rkhunter
Hi Guys,
I have just run a rkhunter scan which results i consider a little bit disturbing.With following output>
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/bash [ Warning ]
/usr/bin/cat [ OK ]
/usr/bin/chattr [ Warning ]
/usr/bin/chmod [ OK ]
/usr/bin/chown [ OK ]
/usr/bin/chroot [ OK ]
/usr/bin/cp [ OK ]
/usr/bin/curl [ Warning ]
/usr/bin/cut [ OK ]
/usr/bin/date [ OK ]
/usr/bin/depmod [ Warning ]
/usr/bin/df [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ Warning ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/egrep [ Warning ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ Warning ]
/usr/bin/file [ OK ]
/usr/bin/find [ Warning ]
/usr/bin/fsck [ Warning ]
/usr/bin/fuser [ Warning ]
/usr/bin/grep [ Warning ]
/usr/bin/groupadd [ Warning ]
/usr/bin/groupdel [ Warning ]
/usr/bin/groupmod [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/grpck [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ifconfig [ Warning ]
/usr/bin/init [ Warning ]
/usr/bin/insmod [ Warning ]
/usr/bin/ip [ Warning ]
/usr/bin/ipcs [ Warning ]
/usr/bin/kill [ Warning ]
/usr/bin/killall [ Warning ]
/usr/bin/last [ Warning ]
/usr/bin/lastlog [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ Warning ]
/usr/bin/links [ OK ]
/usr/bin/locate [ Warning ]
/usr/bin/logger [ Warning ]
/usr/bin/login [ Warning ]
/usr/bin/ls [ OK ]
/usr/bin/lsattr [ Warning ]
/usr/bin/lsmod [ Warning ]
/usr/bin/lsof [ Warning ]
/usr/bin/md5sum [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/modinfo [ Warning ]
/usr/bin/modprobe [ Warning ]
/usr/bin/more [ Warning ]
/usr/bin/mount [ Warning ]
/usr/bin/mv [ OK ]
/usr/bin/netstat [ Warning ]
/usr/bin/newgrp [ Warning ]
/usr/bin/nologin [ Warning ]
/usr/bin/passwd [ Warning ]
/usr/bin/perl [ Warning ]
/usr/bin/pgrep [ OK ]
/usr/bin/ping [ Warning ]
/usr/bin/pkill [ OK ]
/usr/bin/ps [ OK ]
/usr/bin/pstree [ Warning ]
/usr/bin/pwck [ Warning ]
/usr/bin/pwd [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/rmmod [ Warning ]
/usr/bin/route [ Warning ]
/usr/bin/runcon [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sh [ Warning ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ Warning ]
/usr/bin/slocate [ Warning ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ Warning ]
/usr/bin/sshd [ Warning ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ Warning ]
/usr/bin/strings [ Warning ]
/usr/bin/su [ Warning ]
/usr/bin/sudo [ Warning ]
/usr/bin/sulogin [ Warning ]
/usr/bin/sysctl [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/telnet [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/useradd [ Warning ]
/usr/bin/userdel [ Warning ]
/usr/bin/usermod [ Warning ]
/usr/bin/users [ OK ]
/usr/bin/vipw [ Warning ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ Warning ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ Warning ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/xinetd [ Warning ]
/usr/bin/unhide [ OK ]
/usr/bin/unhide-linux [ OK ]
/usr/bin/unhide-posix [ OK ]
/usr/bin/unhide-tcp [ OK ]
/usr/bin/numfmt [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/kmod [ Warning ]
/usr/bin/openrc-init [ Warning ]
/usr/bin/vendor_perl/GET [ Warning ]
/etc/rkhunter.conf [ Warning ]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Diamorphine LKM [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Ebury backdoor [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
Jynx2 Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mokes backdoor [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]
Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for deleted files [ Warning ]
Checking running processes for suspicious files [ None found ]
Checking for hidden processes [ None found ]
Checking for files with suspicious contents [ None found ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
Checking for suspicious (large) shared memory segments [ Warning ]
Performing trojan specific checks
Checking for enabled xinetd services [ None found ]
Checking for Apache backdoor [ Not found ]
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Checking for hidden ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking for packet capturing applications [ Warning ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for other suspicious configuration settings [ None found ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions...
Checking version of GnuPG [ OK ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of OpenSSH [ OK ]
System checks summary
=====================
File properties checks...
Files checked: 130
Suspect files: 68
Rootkit checks...
Rootkits checked : 504
Possible rootkits: 9
Applications checks...
Applications checked: 4
Suspect applications: 0
The system checks took: 13 minutes and 18 seconds
I do not know what to think about this results. Should I be worried? I know i should have done rkhunter --proupd after every upgrade, but i just forgot.
Is there any way how to track down those possible rootkits? In the log are only Warnings. I thought there could be a way to tell what files are those possible rootkits.
Could a further investigation of /proc reveal any useful information?
Is there any way to discover possible breach?
What i find also weird in the output are this lines>
Checking running processes for deleted files [ Warning ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for hidden files and directories [ Warning ]
I have Openssh package installed which apparently contains also sshd what i consider a security issue.Is there any chance that i could remove sshd and keep ssh client only since i use it for educational purposes?
I do not have ssh enabled in rc-update nor i do not have any ports open, at least it is what nmap claims.
Thanks for any help and support.