
rkhunter


54 replies to this topic

#1 frogbreath


Posted 01 July 2017 - 10:11 AM

Hello linux people :)

I am new to Linux and it has taken me 2 days to get rkhunter on my machine and figure out how to work it; I'm not very computer minded. Anyway, it says I have 9 suspect files. What do I do? I have updated it and run it again and still have them listed.

So what should I do now please?

I have listed the warning suspect files under this line of text.

/usr/bin/last                                            [ Warning ]
/usr/bin/logger                                          [ Warning ]
/usr/bin/whereis                                         [ Warning ]
/usr/bin/lwp-request                                     [ Warning ]
/sbin/fsck                                               [ Warning ]
/bin/dmesg                                               [ Warning ]
/sbin/sulogin                                            [ Warning ]
/bin/more                                                [ Warning ]
/bin/mount                                               [ Warning ]

Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]

System checks summary
=====================

File properties checks...
    Files checked: 143
    Suspect files: 9

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Applications checks...
    All checks skipped
 
 
 
 
 
 

 




 


#2 pcpunk


Posted 01 July 2017 - 07:38 PM

Those all look normal to me; rkhunter is a very advanced tool for folks that know what they are doing.  I was also curious like you at one time but don't run it anymore.  Unless you know how to use it and maintain your system carefully it won't be of much help IMO.  Would be nice to know but I don't have that kind of time or need.  Have you looked at these sites?

 

http://manpages.ubuntu.com/manpages/zesty/en/man8/rkhunter.8.html

Scroll to "Initial Test Runs" 

https://www.digitalocean.com/community/tutorials/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps

This one gives some good tips also:

https://help.ubuntu.com/community/RKhunter



 


#3 mremski


Posted 02 July 2017 - 02:43 AM

I'd start by looking into WHY rkhunter tagged those with a Warning.  That said, those are normal system files that, if you tried to delete them, you'd wind up in a world of hurt with an unbootable system.  /bin/mount is used to mount disk partitions; delete it and you're going to learn how to boot with a Linux Live CD to fix it.  Same for fsck and logger.




#4 frogbreath


Posted 02 July 2017 - 03:54 AM

@pcpunk Hello and thanks for the help. I haven't seen the first 2 links but the 3rd I have seen. Thank you.

I did come across lots of sites that said things about false positives, but I never know what is written by people who know their stuff.

So you reckon they are false positives. I'm very new to Linux and still don't get much of it, so I feel like a pea in the sea.

OK, I'll put them down to FPs, as nothing came up on Comodo AV or Sophos either, both of which have problems: Comodo 64-bit won't work, so I had to use 32-bit, and Sophos didn't like something on this version of Mint and it doesn't seem like they will be fixing it.

Can you recommend an antivirus for Mint please? Other people use the same network as me on Mac and Windows machines, so I don't want to pass anything on if I do get infected. From what I have been reading, Linux can get malware but it's uncommon, so they say, but I have been reading about a lot of malware references in recent times. Sorry for all the questions; like I say, I'm new at Linux and don't have a clue. I can install stuff and find directories/files using cd and not much else so far. I installed gufw for a firewall.

Thanks for your time bud



#5 frogbreath


Posted 02 July 2017 - 03:56 AM

@mremski thanks for your help.  I have looked at what they do but get different answers from the net, so I'm unsure as I am not familiar with Linux. I'll put them down to FPs.

Thanks bud



#6 pcpunk


Posted 02 July 2017 - 10:35 AM

mremski will be of much more help than I, and some of the other members here.  I never worried about infecting Windows users because I never sent anything to them that had the slightest chance of infection.  

 

Suspect files means exactly that, they are just suspect and will need looking into by someone with higher knowledge than me.  You need to start using Rkhunter with a clean slate, using those tutorials will help you achieve this.  The most important Command would be "sudo rkhunter --propupd" after you know you have a clean system.  Running Updates will produce False Positives also, because the Checksum Signature of the Files has changed.

 

Here is a good Post that describes in layman's terms how Rkhunter works.

https://ubuntuforums.org/showthread.php?t=2177662&p=12804258#post12804258

File properties checks...
    Files checked: 143
    Suspect files: 9

At least this tells us that there are no Rootkits

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Remember, you don't have to download and install many Programs unless you want the latest version; Mint comes with the stable versions of most of these Malware programs, all you have to do is install via the Terminal with "apt-get" or Software Manager.  E.g. "sudo apt-get install rkhunter" would have only taken a few minutes...seconds.

 

Why don't you post exactly which distro you are running in case someone wants to help you with this.  Run this command in the Terminal, copy and paste it into your next post and save it to a Txt document for later use.

inxi -Fz

I've never had a system infection if that helps, and don't think you have one now, but let some of the staff or more knowledgeable members take a look at those.

 

You may also want to post the "/var/log/rkhunter.log" in a Spoiler.  After Copying it, go to the Third Icon from Left at the Top of the Post.  When it opens, under BBC click on "Select" and scroll down till you see "Spoiler", and Paste the outcome of the log.
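As an added example (not code from any poster in this thread), a POSIX shell script that pulls the [ Warning ] paths out of rkhunter output, cross-checks each one against dpkg's package database on a Debian-based system such as Mint, and only suggests refreshing the file-properties baseline with --propupd when no rootkit was reported and every flagged binary still matches its package checksum. The sample output and the function names are my own constructions.

```shell
#!/bin/sh
# Constructed sample of rkhunter output modelled on the thread (not the poster's real log).
SAMPLE_OUTPUT='/usr/bin/last                                            [ Warning ]
/usr/bin/logger                                          [ Warning ]
/bin/mount                                               [ Warning ]
/bin/ls                                                  [ OK ]
    Checking /dev for suspicious file types                  [ Warning ]
    Suspect files: 3
    Possible rootkits: 0'

# Absolute paths that rkhunter flagged with [ Warning ], one per line.
warned_paths() {
    printf '%s\n' "$1" | awk '/^\/.*\[ Warning \]/ { print $1 }'
}

# True (0) when the summary reports zero possible rootkits.
no_rootkits_reported() {
    printf '%s\n' "$1" | grep -q 'Possible rootkits: 0$'
}

# Cross-check one flagged path against the dpkg database (Debian/Ubuntu/Mint).
# A packaged file whose recorded checksum still matches is the classic
# "apt upgrade changed the binary" false positive; an unpackaged or
# modified binary needs a closer look before the baseline is refreshed.
check_path() {
    path=$1
    command -v dpkg >/dev/null 2>&1 || { echo "$path: dpkg not available, cannot verify"; return 2; }
    pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pkg" ] || { echo "$path: not owned by any package, investigate"; return 1; }
    if dpkg --verify "$pkg" 2>/dev/null | grep -q " $path\$"; then
        echo "$path: owned by $pkg but differs from the package checksum, investigate"
        return 1
    fi
    echo "$path: owned by $pkg and verifies clean, likely false positive"
}

# Only suggest refreshing the file-properties baseline (rkhunter --propupd)
# when no rootkit was reported and every flagged file verified clean.
triage() {
    no_rootkits_reported "$1" || { echo "rootkit reported, do not refresh baseline"; return 1; }
    rc=0
    for p in $(warned_paths "$1"); do check_path "$p" || rc=1; done
    [ "$rc" -eq 0 ] && echo "all warnings explained: run 'sudo rkhunter --propupd'"
    return "$rc"
}

triage "$SAMPLE_OUTPUT" || :
```

To use it on a real run, replace SAMPLE_OUTPUT with the contents of /var/log/rkhunter.log (or the output of sudo rkhunter --check --skip-keypress).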



 


#7 frogbreath


Posted 02 July 2017 - 01:27 PM

Thank you Pcpunk

 

Kernel: 4.4.0-78-generic x86_64 (64 bit)
Desktop: MATE 1.14.1  
Distro: Linux Mint 18 Sarah
 
I'm unsure how to find the log file I will have to post that once I work it out :)


#8 frogbreath


Posted 02 July 2017 - 02:51 PM

Here's the log.

I did an update and some other things and I got the warnings down to 1.

Thanks for those links again they helped.

 

 

Spoiler



#9 mremski


Posted 03 July 2017 - 02:27 AM

Updating the tool is usually a good first step.  As you saw, it reduced the false positives (yes, those were false positives in the OP).  One of the first things you could have (should have?) done with the original list of warnings was to read the man page (*nix help system).  From a terminal window type in "man" followed by the command name:

 

  man logger

 

and read what it says.

 

The warning above for lwp-request looks like it's trying to say "this command is a script instead of a binary"  (think .bat vs .exe in Windows).  I'd chalk that up as another false positive.

The other warnings (talking about /dev files and hidden files) are also likely false positives.  The /dev/shm/pulse-audio files are likely memory mapped areas for audio devices, the /etc/.java is likely from installation, the /etc/.hosts.swap.data is probably a leftover editor recovery file.




#10 frogbreath


Posted 03 July 2017 - 04:39 AM

@mremski Hello, yeah, I'm still on a Windows user brain as I'm new to the Linux way of doing things; it's a lot to learn. I will have to read more, you're right. I am surprised Linux doesn't have an easy to use malware scanner that scans for Linux/Mac/Windows malware, very surprised.

Thank you very much for your help. I will learn better how to use rkhunter and Linux. Learning to code CSS and HTML too and still use Linux; it's a lot to learn but I think worth it, as Windows has gone right downhill and Mac is too much of a money making gimmick for me.

Thanks again everyone for the help



#11 Al1000


Posted 03 July 2017 - 06:53 AM

While I use Windows Defender and Malwarebytes with Windows, I don't use any anti-malware products with Linux because of the lack of malware for Linux. However I have tried Sophos, and recall it being easy to use:

https://www.bleepingcomputer.com/forums/t/578679/sophos-antivirus-for-linux/

#12 frogbreath


Posted 03 July 2017 - 07:17 AM

@AL1000 Hello, I have tried Sophos and it appears that it doesn't work right with current versions of Mint. I didn't understand why; I think it's something to do with the kernel. I tried to find a fix but can't see anything I understand. I am pretty new at Linux; I have been using it for a small amount of time, and tried it a while back but that only lasted a week. I am now determined to stick with it and learn. I also tried Comodo but again there seem to be problems and no immediate fix. Clam gets awful results. I am about to try Bitdefender's AV for Linux but not for a few days, maybe weeks; pretty busy atm.

Thanks for the information bud.

I was in Scotland not long ago, Campbeltown. I was walking the Kintyre Way and went on the last Megabus Gold, found a deer antler and as a bonus sold it and it paid for my trip. Trippy, huh. I was amazed how many homeless there were in Glasgow, an incredible amount.



#13 pcpunk


Posted 03 July 2017 - 10:37 AM

 

I am about to try bit defenders av for linux but not for a few days maybe weeks.

Please tell me how this goes?  

 

While I don't believe I need an AV for Linux, sometimes I get browser infections that BitDefender may help with, also just curious.  Most of them are not up-to-date for Linux, or unneeded, but I can't help myself LOL.  I tried Sophos once too, but it was a lot of work for little in return, mostly for other members helping me.

 

I think Clearing your Browser Cache properly will be the best thing we can do as Linux users, in addition to running rkhunter and chkrootkit.  You can also do Integrity Checks with the original Install media that may fix or show Infections?  I've used it to fix corrupt filesystems, with help from others.



 


#14 frogbreath


Posted 03 July 2017 - 12:34 PM

@pcpunk I will let you know what it's like, i.e. if it is easy to use. As for detection rate, I looked it up and it's said it has one of the best, but that's others saying that and I am in no way an expert on AVs; I wouldn't know where to start to check detection rate apart from running that test virus, but I don't think that's a proper real world test myself.

How, or with what tool, do you run an integrity test for Linux please?

 

Thank you Pcpunk



#15 cat1092


Posted 03 July 2017 - 01:52 PM

frogbreath, welcome to the Linux Community of Bleeping Computer Forums! :)

 

Looks like you have experience, exactly what we need here & hope that you'll feel right at home here. Unlike 'dedicated' Linux sites, we don't get into bashing members over our chosen OS, even if dual booting with another, or running another on a different computer, that's our choice. Rather, we focus on learning & assisting one another to the best of our knowledge, even if the 'cure' is a link from another Forum. 

 

That stated, should you choose a security app, avoid ESET NOD32 for Linux like the plague; while it can be useful in some situations, for most it only causes negative issues, such as not shutting down, or a long delay before a reboot. If running an SSD, forcing shutdowns is not good for the drive. I discovered that the app was the cause after a clean install of Linux Mint 18 on the notebook my wife uses; the difference in shutdown/reboot was like day & night, it does either in no time. Then I installed NOD32 & that's when things went downhill again, so I removed it not only from that computer, but the rest also. All that it did was detect Windows threats, which may be good if running a Mail server for Windows machines, but most of us aren't that deep into this. All we want is an OS that properly runs & does what's needed/desired :)

 

I recall the Sophos Topic sometime back, although I didn't bother with setup because of the complicated steps involved. However their free edition provides excellent active security on a Windows computer & installs easily. Would be fantastic if Sophos for Linux was offered as a .deb file, or a similar one for non-Ubuntu based Linux versions; there are several, some with entirely different file systems (type of formatting).

 

As to rkhunter, I've run it, and it came back with a lot of false positives, same with a similar app, chkrootkit, & these were on new installs with the ufw Firewall enabled by default, therefore shouldn't have been infected. I used to run these tools regularly, although I stopped because of this & just make sure to securely close the browser, deleting cookies & private data. Click & Clean can do this for Google Chrome; while available for Firefox, I am unsure if it works the same, so I have the Better Privacy app installed, which deletes LSO cookies that are hard to find & linger if not purged.

 

When making a transaction, I now use the latest bootable version of Linux Mint on DVD (the non-RW type), which runs in memory only & the optical media has been finalized, why it's imperative for security to use + or -R media, and not a USB stick. Then I'm assured of a clean environment, as long as I've not been browsing around & get to business Malware free, regardless of the condition of the installed OS on the internal drive, be it Linux or Windows. 

 

Good Luck with your OS, hopefully the integrity test that I've never run will come back clean. :)

 

Cat






