Questions tagged [rkhunter]

rkhunter (Rootkit Hunter) is an easy-to-use tool for Unix which checks systems for the presence of rootkits and other unwanted tools.


Website: http://rkhunter.sourceforge.net

Wikipedia: http://en.wikipedia.org/wiki/Rkhunter

More rootkit information: http://www.rootkit.nl


40 questions
16
votes
3 answers

rkhunter: "Suspicious Shared Memory segments"

I have here a newly installed server with CentOS7 and a GroupOffice installation on it. After installing rkhunter and starting a rkhunter check I get: [09:58:15] Suspicious Shared Memory segments [09:58:15] Process: PID: 1769 Owner: apache …
Steffen
9
votes
4 answers

rkhunter warns of inode change but no file modification date changes

I have several systems running Centos 6 with rkhunter installed. I have a daily cron running rkhunter and reporting back via email. I very often get reports like: ---------------------- Start Rootkit Hunter Scan ---------------------- Warning: The…
Nic Cottrell
9
votes
1 answer

rkhunter error message, how to fix?

I am receiving the following errors from rkhunter. I have recently upgraded my server from lenny to squeeze and this may have caused the problem. How do I fix this or hide the error messages? Warning: The modules file '/proc/modules' is…
John Magnolia
7
votes
3 answers

Rkhunter reports file properties have changed

I am running a fully updated LTS copy of Ubuntu server. Today I ran rkhunter (as I do from time to time). This is the output I got: Warning: The file properties have changed: [15:52:25] File: /bin/ps [15:52:25] Current hash:…
CountMurphy
3
votes
1 answer

Is there any reference for current binary file checksums (Ubuntu 12.04 LTS)

I'm using rkhunter to check my system regularly. Sometimes rkhunter outputs some warnings on file changes (after an update, e.g.). rkhunter gives me the new file checksum and the old one, but is there any reference, where I can check if it's the right…
kapsiR
2
votes
1 answer

rkhunter: After some days I get "The system has changed to not using prelinking since the last run."

We run here a (new) CentOS 7 system. To observe the system against invalid changes / hacker attacks we are running rkhunter every night. Also, after each (yum) update we are prelinking all and running "rkhunter --propupd". This runs fine. But after some days…
Steffen
2
votes
1 answer

RKHunter report: "No hash value found"

I'm getting RKHunter warnings every day when my cron job runs the check. I'm on FreeBSD 10.2. This is the warning I'm getting: Warning: No hash value found for file '/usr/bin/perl' in the 'rkhunter.dat' file. I already tried rkhunter --update and…
basbebe
2
votes
2 answers

Rkhunter reports openssl warning

I have installed and configured rkhunter on Centos and I have no warning except Checking version of OpenSSL [ Warning ]. When I check the log file I see that I need to update openssl: root@server [~]# openssl version…
emir
2
votes
1 answer

What to do if rkhunter finds a possible rootkit?

Ran rkhunter tonight, and I got this for the results: [04:17:34] System checks summary [04:17:34] ===================== [04:17:34] [04:17:34] File properties checks... [04:17:34] Files checked: 133 [04:17:34] Suspect files: 16 [04:17:34] [04:17:34]…
Alex Douglas
2
votes
1 answer

RKHunter reports change in file properties, but different hash length

RKHunter reports change in file properties, but the strange thing is that the hash length is different in the current hash and in the stored hash. [11:47:13] Warning: The file properties have changed: [11:47:13] File:…
Zhen
2
votes
2 answers

Single file changed: intrusion or corruption?

rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before). I'm wondering whether…
2
votes
3 answers

Yum install problems

I'm trying to install rkhunter via yum on CentOS 4.8, but it's just not happening... Loading "fastestmirror" plugin Setting up Install Process Setting up repositories update 100% |=========================| 951 B …
Mathew
1
vote
1 answer

Rkhunter verbose cronjob is not working

I'm on Debian 9.5 and have the following /etc/cronjob.weekly/rkhunter file : #!/bin/sh OUTPUT=`rkhunter --cronjob --report-warnings-only` if [ "$OUTPUT" != "" ] then echo $OUTPUT | mail -s "[rkhunter] Warnings found for $(hostname)"…
cyclone200
1
vote
1 answer

Add a file/directory to rkhunter checking

My question is very simple and I'm very surprised to see that this question hasn't been asked before. How to add a file or a directory to rkhunter checking? With that I could see my directory appears in the 'rkhunter --propupd' command I know I can…
KaAzZ
1
vote
0 answers

Nginx uses other ports rather than TCP 80 and 443

Rkhunter shows that nginx uses two UDP ports rather than 80 and 443 which I have of course enabled, but not those which rkhunter shows as hidden ports: [12:56:58] Checking for hidden ports [ Warning ] [12:56:58] Warning:…
fkin