Installation of rkhunter and chkrootkit

Hi People,

Something I should have done long ago, I know.

I have looked at installing rkhunter and chkrootkit and I have searched the forum but can’t find the info I need.

I found this thread with instructions https://www.virtualmin.com/node/6561 which says:

Webmin > System > Software Packages Browse YUM for rkhunter, pick the version for your OS, Install

Rkhunter does not show up on a search of YUM.

I also found the following thread
https://www.virtualmin.com/node/7983
which mentions installing the compiler.

Both of these are quite old now. Is there a more up to date instruction somewhere? This server is running so well I don’t want to do something which will mess it all up.

Many thanks for reading and any advice you can offer.

Tim

CentOS Linux 5.6
Webmin 1.550
Virtualmin 3.84 Pro

Howdy,

Yeah, while those apps are available in Debian and Ubuntu, they’re unfortunately not included in the CentOS yum repository.

So to install them, you’ll either have to build them manually, or find a trustworthy source with a .rpm file containing those.

Note that I don’t recommend enabling a third party repository, but downloading a couple of apps such as what you’re after from a third party source is typically fine.

-Eric

Would this do?
http://pkgs.org/centos-5-rhel-5/rpmforge-i386/chkrootkit-0.47-1.el5.rf.i386.rpm.html

So you got all that on the first run?

That’s weird, there’d be no point of reference :)

Whenever it gives you all that info, it would typically be during a comparison to the last time rkhunter ran. Is it possible a version of rkhunter was already installed, and had been run awhile ago?

Anyhow –

You should get a notice about users added to the /etc/passwd file since the last time it ran. There’s no need to run --propupd for that, it’ll always tell you that information once. I’d suggest each time you see those, doing a quick review of the users to make sure they’re all legitimate.

As far as the file warnings go – after installing rkhunter, one of the first things you should do is run “--propupd”. That’ll generate a database of certain files on your system. Each time you run rkhunter from here on out, it’ll compare your files to what’s in that database. The only time those files should be different is if you recently ran a package update that changed them.

-Eric
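
The comparison Eric describes above, written out as an added example (not from this thread and not rkhunter’s own code): a stripped-down version of the file-properties database that --propupd creates and that a later run checks against. It assumes GNU coreutils (sha1sum, stat -c, touch -r, mktemp -d) as on CentOS; the file names and contents in the demo are constructed here, and rkhunter’s real database records more properties than the two shown.

```shell
#!/bin/sh
# Added example, not rkhunter's code: a minimal file-properties database.
# Format of the database: one line per file, "path sha1 mtime".

# propupd DB FILE... : record the current hash and mtime of each FILE.
# This is the equivalent of `rkhunter --propupd`.
propupd() {
    db="$1"; shift
    : > "$db"
    for f in "$@"; do
        h=$(sha1sum "$f" | awk '{print $1}')
        m=$(stat -c %Y "$f")
        printf '%s %s %s\n' "$f" "$h" "$m" >> "$db"
    done
}

# propcheck DB : compare every recorded file against its stored properties.
# Warnings go to stderr; the number of changed or missing files is echoed.
# This is the equivalent of the "file properties have changed" warning that
# a normal `rkhunter -c` run prints. (Paths with spaces are not handled.)
propcheck() {
    db="$1"
    changed=0
    while read -r f stored_hash stored_mtime; do
        if [ ! -e "$f" ]; then
            echo "Warning: File $f has been removed" >&2
            changed=$((changed + 1))
            continue
        fi
        cur_hash=$(sha1sum "$f" | awk '{print $1}')
        cur_mtime=$(stat -c %Y "$f")
        if [ "$cur_hash" != "$stored_hash" ] || [ "$cur_mtime" != "$stored_mtime" ]; then
            echo "Warning: The file properties have changed: File: $f" >&2
            echo "  Current hash: $cur_hash" >&2
            echo "  Stored hash : $stored_hash" >&2
            echo "  Current file modification time: $cur_mtime" >&2
            echo "  Stored file modification time : $stored_mtime" >&2
            changed=$((changed + 1))
        fi
    done < "$db"
    echo "$changed"
}

# demo : build a database over two constructed "binaries", then replace one
# of them while putting its old mtime back, the way a trojaned binary might
# be planted. The mtime check alone would miss it; the hash catches it.
demo() {
    tmp=$(mktemp -d)
    db="$tmp/rkhunter.dat"
    printf 'cat v1\n' > "$tmp/cat"     # constructed stand-in for /bin/cat
    printf 'ls v1\n'  > "$tmp/ls"      # constructed stand-in for /bin/ls
    propupd "$db" "$tmp/cat" "$tmp/ls"

    touch -r "$tmp/cat" "$tmp/stamp"   # remember the original mtime
    printf 'cat trojan\n' > "$tmp/cat" # replace the contents
    touch -r "$tmp/stamp" "$tmp/cat"   # restore the mtime to hide the change

    propcheck "$db"                    # prints 1: only "cat" differs
    rm -rf "$tmp"
}

demo
```

On a real CentOS box the known-good reference Tim asks about is the RPM database: `rpm -Vf /bin/cat` verifies the file against the digest recorded by the package that owns it, so a changed file that a recent `yum update` explains will verify clean, and only then is `rkhunter --propupd` the right response. Keep in mind that the RPM database and rkhunter’s own database both live on the machine being checked, so on a box you already suspect, neither is independent evidence.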

Thanks Eric for making me feel a little more confident in what I was doing and Ronald for pointing me in the right direction.

But you knew I would be back with some questions I guess.

I started with rkhunter and install via Webmin>System>Software Packages went like a dream. Brilliant!

Then I ran rkhunter and got many (maybe hundreds) warnings like this:

/bin/cat [ Warning ]
Warning: The file properties have changed:
File: /bin/cat
Current hash: a12455633de1b36ce0e0b50e6999eee38588b442
Stored hash : 76e738a04dcaa29189e50852cf13bc67a9fe355e
Current file modification time: 1301505162 (30-Mar-2011 18:12:42)
Stored file modification time : 1256609348 (27-Oct-2009 02:09:08)

None of the dates I see coincide with the dates that the update was run via YUM or the times I would have been working on the server.

I Googled and found that this is most likely all false positives and that I should run with the ‘--propupd’ option, but that I should check the hash against a known good file first. I did find some references to doing that, but where could I find a list/method of doing that with the Webmin installation?

I also see many (maybe for all users) of these:

Warning: Changes found in the passwd file for user ‘somebody.rothlp’:
Warning: User ‘another.rothlp’ has been removed from the passwd file.
Warning: User ‘aperson.rothlp’ has been added to the passwd file.

I couldn’t find a reliable post confirming that these would also be resolved when running with the ‘--propupd’ option.

The good news is “Possible rootkits: 0”

Many thanks for any input anyone can offer,

Tim

Dammitall !

Thanks for the replies, people.

I wasn’t happy with things and decided to do some more digging around.

Unfortunately the box must have been compromised.

There are a number of signs that I see reported elsewhere that confirm this. :o(

The worst part of all this is that although I took backups of the os and configs and sites, I did that to a second drive in the same server. The OS and config backups have been deleted.

LESSON LEARNED !

Do I sound bitter and twisted ?

Well, if it’s the feeling that you want to kick someone’s teeth so far down their throat that they have to see a proctologist instead of a dentist, then yes, I guess I am bitter and twisted. :o)

New server ordered so I can transfer stuff over.

I’m sure I will have some questions, sorry guys.