Re: [rkhunter] coyote.coyote.den - Daily report
On Monday 27 November 2017 14:35:17 root wrote:
Installed new firefox-esr yesterday, from the wheezy repos. Today,
rkhunter has a cow:
> Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: Perl script, ASCII text executable
> Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
> Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
> Warning: The following suspicious shared memory segments have been found:
> Process: /usr/lib/firefox-esr/firefox-esr PID: 16994 Owner: gene
> Process: /usr/lib/firefox-esr/firefox-esr PID: 16994 Owner: gene
> Warning: Found enabled xinetd service: /etc/xinetd.d/amanda
> Warning: Found enabled xinetd service: /etc/xinetd.d/saned
> Warning: Found enabled xinetd service: /etc/xinetd.d/sshd-xinetd
> Warning: Network TCP port 1524 is being used by /usr/sbin/portsentry. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor
> Use the 'lsof -i' or 'netstat -an' command to check this.
> Warning: Network TCP port 6667 is being used by /usr/sbin/portsentry. Possible rootkit: Possible rogue IRC bot
> Use the 'lsof -i' or 'netstat -an' command to check this.
> Warning: Network TCP port 31337 is being used by /usr/sbin/portsentry. Possible rootkit: Historical backdoor port
> Use the 'lsof -i' or 'netstat -an' command to check this.
> Warning: The SSH and rkhunter configuration options should be the same:
> SSH configuration option 'PermitRootLogin': yes
> Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
> Warning: Hidden directory found: /etc/.java
How should I restore?
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
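A small triage parser for this kind of rkhunter daily report, added here as an example; it is not part of the original thread or of rkhunter itself. It unwraps the mail-wrapped warnings, classifies each one, and pulls out the fields a defender checks first (which binary changed and into what, which port and program, which options disagree, which PIDs hold the shared memory). The category names and regexes are assumptions written against the wording of this report, and the report text is a constructed copy of the warnings quoted above.

```python
import re
from collections import Counter

# Constructed sample: the thirteen warnings from the quoted daily report, one per line
REPORT = """
Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: Perl script, ASCII text executable
Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The following suspicious shared memory segments have been found: Process: /usr/lib/firefox-esr/firefox-esr PID: 16994 Owner: gene Process: /usr/lib/firefox-esr/firefox-esr PID: 16994 Owner: gene
Warning: Found enabled xinetd service: /etc/xinetd.d/amanda
Warning: Found enabled xinetd service: /etc/xinetd.d/saned
Warning: Found enabled xinetd service: /etc/xinetd.d/sshd-xinetd
Warning: Network TCP port 1524 is being used by /usr/sbin/portsentry. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Network TCP port 6667 is being used by /usr/sbin/portsentry. Possible rootkit: Possible rogue IRC bot Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Network TCP port 31337 is being used by /usr/sbin/portsentry. Possible rootkit: Historical backdoor port Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: The SSH and rkhunter configuration options should be the same: SSH configuration option 'PermitRootLogin': yes Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Hidden directory found: /etc/.java
"""

# One regex per warning class (assumed names); named groups are the fields worth triaging on.
PATTERNS = {
    "replaced_by_script": re.compile(r"command '(?P<path>[^']+)' has been replaced by a script: [^:]+: (?P<kind>[^,]+)"),
    "shared_memory": re.compile(r"suspicious shared memory segments"),
    "xinetd_service": re.compile(r"enabled xinetd service: (?P<path>\S+)"),
    "network_port": re.compile(r"TCP port (?P<port>\d+) is being used by (?P<program>\S+)\. Possible rootkit: (?P<hint>.*?) Use the"),
    "config_mismatch": re.compile(r"SSH configuration option '(?P<ssh_opt>[^']+)': (?P<ssh_val>\S+) Rkhunter configuration option '(?P<rk_opt>[^']+)': (?P<rk_val>\S+)"),
    "hidden_dir": re.compile(r"Hidden directory found: (?P<path>\S+)"),
}

def parse_warnings(text):
    """Unwrap the mail text, split it into warnings, and tag each with a category and fields."""
    findings = []
    for chunk in re.split(r"\bWarning:\s*", " ".join(text.split()))[1:]:
        for category, rx in PATTERNS.items():
            m = rx.search(chunk)
            if m:
                fields = m.groupdict()
                if category == "shared_memory":
                    # The report lists the same process twice; keep only the distinct PIDs.
                    fields["pids"] = sorted(set(re.findall(r"PID: (\d+)", chunk)))
                findings.append({"category": category, **fields})
                break
        else:
            findings.append({"category": "unclassified", "text": chunk})
    return findings

def summarize(findings):
    """Count findings per category so a burst of one class stands out from the rest."""
    return dict(Counter(f["category"] for f in findings))
```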