rkhunter warnings?

Asked by george_rutkay

I ran chkrootkit and rkhunter on my system (Ubuntu 8.04) and I receive only this set of warnings:

[23:58:20] Performing filesystem checks
[23:58:20] Info: Starting test name 'filesystem'
[23:58:20] Info: SCAN_MODE_DEV set to 'THOROUGH'
[23:58:40] Checking /dev for suspicious file types [ Warning ]
[23:58:40] Warning: Suspicious files found in /dev:
[23:58:40] /dev/shm/pulse-shm-1272671680: data
[23:58:40] Checking for hidden files and directories [ Warning ]
[23:58:40] Warning: Hidden directory found: /etc/.java
[23:58:40] Warning: Hidden directory found: /dev/.static
[23:58:40] Warning: Hidden directory found: /dev/.udev
[23:58:40] Warning: Hidden directory found: /dev/.initramfs

Is this anything to be concerned about?

I've noticed that my system has started to behave sluggishly; sometimes the connection to the network slows down or stops entirely. Is there any possible connection between what I've noticed and these warnings?

(I'll be out of town and away from a computer for the next week and nobody else in the family administers it so I'll not be able to check on replies right away).

Thanks.

Question information

Language: English
Status: Answered
For: Ubuntu
Bhavani Shankar (bhavi) said:
#1

Hello George

The binary rkhunter is installed in the /usr/local/bin directory and one needs to be logged in as root to run this program. Once the program is executed, it conducts a series of tests as follows:

    * MD5 tests to check for any changes
    * Checks the binaries and system tools for any rootkits
    * Checks for trojan specific characteristics
    * Checks for any suspicious file properties of most commonly used programs
    * Carries out a couple of OS-dependent tests; this is because rootkit hunter supports multiple OSes.
    * Scans for any promiscuous interfaces and checks frequently used backdoor ports.
    * Checks all the configuration files such as those in the /etc/rc.d directory, the history files, any suspicious hidden files and so on. For example, on my system, it gave a warning to check the files /dev/.udev and /etc/.pwd.lock.
    * Does a version scan of applications which listen on any ports such as the apache web server, procmail and so on.

After all this, it outputs the results of the scan and lists the possible infected files, incorrect MD5 checksums and vulnerable applications if any.

Most system directories contain no hidden directories and files, but there are a few special exceptions.

Some known false positives:
- /dev/lcd
- /dev/watchdog
- /etc/.aumixrc
- /etc/.java
- /usr/.Trash-root
- /etc/.whostmgrft

If you are 100 percent sure a hidden directory/file is valid for your system, add it to the whitelist. See the configuration file for more information.

More info:

http://www.rootkit.nl/articles/rootkit_hunter_usage.html

Also see the manual page:

man rkhunter

Regards

Bhavani Shankar.

Sam_ (and-sam) said:
#2

Hi,
the hidden directories regularly appear here as well; with Ctrl+H in Nautilus they become visible.
The "pulse-shm-1272671680" file is generated anew by PulseAudio every day, with a different number each time.

After installing rkhunter with Synaptic it started running automatically every day, meaning it set up a daily cron job.
The file can be found in /etc/cron.daily.
The logfile of rkhunter is in /var/log/rkhunter.log.
The daily check is in /var/mail.

FAQ
http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034

CERT
http://www.cert.org/tech_tips/intruder_detection_checklist.html
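The two answers together describe a triage loop: read the warnings rkhunter writes to /var/log/rkhunter.log, separate the known-benign hidden paths (the false-positive list in the first answer, plus the udev/initramfs/PulseAudio entries explained above) from anything unexplained, and only then whitelist in rkhunter.conf. The script below is an added example written for this page; it is not part of the question, of either answer, or of rkhunter itself. It runs over a constructed log excerpt modelled on the lines in the question rather than the real log file, and the option names ALLOWHIDDENDIR and ALLOWHIDDENFILE are assumed from the rkhunter.conf documentation, so confirm them against the comments in your own /etc/rkhunter.conf before pasting anything in.

```shell
#!/bin/sh
# Added example (not from the question, the answers, or rkhunter): triage
# "Hidden directory/file found" warnings against a list of paths you have
# already verified as benign, report the rest for manual review, and emit
# the matching rkhunter.conf whitelist lines for the verified ones only.

# Constructed sample, modelled on the warnings quoted in the question.
# In practice you would read /var/log/rkhunter.log, as the second answer says.
SAMPLE_LOG='[23:58:40] Warning: Suspicious files found in /dev:
[23:58:40]          /dev/shm/pulse-shm-1272671680: data
[23:58:40] Warning: Hidden directory found: /etc/.java
[23:58:40] Warning: Hidden directory found: /dev/.static
[23:58:40] Warning: Hidden directory found: /dev/.udev
[23:58:40] Warning: Hidden directory found: /dev/.initramfs
[23:58:40] Warning: Hidden file found: /etc/.pwd.lock: empty
[23:58:40] Warning: Hidden directory found: /tmp/.unexpected'

# Paths the first answer lists as known false positives, plus the udev,
# initramfs and pwd.lock entries discussed in the thread. Extend this only
# with paths you have personally checked on the machine in question.
KNOWN_BENIGN='/dev/lcd
/dev/watchdog
/etc/.aumixrc
/etc/.java
/usr/.Trash-root
/etc/.whostmgrft
/dev/.static
/dev/.udev
/dev/.initramfs
/etc/.pwd.lock'

# is_known_benign PATH -> exit 0 if PATH is on the verified list (exact match)
is_known_benign() {
    printf '%s\n' "$KNOWN_BENIGN" | grep -qxF -- "$1"
}

# list_hidden_warnings LOG-TEXT -> one "dir PATH" or "file PATH" line per warning.
# rkhunter appends ": <file type>" to hidden-file lines, so that suffix is dropped.
list_hidden_warnings() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^\[[0-9:]*\] *Warning: Hidden directory found: \(.*\)$/dir \1/p' \
        -e 's/^\[[0-9:]*\] *Warning: Hidden file found: \([^:]*\).*$/file \1/p'
}

# unexplained_hidden LOG-TEXT -> hidden paths NOT on the verified list
unexplained_hidden() {
    list_hidden_warnings "$1" | while read -r kind path; do
        is_known_benign "$path" || printf '%s\n' "$path"
    done
}

# whitelist_lines LOG-TEXT -> rkhunter.conf entries for the verified hits only
# (ALLOWHIDDENDIR / ALLOWHIDDENFILE are assumed from the rkhunter.conf docs)
whitelist_lines() {
    list_hidden_warnings "$1" | while read -r kind path; do
        if is_known_benign "$path"; then
            case $kind in
                dir)  printf 'ALLOWHIDDENDIR=%s\n' "$path" ;;
                file) printf 'ALLOWHIDDENFILE=%s\n' "$path" ;;
            esac
        fi
    done
}

echo "Hidden paths that still need a manual look:"
unexplained_hidden "$SAMPLE_LOG"
echo
echo "Suggested rkhunter.conf entries for the verified false positives:"
whitelist_lines "$SAMPLE_LOG"
```

To use it against a real run, replace SAMPLE_LOG with `$(cat /var/log/rkhunter.log)` and check the "needs a manual look" list first; in the constructed sample that list contains only /tmp/.unexpected, while the five paths the thread already explains come out as whitelist lines. The allowlist is matched exactly on purpose: a wildcard such as a whole directory would also hide a genuinely new hidden path, which is exactly what the check exists to flag.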
