Re: [rkhunter] coyote.coyote.den - Daily report

To: debian-user@lists.debian.org
Subject: Re: [rkhunter] coyote.coyote.den - Daily report
From: Gene Heskett <gheskett@shentel.net>
Date: Mon, 27 Nov 2017 15:46:55 -0500
Message-id: <[🔎] 201711271546.55952.gheskett@shentel.net>
In-reply-to: <E1eJPBV-0004pp-2s@coyote.coyote.den>
References: <E1eJPBV-0004pp-2s@coyote.coyote.den>

On Monday 27 November 2017 14:35:17 root wrote:

Installed new firefox-esr yesterday, from the wheezy repos. Today, 
rkhunter has a cow:

> Warning: The command '/sbin/chkconfig' has been replaced by a script:
> /sbin/chkconfig: Perl script, ASCII text executable Warning: The
> command '/bin/which' has been replaced by a script: /bin/which: POSIX
> shell script, ASCII text executable Warning: The command
> '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser:
> Perl script, ASCII text executable Warning: The command '/usr/bin/ldd'
> has been replaced by a script: /usr/bin/ldd: Bourne-Again shell
> script, ASCII text executable Warning: The following suspicious shared
> memory segments have been found: Process:
> /usr/lib/firefox-esr/firefox-esr    PID: 16994    Owner: gene Process:
> /usr/lib/firefox-esr/firefox-esr    PID: 16994    Owner: gene Warning:
> Found enabled xinetd service: /etc/xinetd.d/amanda
> Warning: Found enabled xinetd service: /etc/xinetd.d/saned
> Warning: Found enabled xinetd service: /etc/xinetd.d/sshd-xinetd
> Warning: Network TCP port 1524 is being used by /usr/sbin/portsentry.
> Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor Use the
> 'lsof -i' or 'netstat -an' command to check this. Warning: Network TCP
> port 6667 is being used by /usr/sbin/portsentry. Possible rootkit:
> Possible rogue IRC bot Use the 'lsof -i' or 'netstat -an' command to
> check this. Warning: Network TCP port 31337 is being used by
> /usr/sbin/portsentry. Possible rootkit: Historical backdoor port Use
> the 'lsof -i' or 'netstat -an' command to check this. Warning: The SSH
> and rkhunter configuration options should be the same: SSH
> configuration option 'PermitRootLogin': yes
>          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
> Warning: Hidden directory found: /etc/.java

How should I restore?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Reply to:

Follow-Ups:
- Re: [rkhunter] coyote.coyote.den - Daily report
  - From: Brian <ad44@cityscape.co.uk>
- Re: [rkhunter] coyote.coyote.den - Daily report
  - From: deloptes <deloptes@gmail.com>

Prev by Date: Re: unsure how to track down kernel stack traces in debian 9.2 on vmware ESXi
Next by Date: Re: [rkhunter] coyote.coyote.den - Daily report
Previous by thread: Re: unsure how to track down kernel stack traces in debian 9.2 on vmware ESXi
Next by thread: Re: [rkhunter] coyote.coyote.den - Daily report
Index(es):
- Date
- Thread