

Rkhunter Help?


6 replies to this topic

#1 auto1571

auto1571

  • Members
  • 331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:25 AM

Posted 01 June 2017 - 07:46 AM

Hi, after running rkhunter as root on the Debian distro, I found a few warning messages, and I am not sure if these are false positives or something else. The information I am mainly concerned about is as follows:

 


Checking for backdoor ports                              [ Warning ]

Checking if SSH root access is allowed              [ Warning ]
Checking /dev for suspicious file types                [ Warning ]
Checking for hidden files and directories              [ Warning ]

[13:13:59]   Checking for software intrusions                [ Skipped ]
[13:13:59] Info: Check skipped - tripwire not installed
[13:13:59] Info: Starting test name 'trojans'
[13:13:59] Performing trojan specific checks
[13:13:59]   Checking for enabled inetd services             [ Skipped ]
[13:13:59] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[13:13:59]
[13:13:59]   Performing check for enabled xinetd services
[13:13:59]   Checking for enabled xinetd services            [ Skipped ]
[13:13:59] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[13:13:59] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[13:14:01]     Checking for TCP port 6667                    [ Found ]
[13:14:01] Warning: Network TCP port 6667 is being used by /usr/sbin/bitlbee. Possible rootkit: Possible rogue IRC bot
[13:14:02] Info: Starting test name 'startup_files'
[13:14:02] Performing system boot checks
[13:14:02]   Checking for local host name                    [ Found ]
[13:14:02]
[13:14:02] Info: Starting test name 'startup_malware'
[13:14:02]   Checking for system startup files               [ Found ]
Rootkit checks...
Rootkits checked : 379
Possible rootkits: 1


[13:14:02] Info: Starting test name 'group_accounts'
[13:14:02] Performing group and account checks
[13:14:02]   Checking for passwd file                        [ Found ]
[13:14:02]   Checking for an SSH configuration file          [ Found ]
[13:14:02] Info: Found an SSH configuration file: /etc/ssh/sshd_config
[13:14:02] Warning: The SSH and rkhunter configuration options should be the same:
[13:14:02]          SSH configuration option 'PermitRootLogin': without-password
[13:14:02]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[13:14:02]   Checking if SSH protocol v1 is allowed          [ Not allowed ]
[13:14:02]   Checking for a running system logging daemon    [ Found ]
[13:14:02] Info: A running 'rsyslog' daemon has been found.
[13:14:02] Info: A running 'systemd-journald' daemon has been found.
[13:14:02] Info: Found an rsyslog configuration file: /etc/rsyslog.conf
[13:14:02] Info: Found a systemd configuration file: /etc/systemd/journald.conf
[13:14:02]   Checking for a system logging configuration file [ Found ]
[13:14:02]   Checking if syslog remote logging is allowed    [ Not allowed ]
[13:14:02] Info: Starting test name 'filesystem'
[13:14:02] Performing filesystem checks
[13:14:02] Info: SCAN_MODE_DEV set to 'THOROUGH'
[13:14:03]   Checking /dev for suspicious file types         [ Warning ]
[13:14:03] Warning: Suspicious file types found in /dev:
[13:14:03]          /dev/shm/pulse-shm-4068574506: data
[13:14:03]          /dev/shm/pulse-shm-2371334495: data
[13:14:03]          /dev/shm/pulse-shm-3630157293: data
[13:14:03]          /dev/shm/pulse-shm-4265033882: data
[13:14:03]          /dev/shm/pulse-shm-1454792377: data
[13:14:03]   Checking for hidden files and directories       [ Warning ]
[13:14:03] Warning: Hidden directory found: /etc/.java
[13:14:03]   Checking for missing log files                  [ Skipped ]
[13:14:03]   Checking for empty log files                    [ Skipped ]
[13:14:06]

 

I've only posted some info from the log file that I think might be most relevant. Everything else seemed to be okay.

However, looking at this log myself just now, it looks like BitlBee is being detected. But from what I remember, BitlBee is supposed to be a legitimate IM application.

 

Anyway any help with this would be much appreciated. Thank you.
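The warnings quoted above are the kind a reviewer reduces to a few facts before deciding anything: which binary owns the flagged port, whether the sshd and rkhunter root-login settings actually agree, and which paths were flagged. The script below does that over an rkhunter log. It is an added example, not code from this thread or from rkhunter; the sample log it parses is constructed from the values posted above, and the path and option names it matches are the ones rkhunter printed there.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: pull the Warning
# lines out of an rkhunter log and reduce them to the facts a reviewer needs.
# The sample log below is constructed from the values posted in the thread.

# Write the constructed sample log to the file named by $1.
write_sample_log() {
    cat >"$1" <<'EOF'
[13:14:01] Warning: Network TCP port 6667 is being used by /usr/sbin/bitlbee. Possible rootkit: Possible rogue IRC bot
[13:14:02] Warning: The SSH and rkhunter configuration options should be the same:
[13:14:02]          SSH configuration option 'PermitRootLogin': without-password
[13:14:02]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[13:14:03] Warning: Suspicious file types found in /dev:
[13:14:03]          /dev/shm/pulse-shm-4068574506: data
[13:14:03] Warning: Hidden directory found: /etc/.java
EOF
}

# Number of Warning lines in the log at $1.
count_warnings() {
    grep -c 'Warning:' "$1"
}

# For each "TCP port N is being used by PATH" warning print "N PATH".
# On the live system the follow-up is `dpkg -S PATH` (which package installed
# the binary) and `ss -ltnp` (what is really listening right now).
port_owners() {
    sed -n 's/^.*Network TCP port \([0-9][0-9]*\) is being used by \([^ .]*\)\..*$/\1 \2/p' "$1"
}

# rkhunter warns when its ALLOW_SSH_ROOT_USER value is not the same string as
# sshd's PermitRootLogin. Print "consistent", "inconsistent" or "not-reported".
ssh_root_consistency() {
    ssh_opt=$(sed -n "s/^.*SSH configuration option 'PermitRootLogin': //p" "$1")
    rk_opt=$(sed -n "s/^.*Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': //p" "$1")
    if [ -z "$ssh_opt" ]; then
        echo not-reported
    elif [ "$ssh_opt" = "$rk_opt" ]; then
        echo consistent
    else
        echo inconsistent
    fi
}

# Paths flagged as suspicious /dev entries or hidden directories, one per line,
# ready to be checked with `ls -la` and `dpkg -S` before anyone whitelists them.
flagged_paths() {
    sed -n 's/^\[[0-9:]*\] *\(\/[^:]*\): data$/\1/p; s/^.*Hidden directory found: //p' "$1"
}

# Demo on the constructed sample.
LOG=$(mktemp)
write_sample_log "$LOG"
printf 'warnings: %s\n' "$(count_warnings "$LOG")"
port_owners "$LOG"
ssh_root_consistency "$LOG"
flagged_paths "$LOG"
rm -f "$LOG"
```

On the log above this reports four warnings, `6667 /usr/sbin/bitlbee` as the port owner, `inconsistent` for the root-login settings (sshd says `without-password`, rkhunter expects `no`), and the two flagged paths. None of that says the host is compromised; it says what to verify next.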
 

 

 

 




 


#2 mremski

mremski

  • Members
  • 498 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH
  • Local time:06:25 AM

Posted 01 June 2017 - 08:29 AM

Most of the issues with "rootkit potential" on a *nix system have to do with application bugs and listening sockets.

netstat -aln will get you a list of ports on your system that are listening:  this means that someone could connect to them.  You have to see what address they are bound to:  localhost (127.0.0.1) or any (0.0.0.0).  Then take into account any firewall you may have in place:  if it's set up to be default deny inbound from the internet (the correct default stance in my opinion) then you've reduced the impact of the port being open.

That all applies to TCP port 6667 and BitlBee.  You need to research what BitlBee is, figure out if you need it and take appropriate action.  No one can tell you this; it's your call.

CUPS is another good example (printer interface).  If you do not have a locally attached printer or a network printer, why do you need CUPS running?  Waste of resources.

 

Suspicious file types:  dive into the rkhunter documentation to understand if these are important or not.

Hidden directories:  you know they exist, go see what's in them.  If you look in your $HOME you'll see tons of hidden files and directories.  ls -altr will show them all.

 

I know this sounds like I didn't help you, but you are in the best position to know what is normal on your system; just a bit of work with the rkhunter docs or internet searches should help you figure it out.  Besides, I may say "turn that off" and someone else may say "it's no biggie, leave it alone".  Who are you going to believe then?  :)


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
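The reasoning in the post above (list what is listening, check which address each socket is bound to, then factor in the firewall) can be made mechanical. The script below is an added example and is not mremski's code or anything from this thread: it classifies the TCP listeners in `netstat -aln` output by bind address and then subtracts the ports an inbound allow-list admits on purpose, so what remains is reachable only because nothing blocks it. The netstat output and the allow-list are constructed; on a real host you would feed it the output of `netstat -aln` (or `ss -ltn` on newer Debian releases) and your actual firewall policy.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the listening sockets in
# `netstat -aln` output by bind address, then subtract the ports the firewall
# admits on purpose. The netstat output and the allow-list are constructed.

# Write constructed `netstat -aln` output (Linux net-tools layout) to $1.
write_sample_netstat() {
    cat >"$1" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:50412      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Print "proto port" for TCP LISTEN sockets whose bind address is in class $2:
# "any" (0.0.0.0 or ::, i.e. every interface) or "loopback" (127.0.0.1 or ::1,
# unreachable from other hosts whatever the firewall says).
listeners() {
    awk -v class="$2" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]           # last field after ":" is the port
        addr = substr($4, 1, length($4) - length(port) - 1)
        any = (addr == "0.0.0.0" || addr == "::")
        lo  = (addr == "127.0.0.1" || addr == "::1")
        if ((class == "any" && any) || (class == "loopback" && lo)) print $1, port
    }' "$1"
}

# Listeners bound on every interface whose port is NOT in the inbound
# allow-list $2 (space-separated ports). Under a default-deny inbound policy
# the allow-listed ports are the expected exposure; these are the rest.
unfiltered_exposed() {
    listeners "$1" any | while read -r proto port; do
        case " $2 " in
            *" $port "*) ;;            # admitted on purpose
            *) echo "$proto $port" ;;  # nobody decided this should be reachable
        esac
    done
}

# Demo: the (constructed) firewall policy admits only SSH.
NS=$(mktemp)
write_sample_netstat "$NS"
echo "bound on all interfaces:";           listeners "$NS" any
echo "loopback only:";                     listeners "$NS" loopback
echo "exposed and not in the allow-list:"; unfiltered_exposed "$NS" "22"
rm -f "$NS"
```

With that sample the CUPS sockets on 631 come out as loopback-only, SSH on 22 as exposed but allow-listed, and `tcp 6667` as the one listener nobody decided should be reachable, which is exactly the question the post asks the original poster to settle for BitlBee.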


#3 GoofProg

GoofProg

  • Banned
  • 224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:25 AM

Posted 01 June 2017 - 12:57 PM

I thought port 6667 was an old official BitTorrent port. Ohh, possible IRC bot.  Are you hacking up a zombie for the Umbrella Corporation?



#4 Al1000

Al1000

  • Global Moderator
  • 8,120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:10:25 AM

Posted 01 June 2017 - 01:18 PM

I suggest uploading /usr/sbin/bitlbee to VirusTotal.

#5 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:05:25 AM

Posted 01 June 2017 - 01:48 PM

Looks like BitlBee is some chat client. Probably not malicious. But it never hurts to be safe.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#6 auto1571

auto1571
  • Topic Starter

  • Members
  • 331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:25 AM

Posted 01 June 2017 - 02:40 PM

Thanks for all the help. Even though BitlBee was legit, I removed it anyway. Then I did another updated scan, and no more backdoor port warnings were found, and no possible rootkits either. Thanks for all the help, guys.



#7 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 917 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:25 AM

Posted 01 June 2017 - 11:59 PM

I thought port 6667 was an old official BitTorrent port. Ohh, possible IRC bot.  Are you hacking up a zombie for the Umbrella Corporation?

 

https://www.grc.com/port_6667.htm

 

IRCU ... https://en.wikipedia.org/wiki/Ircu





