Atomic Secure Linux
Post subject: rkhunter problem
Posted: Wed Mar 16, 2005 10:47 am
Forum User
Joined: Mon Dec 06, 2004 1:39 pm
Posts: 87
Location: Winnipeg, Canada
I'm running rkhunter and I keep getting the following errors that I haven't been able to solve...

Quote:
* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/tmpMnt: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
---------------------------------------------
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.java
---------------
Please inspect: /etc/.java (directory)
* Application version scan
- Apache 2.0.51 [ Old or patched version ]
- OpenSSL 0.9.7a [ Old or patched version ]
- OpenSSH 3.9.0p1 [ Unknown ]

_________________
Jason Lee
OmegaServ
jlee@omegaserv.com
https://www.omegaserv.com


Posted: Wed Mar 16, 2005 6:40 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
The /dev report could be telling you there is a rootkit installed. The other messages, like /etc/.java and the Apache and OpenSSL reports, could be false positives if you are running the latest updates from the vendor.

Also, make sure you run rkhunter --update before you run a scan; that will download the latest signatures.


Posted: Thu Mar 17, 2005 11:36 am
Forum User
Joined: Mon Dec 06, 2004 1:39 pm
Posts: 87
Location: Winnipeg, Canada
I started receiving that /dev report after securing my tmp directories using the instructions at http://eth0.us/?q=node/11.



Post subject: rkhunter update
Posted: Thu Mar 17, 2005 4:57 pm
Forum Regular
Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
After running an rkhunter --update, I am now getting the following entries in the log.

Quote:
1.) Checking network interfaces (promiscuous mode)... [ WARNING ]


Now, I know this is Snort; is it a problem?


Quote:
2.) - Bind DNS [unknown] [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.10 [ OK ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.2.9 [ Old or patched version ]
- OpenSSH 3.9.0p1 [ Unknown ]

and
Quote:
3.) [07:15:19] /usr/bin/gpg found
[07:15:19] Version 1.2.3 seems to be vulnerable (if unpatched)!
[07:15:19] ----------------------------------------------------------
[07:15:19] Scanning Apache...
[07:15:19] /usr/sbin/httpd found
[07:15:19] Version 2.0.51 seems to be vulnerable (if unpatched)!
[07:15:19] ----------------------------------------------------------
[07:15:20] Scanning OpenSSL...
[07:15:20] /usr/bin/openssl found
[07:15:20] Version 0.9.7a seems to be vulnerable (if unpatched)!
[07:15:20] ----------------------------------------------------------
[07:15:20] Scanning ProFTPd...
[07:15:20] /usr/sbin/proftpd found
[07:15:20] Version 1.2.9 seems to be vulnerable (if unpatched)!


I ran yum upgrade and also up2date -l, and everything seems to be up-to-date for FC1/Plesk 7.04.

Any cause for concern here?


Posted: Fri Mar 18, 2005 11:54 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
The promiscuous mode message is to be expected if you are running Snort. I'd say the GPG and ProFTPd messages are valid warnings, and assuming you're running the latest updates for OpenSSL/SSH and Apache, those are false positives.


Post subject: Upgrading
Posted: Fri Mar 18, 2005 12:03 pm
Forum Regular
Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
Thanks a bunch.

I don't understand why yum or up2date doesn't find upgrades to GPG or ProFTPd.

There are RPM upgrades for them I hope. :oops:


Posted: Fri Mar 18, 2005 12:20 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
If you're using FC1/RH9, you need to use fedoralegacy.org for updates.


Posted: Sat Mar 26, 2005 7:13 pm
Forum Regular
Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
Is this not the correct config for Fedora Legacy in the yum.conf?

Quote:
[base]
name=Fedora Core $releasever base
baseurl=http://download.fedoralegacy.org/fedora/$releasever/os/$basearch

[updates]
name=Fedora Core $releasever updates
baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates/$basearch

(this is only the FC entries)


After running yum upgrade or yum upgrade <packname> I only get:

Quote:
Gathering header information file(s) from server(s)
Server: Atomic Rocket Turtle - 1 - Atomic PSA-Compatible RPMS
Server: Fedora Core 1 base
Server: Fedora Legacy utilities for Fedora Core 1
Server: Atomic Rocket Turtle - 1 - SW-Soft PSA 7.0 RPMS
Server: Fedora Core 1 updates
Finding updated packages
Downloading needed headers
Finding obsoleted packages
Resolving dependencies
.Package spamassassin-tools needs perl-Mail-SpamAssassin = 2.61-4, this is not available.


Posted: Sun Mar 27, 2005 10:29 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
Ahh, that spamassassin error is blocking you from getting updates. I'd exclude it from yum, then run it again. I'll bet you'll see a ton of new packages available.


Post subject: Hmmm
Posted: Tue Apr 12, 2005 11:02 am
Forum Regular
Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
Took a while to do this, but... you were right. There are a lot of upgrades available, BUT they are all already installed and up-to-date. I checked each package to see what version was installed and they are identical to the ones listed.

Code:
[install: kernel 2.4.22-1.2199.4.legacy.nptl.i686]
[install: kernel-source 2.4.22-1.2199.4.legacy.nptl.i386]
[update: mysql-devel 4.0.24-2.rhfc1.art.i386]
[update: XFree86-libs-data 4.3.0-59.legacy.i386]
[update: cyrus-sasl-devel 2.1.15-6.2.legacy.i386]
[update: XFree86-Mesa-libGLU 4.3.0-59.legacy.i386]
[update: cyrus-sasl 2.1.15-6.2.legacy.i386]
[update: cyrus-sasl-md5 2.1.15-6.2.legacy.i386]
[update: mysql-server 4.0.24-2.rhfc1.art.i386]
[update: XFree86-Mesa-libGL 4.3.0-59.legacy.i386]
[update: cyrus-sasl-plain 2.1.15-6.2.legacy.i386]
[update: XFree86-libs 4.3.0-59.legacy.i386]
[update: mysql-compat 4.0.24-2.rhfc1.art.i386]


Now the question is how do I get yum and up2date to see these packages are already installed without excluding them in the configuration files?

Always something. :)


Posted: Wed Apr 13, 2005 10:03 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
Wow, really? I've never seen that happen before. Yum and rpm read from the same database (/var/lib/rpm). How are you checking to see what versions are installed? With rpm -q, or manually? If it's manual, then I'd say your rpm db is corrupted.


Post subject: RPM
Posted: Thu Apr 14, 2005 10:09 pm
Forum Regular
Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
rpm -q


Posted: Fri Apr 15, 2005 3:47 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
yum would check against the rpm db; it's essentially doing an rpm -q to determine what the system has, then it looks at the headers/XML files from my archive to compare that against what is available for an update. I can't really think of any way that would come up with a mismatch when it's looking at the exact same sources.


Post subject: Up2date and YUM
Posted: Fri Apr 15, 2005 4:13 pm
Forum Regular
Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
Well, I have no idea what is up. These are the results of up2date --update.
Code:
Name                                    Version        Rel                   Arch
--------------------------------------------------------------------------------
XFree86-Mesa-libGL                      4.3.0          59.legacy             i386
XFree86-Mesa-libGLU                     4.3.0          59.legacy             i386
XFree86-libs                            4.3.0          59.legacy             i386
XFree86-libs-data                       4.3.0          59.legacy             i386
cyrus-sasl                              2.1.15         6.2.legacy            i386
cyrus-sasl-devel                        2.1.15         6.2.legacy            i386
cyrus-sasl-md5                          2.1.15         6.2.legacy            i386
cyrus-sasl-plain                        2.1.15         6.2.legacy            i386
kernel                                  2.4.22         1.2199.4.legacy.nptl  i686
kernel-source                           2.4.22         1.2199.4.legacy.nptl  i386
mysql-compat                            4.0.24         2.rhfc1.art           i386
mysql-devel                             4.0.24         2.rhfc1.art           i386
mysql-server                            4.0.24         2.rhfc1.art           i386
php-imap                                4.3.11         3.rhfc1.art           i386
php-ldap                                4.3.11         3.rhfc1.art           i386
php-mbstring                            4.3.11         3.rhfc1.art           i386
php-mysql                               4.3.11         3.rhfc1.art           i386
php-pear                                4.3.11         3.rhfc1.art           i386


Testing package set / solving RPM inter-dependencies...
There was a package dependency problem. The message was:

    To solve all dependencies for the RPMs you have selected, The following
    packages you have marked to exclude would have to be added to the set:

    Package Name                        Reason For Skipping
    ======================================================================
    php-4.3.11-3.rhfc1.art              Config modified
    php-4.3.11-3.rhfc1.art              Config modified

Unresolvable chain of dependencies:
php-4.3.10-3.rhfc1.art                   requires php-mbstring = 4.3.10-3.rhfc1.art
php-imap-4.3.11-3.rhfc1.art              requires php = 4.3.11-3.rhfc1.art
php-ldap-4.3.11-3.rhfc1.art              requires php = 4.3.11-3.rhfc1.art
php-mbstring-4.3.11-3.rhfc1.art          requires php = 4.3.11-3.rhfc1.art
php-mysql-4.3.11-3.rhfc1.art             requires php = 4.3.11-3.rhfc1.art
php-pear-4.3.11-3.rhfc1.art              requires php = 4.3.11-3.rhfc1.art


rpm -q

Code:
rpm -q kernel
kernel-2.4.22-1.2199.nptl

rpm -q php
php-4.3.10-3.rhfc1.art

rpm -q mysql
mysql-4.0.24-2.rhfc1.art


I have added nothing to be excluded, nor can I find anything other than [perl*] listed in the up2date config as being set up to skip.

The only excludes in yum are

Code:
exclude=spamassassin
exclude=spamassassin-tools


I temporarily removed the excludes from both and received the same results as listed here.

yum upgrade

Code:
Gathering header information file(s) from server(s)
Server: Atomic Rocket Turtle - 1 - Atomic PSA-Compatible RPMS
Server: Fedora Core 1 base
Server: Fedora Legacy utilities for Fedora Core 1
Server: Atomic Rocket Turtle - 1 - SW-Soft PSA 7.0 RPMS
Server: Fedora Core 1 updates
Finding updated packages
Downloading needed headers
Finding obsoleted packages
Resolving dependencies
.....Unable to satisfy dependencies
Package php-mbstring needs php = 4.3.11-3.rhfc1.art, this is not available.
Package php-mysql needs php = 4.3.11-3.rhfc1.art, this is not available.
Package php-pear needs php = 4.3.11-3.rhfc1.art, this is not available.
Package php-ldap needs php = 4.3.11-3.rhfc1.art, this is not available.
Package php-imap needs php = 4.3.11-3.rhfc1.art, this is not available.


After going through this I ran a trace to see if there was a problem with the up2date and/or rpm database and found no segmentation faults in the hour-long report. :) Once it was complete I ran yum upgrade and up2date once again, with the same results as above.

Your wisdom is once again requested.

What the #$*# is up with this? This happened once before, if you recall.

I'd offer you the last few lines of the trace, but for you to see the dependencies that failed it would require about 150 lines of code to be placed here.

At any rate, I'm sure you're gonna say, "Oh, just do this and then do that and all will be better." :D
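
The up2date table and the rpm -q output in this post carry different release strings for the same package names (kernel release 1.2199.nptl installed versus 1.2199.4.legacy.nptl offered; php 4.3.10 versus 4.3.11), and rpm decides "newer" by its own segment-wise ordering rather than by eyeballing the strings. The following added example, not code from the thread or from rpm/yum themselves, reimplements that ordering in Python and applies it to the values quoted above; epoch, tilde and caret handling (later rpm additions) are left out, which is an assumption made for brevity.

```python
import re

# rpm compares one alphanumeric segment at a time: runs of digits or runs of
# letters; '.', '-' and '_' only separate segments.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version/release strings like rpm's rpmvercmp(): -1, 0 or 1.
    Digit segments compare numerically, letter segments lexically, a digit
    segment is newer than a letter segment at the same position, and when one
    string is a prefix of the other the longer one is newer.
    Assumption: epoch, tilde and caret handling (later rpm additions) are omitted."""
    if a == b:
        return 0
    seg_a, seg_b = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)  # drops leading zeros, as rpm does
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1

def parse_nvr(nvr: str):
    """Split 'name-version-release' from the right; names like php-mbstring contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def compare_nvr(installed: str, offered: str) -> int:
    """-1: offered is newer (update pending), 0: identical, 1: installed is newer.
    Names must match: comparing mysql against mysql-server is meaningless."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(offered)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

# Values copied from the thread: 'rpm -q' output versus the up2date/yum candidate.
PAIRS = {
    "kernel": ("kernel-2.4.22-1.2199.nptl", "kernel-2.4.22-1.2199.4.legacy.nptl"),
    "php": ("php-4.3.10-3.rhfc1.art", "php-4.3.11-3.rhfc1.art"),
}

def verdicts() -> dict:
    return {name: compare_nvr(old, new) for name, (old, new) in PAIRS.items()}

if __name__ == "__main__":
    labels = {-1: "update pending", 0: "already current", 1: "installed is newer"}
    for name, result in verdicts().items():
        print(f"{name}: {labels[result]}")
```

Run against the quoted values, both pairs come out as "update pending", which is what an rpm -q comparison of the full name-version-release string (rather than the package name alone) shows.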

