Full Version: centos 5 and security
The Planet Forums > Control Panels > cPanel/WHM
rockster
We opted for a new system after running Red Hat for 6 years on various servers. Our system: CentOS 5, RAID 1, 3060, 4 GB RAM, WebHost Manager (though we never requested RAID and now do not have backup), PHP 5, MySQL 5, updated Apache, WHM etc. Installed firewall, mod_security, locked down ports, installed 60 GB of web sites, set up certs, and all services and sites are running.

With CentOS 5 being new to us we ran chkrootkit, rkhunter and rootcheck and received the following:


./chkrootkit

Checking `bindshell'... INFECTED (PORTS:  465)
root@secure [~/chkrootkit]#

rkhunter:

Warning: No hash value found for file '/usr/bin/curl' in the rkhunter.dat file.

Warning: No hash value found for file '/usr/bin/elinks' in the rkhunter.dat file.

'/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable

The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable

'/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

Warning: No hash value found for file '/usr/bin/links' in the rkhunter.dat file.

'/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable


Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[16:21:52] Warning: Hidden directory found: /dev/.udev
[16:21:52] Warning: Hidden file found: /etc/.fstab.swp: data
[16:21:52] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression


Any feedback or info would be appreciated.

Thanks,
rock
Catalyst
All in all, those programs are pretty useless. They're not updated frequently enough to account for new versions, and use pretty much old info. From the looks, you're not infected with anything those programs could find, if you are infected at all.
dynamicnet
Greetings:

Since TCP port 465 is often set up for secure SMTP, it is a typical false positive for chkrootkit.

While rootkit scanners -- chkrootkit, Rootkit Hunter, OSSEC rootcheck -- have their place, they only check for one genre of compromise on the server: rootkits.

Therefore, in addition to having multiple layers of security protecting both inflow and outflow from the server, you should be using multiple tools to check the server.

For cPanel users, I do recommend Clam AntiVirus clamscan (make sure DetectPUA is turned on), as well as NobodyCheck from http://www.webhostgear.com/353.html

Thank you.
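The post above says what the practitioner should do: not trust a single scanner's verdict but cross-check it. The script below, an added example that is not part of the thread and not code from chkrootkit or rkhunter, shows the three cross-checks that apply to the warnings rockster pasted: find the process that actually owns the port chkrootkit's bindshell test flagged, verify each "replaced by a script" binary against the RPM that shipped it, and test whether the hidden `/etc/.fstab.swp` is a Vim swap file. Every input here is constructed so it runs offline: the `netstat -tlnp` listing, the PIDs and program names in it (`exim`, `sshd`, `-bash` on port 31337), and the three `rpm -Vf` outputs are made-up samples for illustration and say nothing about the real state of those files on anyone's server.

```shell
#!/bin/sh
# Triage helpers for the three kinds of warning in the thread (added example, not from the
# forum or from chkrootkit/rkhunter). All inputs below are CONSTRUCTED samples so the script
# runs offline; on a real CentOS 5 box feed it `netstat -tlnp`, `rpm -Vf PATH 2>&1` and the
# flagged file itself.

# --- 1. chkrootkit "bindshell ... INFECTED (PORTS: 465)": who actually owns the port? ---------
# chkrootkit only compares listening ports against a fixed list, so look up the owning process.
# Constructed `netstat -tlnp` output (PIDs and program names are hypothetical):
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      2231/exim
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1987/sshd
tcp        0      0 0.0.0.0:31337               0.0.0.0:*                   LISTEN      4412/-bash'

# port_owner PORT NETSTAT_TEXT -> "PID/Program" of the TCP listener on PORT, or "none"
port_owner() {
    owner=$(printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $7 }')
    if [ -n "$owner" ]; then printf '%s\n' "$owner"; else echo none; fi
}

# port_verdict PORT NETSTAT_TEXT -> a shell or interpreter bound to a socket is the real
# bindshell pattern; a known daemon (an MTA on 465 = SMTPS) is the false positive described.
port_verdict() {
    owner=$(port_owner "$1" "$2")
    case "$owner" in
        none) echo "port $1: nothing listening" ;;
        */-bash|*/bash|*/sh|*/dash|*/perl|*/python|*/nc|*/netcat)
            echo "port $1: SUSPECT, interpreter bound to socket: $owner" ;;
        *) echo "port $1: expected service $owner, chkrootkit port-list false positive" ;;
    esac
}

# --- 2. rkhunter "replaced by a script": does the file still match the RPM that shipped it? --
# `rpm -Vf PATH` prints nothing when size, md5 and mtime all match; otherwise a 9-char flag
# string (S size, M mode, 5 md5, ..., T mtime) or "is not owned by any package".
# Constructed outputs for the three cases (not the real state of these files):
SAMPLE_RPMV_CLEAN=''
SAMPLE_RPMV_MODIFIED='S.5....T.    /usr/bin/ldd'
SAMPLE_RPMV_UNOWNED='file /usr/bin/GET is not owned by any package'

# rpm_verdict RPMV_OUTPUT PATH
rpm_verdict() {
    if [ -z "$1" ]; then
        echo "ok: $2 matches its RPM, a script here is how the package ships it"
    elif printf '%s\n' "$1" | grep -q 'is not owned by any package'; then
        echo "unowned: $2 came from no RPM, inspect it by hand"
    elif printf '%s\n' "$1" | grep -q '^..5'; then
        echo "MODIFIED: $2 md5 differs from the RPM, treat as tampered"
    else
        echo "attrs: $2 content matches, only mode/owner/mtime differ"
    fi
}

# --- 3. rkhunter "Hidden file found: /etc/.fstab.swp": is it a Vim swap file? -----------------
# Vim swap files start with the magic "b0VIM"; one left in /etc means fstab was edited with
# vim and the editor crashed or is still open (check `lsof /etc/fstab`, then `vim -r`).
SAMPLE_SWP=$(mktemp)            # constructed stand-in for /etc/.fstab.swp
printf 'b0VIM 7.0 constructed swap header' > "$SAMPLE_SWP"
SAMPLE_NOT_SWP=$(mktemp)        # constructed stand-in for an ordinary data file
printf 'not a swap file\n' > "$SAMPLE_NOT_SWP"
trap 'rm -f "$SAMPLE_SWP" "$SAMPLE_NOT_SWP"' EXIT

# is_vim_swap FILE -> yes|no
is_vim_swap() {
    magic=$(head -c 5 "$1" 2>/dev/null)
    if [ "$magic" = "b0VIM" ]; then echo yes; else echo no; fi
}

port_verdict 465   "$SAMPLE_NETSTAT"
port_verdict 31337 "$SAMPLE_NETSTAT"
rpm_verdict "$SAMPLE_RPMV_CLEAN"    /usr/bin/ldd
rpm_verdict "$SAMPLE_RPMV_MODIFIED" /usr/bin/ldd
rpm_verdict "$SAMPLE_RPMV_UNOWNED"  /usr/bin/GET
echo "sample .fstab.swp is a vim swap file: $(is_vim_swap "$SAMPLE_SWP")"
```

On the live box replace the sample strings with `$(netstat -tlnp)` and `$(rpm -Vf "$path" 2>&1)` and point `is_vim_swap` at `/etc/.fstab.swp`. One caveat: both `netstat` and the RPM database live on the host being judged, so a kernel-level rootkit can hide a listener and an attacker with root can rewrite the rpm database. A clean verdict from these checks lowers the odds of a compromise; a suspicious one should be confirmed from a rescue boot, with `rpm -Vp` run against a freshly downloaded copy of the package.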
James Jhurani
QUOTE (rockster @ Mar 15 2009, 04:05 PM)
It is a false positive. I actually contacted the author of chkrootkit about this almost 2 years ago. He basically said he wasn't changing it.