Re: system compromised
On Sun, 5 Sep 2010 15:21:50 +0800
Umarzuki Mochlis <umarzuki@gmail.com> wrote:
> Hi,
>
> I ran rkhunter on my debian 5 vps and got all these warnings:
>
> $ grep Warning rkhunter.log
> [06:47:36] Warning: Checking for prerequisites [ Warning ]
> [06:47:36] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
> [06:47:39] /bin/which [ Warning ]
> [06:47:39] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
> [06:47:40] /usr/bin/groups [ Warning ]
> [06:47:40] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: POSIX shell script text executable
> [06:47:40] /usr/bin/ldd [ Warning ]
> [06:47:40] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
> [06:47:43] /usr/bin/lwp-request [ Warning ]
> [06:47:43] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable
> [06:47:45] /usr/sbin/adduser [ Warning ]
> [06:47:45] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable
> [06:49:35] Checking for string 'hdparm' [ Warning ]
> [06:49:36] Warning: Checking for possible rootkit strings [ Warning ]
> [06:49:37] Checking for enabled inetd services [ Warning ]
> [06:49:38] Warning: Found enabled inetd service: talk
> [06:49:38] Warning: Found enabled inetd service: ntalk
> [06:49:38] Checking loaded kernel modules [ Warning ]
> [06:49:38] Warning: No output found from the lsmod command or the /proc/modules file:
> [06:51:07] Checking if SSH root access is allowed [ Warning ]
> [06:51:07] Warning: The SSH and rkhunter configuration options should be the same:
> [06:51:25] Checking version of GnuPG [ Warning ]
> [06:51:25] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
> [06:51:25] Checking version of OpenSSL [ Warning ]
> [06:51:25] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
> [06:51:25] Checking version of PHP [ Warning ]
> [06:51:25] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
> [06:51:25] Checking version of OpenSSH [ Warning ]
> [06:51:25] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
>
> aside from the PermitRootLogin = yes, does this mean that the vps was
> compromised?
>
Probably not. Have you done updates recently? After you installed
rkhunter, did you run it with the --propupd switch?
Odd though, my which resides in /usr/bin as opposed to your /bin.
This could be a difference between your Deb 5 and my Sid though.
--
Best regards,
Chris
1AB5FEF8
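One way to triage the "replaced by a script" warnings above before trusting --propupd, as an added example that is not code from either poster: pull the flagged paths out of the grep output and compare each file's MD5 with the checksum dpkg recorded at install time in /var/lib/dpkg/info/<pkg>.md5sums (the same data debsums reads). The sample log lines and file contents below are constructed so the block runs offline; real use is noted in the comment at the bottom.

```python
import hashlib
import re
from pathlib import Path

# Matches the rkhunter warning class discussed in the thread (log lines must be unwrapped).
SCRIPT_WARNING = re.compile(r"The command '(?P<path>[^']+)' has been replaced by a script")


def flagged_paths(log_text):
    """Paths rkhunter reported as 'replaced by a script'."""
    return [m.group("path") for m in SCRIPT_WARNING.finditer(log_text)]


def parse_md5sums(md5sums_text):
    """dpkg's <pkg>.md5sums lines look like '<md5>  <path relative to />'."""
    table = {}
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            table["/" + parts[1].strip()] = parts[0]
    return table


def load_dpkg_md5sums(info_dir="/var/lib/dpkg/info"):
    """Merge the md5sums files of every installed package."""
    table = {}
    for f in Path(info_dir).glob("*.md5sums"):
        table.update(parse_md5sums(f.read_text(errors="replace")))
    return table


def verify(paths, md5_table, read_bytes=lambda p: Path(p).read_bytes()):
    """'ok' if the file matches dpkg's record, 'MODIFIED' if not, 'unknown' if no package owns it."""
    results = {}
    for path in paths:
        expected = md5_table.get(path)
        if expected is None:
            results[path] = "unknown"   # not shipped by any package: inspect by hand
        else:
            actual = hashlib.md5(read_bytes(path)).hexdigest()
            results[path] = "ok" if actual == expected else "MODIFIED"
    return results


# Constructed sample: one pristine script, one that no longer matches its dpkg checksum.
SAMPLE_LOG = ("[06:47:39] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable\n"
              "[06:47:45] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable\n")
SAMPLE_FILES = {"/bin/which": b"#! /bin/sh\n# constructed stand-in for the packaged script\n",
                "/usr/sbin/adduser": b"#!/usr/bin/perl\n# constructed: differs from the packaged copy\n"}
SAMPLE_MD5SUMS = (hashlib.md5(SAMPLE_FILES["/bin/which"]).hexdigest() + "  bin/which\n"
                  + hashlib.md5(b"#!/usr/bin/perl\n# constructed pristine copy\n").hexdigest() + "  usr/sbin/adduser\n")


def demo():
    # On a real box: verify(flagged_paths(Path("rkhunter.log").read_text()), load_dpkg_md5sums())
    return verify(flagged_paths(SAMPLE_LOG), parse_md5sums(SAMPLE_MD5SUMS), SAMPLE_FILES.__getitem__)
```

The md5sums files sit on the same disk and can be rewritten by anyone who already has root, so a match only rules out the clumsy case; for a host you genuinely suspect, compare against checksums taken from a freshly downloaded .deb or from a known-good machine.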