
Re: system compromised



On Sun, 5 Sep 2010 15:21:50 +0800
Umarzuki Mochlis <umarzuki@gmail.com> wrote:

> Hi,
> 
> I ran rkhunter on my debian 5 vps and got all these warnings:
> 
> $ grep Warning rkhunter.log
> [06:47:36] Warning: Checking for prerequisites
> [ Warning ] [06:47:36] Warning: WARNING! It is the users
> responsibility to ensure that when the '--propupd' option
> [06:47:39] /bin/which
> [ Warning ] [06:47:39] Warning: The command '/bin/which' has been
> replaced by a script: /bin/which: POSIX shell script text executable
> [06:47:40] /usr/bin/groups
> [ Warning ] [06:47:40] Warning: The command '/usr/bin/groups' has
> been replaced by a script: /usr/bin/groups: POSIX shell script text
> executable
> [06:47:40] /usr/bin/ldd
> [ Warning ] [06:47:40] Warning: The command '/usr/bin/ldd' has been
> replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
> executable
> [06:47:43] /usr/bin/lwp-request
> [ Warning ] [06:47:43] Warning: The command '/usr/bin/lwp-request'
> has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl
> -w script text executable
> [06:47:45] /usr/sbin/adduser
> [ Warning ] [06:47:45] Warning: The command '/usr/sbin/adduser' has
> been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script
> text executable
> [06:49:35]     Checking for string 'hdparm'                  [ Warning ]
> [06:49:36] Warning: Checking for possible rootkit strings    [ Warning ]
> [06:49:37]   Checking for enabled inetd services             [ Warning ]
> [06:49:38] Warning: Found enabled inetd service: talk
> [06:49:38] Warning: Found enabled inetd service: ntalk
> [06:49:38]   Checking loaded kernel modules                  [ Warning ]
> [06:49:38] Warning: No output found from the lsmod command or the /proc/modules file:
> [06:51:07] Checking if SSH root access is allowed          [ Warning ]
> [06:51:07] Warning: The SSH and rkhunter configuration options should be the same:
> [06:51:25]   Checking version of GnuPG                       [ Warning ]
> [06:51:25] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
> [06:51:25]   Checking version of OpenSSL                     [ Warning ]
> [06:51:25] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
> [06:51:25]   Checking version of PHP                         [ Warning ]
> [06:51:25] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
> [06:51:25]   Checking version of OpenSSH                     [ Warning ]
> [06:51:25] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
> 
> aside from the PermitRootLogin = yes, does this mean that the vps was
> compromised?
> 

Probably not. Have you done updates recently? After you installed
rkhunter, did you run it with the --propupd switch?

Odd though, my which resides in /usr/bin as opposed to your /bin.
This could be a difference between your Deb 5 and my Sid though.

-- 
Best regards,

Chris
1AB5FEF8
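The "replaced by a script" warnings above are rkhunter noticing that a path it expects to be a binary is a script; on Debian that is normal for some tools (/bin/which from debianutils is a shell script), so the useful check is whether the file still matches what the package manager installed, before anything is whitelisted with --propupd. dpkg records an MD5 for every packaged file in /var/lib/dpkg/info/<package>.md5sums (the debsums tool automates this), and the script below, an added example written for this thread rather than anything posted by Umarzuki or Chris, parses the rkhunter warnings for the flagged paths and compares each file's hash with a dpkg-style md5sums record. The log lines, the md5sums record and the files under a temporary root are all constructed here so it runs offline; on a real host you would point it at / and at the md5sums files of the owning packages (found with dpkg -S <path>).

```python
"""Triage rkhunter 'replaced by a script' warnings against dpkg's recorded checksums."""
import hashlib
import os
import re
import tempfile

# Constructed sample log lines, modelled on the rkhunter format quoted in the thread.
SAMPLE_LOG = """\
[06:47:39] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
[06:47:40] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[06:49:38] Warning: Found enabled inetd service: talk
[06:51:25] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
"""

REPLACED_RE = re.compile(r"Warning: The command '([^']+)' has been replaced by a script")


def replaced_commands(log_text):
    """Return the paths rkhunter reports as 'replaced by a script', in log order."""
    return [m.group(1) for m in map(REPLACED_RE.search, log_text.splitlines()) if m]


def load_md5sums(text):
    """Parse dpkg .md5sums content ('<md5>  <path without leading slash>' per line)."""
    sums = {}
    for line in text.splitlines():
        digest, _, rel = line.partition("  ")
        if digest and rel:
            sums["/" + rel.strip()] = digest.strip()
    return sums


def verify_against_md5sums(paths, md5sums, root="/"):
    """Classify each path as ok (matches dpkg record), modified, missing, or unknown (not in record)."""
    results = {}
    for path in paths:
        expected = md5sums.get(path)
        if expected is None:
            results[path] = "unknown"      # not owned by the package record we were given
            continue
        full = os.path.join(root, path.lstrip("/"))
        try:
            with open(full, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
        except OSError:
            results[path] = "missing"
            continue
        results[path] = "ok" if actual == expected else "modified"
    return results


def demo():
    """Build a throwaway root with constructed files: one untouched script, one altered after install."""
    root = tempfile.mkdtemp()
    packaged_which = b"#!/bin/sh\n# constructed stand-in for Debian's which, a legitimate shell script\n"
    packaged_ldd = b"#!/bin/bash\n# constructed stand-in for the packaged ldd wrapper\n"
    tampered_ldd = packaged_ldd + b"echo changed-after-install\n"
    # The md5sums record reflects what the package shipped, exactly as dpkg would have written it.
    md5sums_text = "\n".join(
        f"{hashlib.md5(content).hexdigest()}  {rel}"
        for rel, content in (("bin/which", packaged_which), ("usr/bin/ldd", packaged_ldd))
    )
    # What is actually on disk: which is intact, ldd was modified.
    for rel, content in (("bin/which", packaged_which), ("usr/bin/ldd", tampered_ldd)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return verify_against_md5sums(replaced_commands(SAMPLE_LOG), load_md5sums(md5sums_text), root=root)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9} {path}")
```

A path that comes back "ok" is a false positive to record with --propupd; "modified" or "unknown" is the case to investigate further, and since dpkg's md5sums live on the same disk as the flagged files, a checksum match is only as trustworthy as the host's package database, so a pristine copy of the package from the mirror is the better reference on a box you already distrust.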

