
I got paranoid and ran both chkrootkit and rkhunter to scan for rootkits. Doesn't look like chkrootkit found anything, but rkhunter returned some warnings. I think many might be false positives, but I'm mostly worried about the 'possible rootkit strings' and the three suspect files. Any explanations would be greatly appreciated!! Thank you!

Performing file properties checks
/usr/bin/fuser                                           [ Warning ]
/usr/bin/whatis                                          [ Warning ]
/usr/bin/shasum                                          [ Warning ]

Performing additional rootkit checks
Checking for possible rootkit strings                    [ Warning ]

Performing checks on the network interfaces
Checking for promiscuous interfaces                      [ Warning ]

Performing system boot checks
Checking for system startup files                        [ Warning ]

Performing system configuration file checks
Checking if SSH root access is allowed                   [ Warning ]
Checking if SSH protocol v1 is allowed                   [ Warning ]

Performing filesystem checks
Checking for hidden files and directories                [ Warning ]

Warnings in the log file:

[17:00:44] Info: No mail-on-warning address configured
[17:01:25]   /usr/bin/fuser                                  [ Warning ]
[17:01:25] Warning: The command '/usr/bin/fuser' has been replaced by a script: /usr/bin/fuser: a /usr/bin/perl -w script text executable, ASCII text
[17:01:36]   /usr/bin/whatis                                 [ Warning ]
[17:01:36] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable, ASCII text
[17:01:37]   /usr/bin/shasum                                 [ Warning ]
[17:01:37] Warning: The command '/usr/bin/shasum' has been replaced by a script: /usr/bin/shasum: a /usr/bin/perl script text executable, ASCII text
[17:03:28] Warning: Checking for possible rootkit strings    [ Warning ]
[17:04:07]   Checking for promiscuous interfaces             [ Warning ]
[17:04:07] Warning: Possible promiscuous interfaces:
[17:04:09]   Checking for system startup files               [ Warning ]
[17:04:09] Warning: No system startup files found.
[17:04:10]   Checking if SSH root access is allowed          [ Warning ]
[17:04:10] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[17:04:10]   Checking if SSH protocol v1 is allowed          [ Warning ]
[17:04:10] Warning: The SSH configuration option 'Protocol' has not been set.
[17:04:17]   Checking for hidden files and directories       [ Warning ]
[17:04:17] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text, ASCII text
ljhan
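As an added example (not part of the question, and not rkhunter's own code), here is a small Python parser for the log format quoted above. It pairs each check that ended in `[ Warning ]` with the `Warning:` detail lines rkhunter logs after it, and pulls out the "replaced by a script" cases with the file type reported, so the three suspect files can be listed for manual inspection. The sample log is constructed from the lines in the question.

```python
import re

# Constructed sample: the warning lines quoted in the question, in rkhunter's log format.
SAMPLE_LOG = """\
[17:00:44] Info: No mail-on-warning address configured
[17:01:25]   /usr/bin/fuser                                  [ Warning ]
[17:01:25] Warning: The command '/usr/bin/fuser' has been replaced by a script: /usr/bin/fuser: a /usr/bin/perl -w script text executable, ASCII text
[17:01:36]   /usr/bin/whatis                                 [ Warning ]
[17:01:36] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable, ASCII text
[17:03:28] Warning: Checking for possible rootkit strings    [ Warning ]
[17:04:07]   Checking for promiscuous interfaces             [ Warning ]
[17:04:07] Warning: Possible promiscuous interfaces:
[17:04:10]   Checking if SSH root access is allowed          [ Warning ]
[17:04:10] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[17:04:17]   Checking for hidden files and directories       [ Warning ]
[17:04:17] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text, ASCII text
"""

TIMESTAMP_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(.*?)\s*$")
# A check line ends with a bracketed result; the rootkit-strings one also carries a "Warning:" prefix.
RESULT_RE = re.compile(r"^(?:Warning:\s+)?(.+?)\s+\[ (Warning|OK|None found|Not found|Skipped) \]$")
SCRIPT_RE = re.compile(r"^The command '([^']+)' has been replaced by a script: [^:]+: (.+)$")


def parse_rkhunter_log(text):
    """Group each failed check with the 'Warning:' detail lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw)
        if not m:
            continue  # not a timestamped log line
        msg = m.group(1)
        r = RESULT_RE.match(msg)
        if r:
            if r.group(2) == "Warning":
                entries.append({"check": r.group(1), "details": []})
            continue
        if msg.startswith("Warning:") and entries:
            entries[-1]["details"].append(msg[len("Warning:"):].strip())
    return entries


def script_replacements(entries):
    """Map each binary reported as replaced by a script to the file type rkhunter saw."""
    found = {}
    for e in entries:
        for d in e["details"]:
            s = SCRIPT_RE.match(d)
            if s:
                found[s.group(1)] = s.group(2)
    return found


if __name__ == "__main__":
    parsed = parse_rkhunter_log(SAMPLE_LOG)
    for e in parsed:
        print(e["check"], "->", e["details"] or ["(no detail logged)"])
    print("inspect by hand:", script_replacements(parsed))
```

Point it at the real `/var/log/rkhunter.log` to get the same grouping for a full run; the paths in `script_replacements` are the ones to read through before deciding whether a warning is a false positive.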
  • 2
    Same output on Mojave. Inspected the contents of the files with `cat` and they seemed standard. Applied suggestions to SSH server config at `/etc/ssh/sshd_config`. Hidden file is legit for `man .rhosts` command. String warning was due to files it couldn't find. No "failures" in the end, only "warnings", so no big deal. – deizel. Oct 01 '18 at 20:37
  • 1
    Thanks for taking the time! Appreciate it :) – ljhan Oct 02 '18 at 22:28
  • What OS is the OP on? Out of the box, rkhunter is configured with a generic Linux box like BSD in mind. OSX differs from them at a few points, and at those points of deviation, rkhunter is likely to trip a false positive. It is possible to adjust your configuration file to prevent some of them, but OSX, for instance, replaces some binaries with scripts and rkhunter doesn't like that. Most of those can be safely ignored, but it's generally smart to inspect each incident and ensure it's OK yourself. – acagliano Sep 15 '21 at 16:18

0 Answers