0

I performed rkhunter -c on my server, and I get warnings for the following files:

/bin/GET
/bin/wget
/usr/local/bin/rkhunter

Performing trojan specific checks
Checking for enabled xinetd services                     [ Warning ]
Checking for Apache backdoor                             [ Not found ]

Can you give me some advice on what to do with the mentioned files?

Also, why does rkhunter give a warning for itself?

Thank you in advance!

user48058
  • 853
  • 3
  • 10
  • 19

2 Answers

3

I am no rkhunter expert by any means, but there are some things I would want to know. Did you install rkhunter on a fresh install with known good packages? I believe you are supposed to install on a fresh system then run,

rkhunter --propupd

so it can build its database of known good files. Then when you run after that it knows what to compare it to. I also would run rkhunter now with '--report-warnings-only' flag. You would be better served posting the logs from rkhunter, pastebin them if they are really long. I would also verify all my packages are good, this will vary depending on what distro you are running. Do you have a reason to be looking for rootkits?

Justin S
  • 350
  • 3
  • 15
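The baseline-then-compare cycle the answer above describes (rkhunter --propupd records known-good file properties, a later check reports deviations) is easy to reproduce in miniature, and doing so also covers the checksum comparison suggested in the other answer. The script below is an added example written for this page, not rkhunter's own code: it records SHA-256 hashes of a chosen set of files into a baseline and later reports files that changed or vanished. File names and contents in demo() are constructed; on a real host you would point it at /bin/wget, /bin/GET and /usr/local/bin/rkhunter right after a clean install.

```shell
#!/bin/sh
# Added example: a minimal stand-in for rkhunter's --propupd / --check cycle.
# Hash a fixed list of files once (known-good baseline), compare later.
# Hashes only; rkhunter additionally tracks permissions, owner, inode, etc.

# build_baseline BASELINE_FILE FILE...
# Writes one "sha256  path" line per file (sha256sum's native format).
build_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        sha256sum "$f" >> "$baseline"
    done
}

# check_baseline BASELINE_FILE
# Prints "CHANGED path" or "MISSING path" for each deviation.
# Returns 0 when everything still matches, 1 otherwise.
check_baseline() {
    baseline=$1
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# demo: constructed files standing in for /bin/wget and /bin/GET.
# Builds the baseline, then overwrites one file to simulate a replaced binary.
demo() {
    tmp=$(mktemp -d)
    printf 'original wget binary\n' > "$tmp/wget"
    printf 'original GET script\n'  > "$tmp/GET"
    build_baseline "$tmp/baseline.txt" "$tmp/wget" "$tmp/GET"
    printf 'tampered contents\n' > "$tmp/wget"      # simulate tampering
    if check_baseline "$tmp/baseline.txt"; then
        echo "NO CHANGES"
    fi
    rm -rf "$tmp"
}

demo
```

Run it right after installation to produce the baseline, and keep the baseline file off the host (or on read-only media): as the other answer notes, a checksum list stored on a compromised machine can be altered along with the binaries it is supposed to vouch for. Paths containing whitespace are not handled by the read loop; for the handful of system binaries at issue here that is not a limitation.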
2

Those files

/bin/GET
/bin/wget
/usr/local/bin/rkhunter

are all files you should expect to be there (though GET is usually in /usr/bin). wget is a normal part of Linux and a useful program. Evidently some rootkits make use of it and, presumably, include it themselves sometimes. I installed wget on my Windows PCs and AVG often reports it as a suspicious file.

Unless you have other evidence of a rootkit, I'd not worry too much. You could compare the checksums or hashes of those files against expected values - but remember if your computer is badly compromised, checksums can be faked.

I'd review the xinetd configuration file and disable any services you are not currently using.

RedGrittyBrick
  • 3,792
  • 1
  • 16
  • 21
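To act on the "enabled xinetd services" warning and the advice above to review the xinetd configuration, it helps to list exactly which services are live. The script below is an added example for this page (not rkhunter's or xinetd's own code): it walks a directory of xinetd.d-style service files and prints every service that is not explicitly set to disable = yes, which is xinetd's default of enabled. The three service files created in demo_xinetd() are constructed; on a real host run xinetd_enabled_services /etc/xinetd.d. The defaults block in /etc/xinetd.conf and its enabled/disabled lists are not consulted, which is an assumption of this simplified parser.

```shell
#!/bin/sh
# Added example: list xinetd services that are effectively enabled.
# A service is enabled unless its block contains "disable = yes".

# xinetd_enabled_services DIR
# Prints the name of each enabled service found in DIR/*, one per line.
xinetd_enabled_services() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*#/ { next }                      # skip comments
            /^[[:space:]]*service[[:space:]]+[^[:space:]]+/ {
                name = $2; disabled = "no"                 # new service block
            }
            tolower($0) ~ /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/ {
                disabled = "yes"
            }
            /^[[:space:]]*}/ {
                if (name != "" && disabled == "no") print name
                name = ""
            }
        ' "$f"
    done
}

# demo_xinetd: constructed service files, not copied from any real host.
# telnet is disabled, tftp is explicitly enabled, echo has no disable line.
demo_xinetd() {
    tmp=$(mktemp -d)
    cat > "$tmp/telnet" <<'EOF'
service telnet
{
        disable     = yes
        socket_type = stream
        server      = /usr/sbin/in.telnetd
}
EOF
    cat > "$tmp/tftp" <<'EOF'
service tftp
{
        # disable = yes   (commented out, so it does not count)
        disable     = no
        socket_type = dgram
        server      = /usr/sbin/in.tftpd
}
EOF
    cat > "$tmp/echo" <<'EOF'
service echo
{
        type        = INTERNAL
        socket_type = stream
}
EOF
    xinetd_enabled_services "$tmp"
    rm -rf "$tmp"
}

demo_xinetd
```

Anything the list prints that you do not recognise or need is a candidate for disable = yes followed by a restart of xinetd; after that, rerun rkhunter and the warning should clear for the services you turned off.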