Multiple Rootkit Hunter Cron warnings

LukeDouglas

• February 01, 2019 10:17

I am getting dozens of emails with various warnings. I suspect they are false positives but wanted confirmation. Here is text from just one of the emails: [ Rootkit Hunter version 1.4.2 ] Checking rkhunter data files... Checking file mirrors.dat [ No update ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ No update ] Checking file i18n/de [ No update ] Checking file i18n/en [ No update ] Checking file i18n/tr [ No update ] Checking file i18n/tr.utf8 [ No update ] Checking file i18n/zh [ No update ] Checking file i18n/zh.utf8 [ No update ] [ Rootkit Hunter version 1.4.2 ] File updated: searched for 171 files, found 145 Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR_LOG Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR_LOG Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SNIFFER_LOG Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_TROJAN_XINETD_LOG Warning: The SSH and rkhunter configuration options should be the same: SSH configuration option 'PermitRootLogin': yes Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no Warning: Suspicious file types found in /dev: /dev/.udev/queue.bin: data /dev/.udev/db/block:vda1: ASCII text /dev/.udev/db/input:event0: ASCII text /dev/.udev/db/input:event1: ASCII text /dev/.udev/db/input:js0: ASCII text /dev/.udev/db/input:mouse1: ASCII text /dev/.udev/db/input:event3: ASCII text /dev/.udev/db/net:eth0: ASCII text /dev/.udev/db/block:vdb: ASCII text /dev/.udev/db/input:mouse2: ASCII text /dev/.udev/db/input:event4: ASCII text /dev/.udev/db/input:event2: ASCII text /dev/.udev/db/block:vda: ASCII text /dev/.udev/db/block:ram6: ASCII text /dev/.udev/db/block:ram7: ASCII text /dev/.udev/db/block:ram9: ASCII text /dev/.udev/db/block:ram8: ASCII text /dev/.udev/db/block:ram11: ASCII text /dev/.udev/db/block:loop4: ASCII text /dev/.udev/db/block:ram3: ASCII text /dev/.udev/db/block:ram13: ASCII text /dev/.udev/db/block:ram4: ASCII text /dev/.udev/db/block:loop6: ASCII text /dev/.udev/db/block:loop5: ASCII text /dev/.udev/db/block:ram2: ASCII text /dev/.udev/db/block:ram14: ASCII text /dev/.udev/db/block:loop7: ASCII text /dev/.udev/db/block:ram15: ASCII text /dev/.udev/db/block:ram5: ASCII text /dev/.udev/db/block:ram0: ASCII text /dev/.udev/db/block:loop0: ASCII text /dev/.udev/db/block:loop1: ASCII text /dev/.udev/db/block:ram1: ASCII text /dev/.udev/db/block:ram10: ASCII text /dev/.udev/db/block:loop2: ASCII text /dev/.udev/db/block:ram12: ASCII text /dev/.udev/db/block:loop3: ASCII text /dev/.udev/db/usb:1-1: ASCII text /dev/.udev/db/usb:usb1: ASCII text /dev/.udev/db/serio:serio0: ASCII text /dev/.udev/rules.d/99-root.rules: ASCII text Warning: Hidden directory found: /etc/.java Warning: Hidden directory found: /dev/.udev Warning: Hidden file found: /etc/.brand: ASCII text Warning: Hidden file found: /etc/.domainips.swp: Vim swap file, version 7.4 Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
After reading various posts, I ran the following: root@web [~]# rpm -qf /usr/sbin/sssd error: file /usr/sbin/sssd: No such file or directory root@web [~]# /var/cpanel/updatelogs/last -bash: /var/cpanel/updatelogs/last: Permission denied
I am using OpenSSL for most clients currently. I'm not sure why I got a Permission denied on checking the logs. So I did a 'crontab' and got the following: root@web [~]# crontab -l SHELL="/bin/bash" 0 8,20 * * * /root/chkrootkit.sh | grep -v .packlist SHELL="/bin/bash" 0 8,20 * * * /root/rkhunter.sh SHELL="/bin/bash" 10 0 * * * perl /usr/mscpanel/mscpanel.pl > /dev/null 2>&1 SHELL="/bin/bash" # 20 0 * * * /usr/sbin/service clamd restart > /dev/null 2>&1 SHELL="/bin/bash" 0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1 SHELL="/bin/bash" 30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1 SHELL="/bin/bash" 48 15 * * 0 (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron) SHELL="/bin/bash" 36 4 * * * /usr/local/cpanel/scripts/cpbackup SHELL="/bin/bash" 35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check SHELL="/bin/bash" SHELL="/bin/bash" 30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache SHELL="/bin/bash" 25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1 SHELL="/bin/bash" 15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1 SHELL="/bin/bash" 15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1 SHELL="/bin/bash" */5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1 SHELL="/bin/bash" 48 22 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify SHELL="/bin/bash" 8,23,38,53 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1 SHELL="/bin/bash" 0 2 * * * /usr/local/cpanel/bin/backup SHELL="/bin/bash" 25 3 * * * /root/bin/sys-snap --cron SHELL="/bin/bash" 17 20 * * * /usr/local/cpanel/3rdparty/quickinstall/scripts/getCache.pl SHELL="/bin/bash" SHELL="/bin/bash" @reboot /usr/local/cpanel/bin/onboot_handler 40 0 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings 5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1 0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1 12 2 * * 0 /usr/local/cpanel/bin/cloudflare_update.sh >/dev/null 2>&1 09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1 root@web [~]#
I regret my lack of knowledge but any useful feedback would be greatly appreciated.

• 

  ES - George

  • February 01, 2019 17:46

  root@web [~]# /var/cpanel/updatelogs/last -bash: /var/cpanel/updatelogs/last: Permission denied
  I am using OpenSSL for most clients currently. I'm not sure why I got a Permission denied on checking the logs.

  
  To view this log, you'll need to use a text editor, such as cat, or nano, for example: # cat /var/cpanel/updatelogs/last In relation to your crontab, to give you a bit of perspective and food for thought, below is a completely clean/standard copy on a freshly installed cPanel machine, you may like to compare it against what you've got, looking at any cron jobs you don't recognize, and finding out what they do: [root@linux /]# crontab -l @reboot /usr/local/cpanel/bin/onboot_handler 4 3 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify 39 2 * * * (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron) 0 1 * * * /usr/local/cpanel/scripts/cpbackup 0 2 * * * /usr/local/cpanel/bin/backup 35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check 0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1 30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1 5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1 45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache 30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache 25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1 15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1 15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1 */5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1 0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1 09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1 0,15,30,45 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1 [root@linux /]#
  If in doubt, I suggest hiring a systems administrator with experience dealing with such matters. There's a list of potential candidates, here:

  0
• 

  cPanelMichael

  • February 04, 2019 18:27

  Hello @LukeDouglas, In addition to what @ES - George wrote, here's another response to the topic of RKHunter results to review: Thank you.

  0

Please sign in to leave a comment.