Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
8 votes, 3 answers, 17267 views
rkhunter warning about ssh root access when that access is not allowed on the system
I just ran `rkhunter --check` and all was good except this:

```
Checking if SSH root access is allowed [ Warning ]
```

What does this warning mean? SSH root access is not allowed on this system.

**EDIT #1**

Here is how my `/etc/ssh/sshd_config` is set:

```
PermitRootLogin no
```

and `rkhunter.conf`:

```
root ~ # cat /etc/rkhunter.conf | grep ALLOW_SSH_ROOT_USER
#ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_ROOT_USER=unset
```

somethingSomething (6209 rep), Apr 2, 2015, 07:44 PM • Last activity: Jan 6, 2025, 01:53 AM
63 votes, 2 answers, 77957 views
rkhunter gives me a warning for "/usr/bin/lwp-request" - what should I do? [Debian 9]
So I just installed and ran *rkhunter*, which shows me green OKs / Not founds for everything except for **/usr/bin/lwp-request**, like so:

```
/usr/bin/lwp-request [ Warning ]
```

In the log it says:

```
Warning: The command '/usr/bin/lwp-request' has been replaced by a
script: /usr/bin/lwp-request: Perl script text executable
```

I already ran `rkhunter --propupd` and `sudo apt-get update && sudo apt-get upgrade`, which didn't help. I installed Debian 9.0 just a few days ago and am a newcomer to Linux.

Any suggestions on what to do?

----

**Edit**: Furthermore *chkrootkit* gives me this:

```
The following suspicious files and directories were found:
/usr/lib/mono/xbuild-frameworks/.NETPortable
/usr/lib/mono/xbuild-frameworks/.NETPortable/v5.0/SupportedFrameworks/.NET Framework 4.6.xml
/usr/lib/mono/xbuild-frameworks/.NETFramework
/usr/lib/python2.7/dist-packages/PyQt5/uic/widget-plugins/.noinit
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/mono/xbuild-frameworks/.NETPortable
/usr/lib/mono/xbuild-frameworks/.NETFramework
```

I guess that's a separate question? Or is this no issue at all? I don't know how to check if these files/directories are OK and needed.

**Edit**: Note I once also got warnings for "Checking for passwd file changes" and "Checking for group file changes" even though I didn't change any such, afaik. An earlier and a later scan showed no warnings - these just showed once. Any ideas?

mYnDstrEAm (4708 rep), Jun 27, 2017, 05:18 PM • Last activity: Nov 4, 2024, 08:29 PM
18 votes, 4 answers, 30490 views
Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
I am on Ubuntu, and I am trying to install rkhunter.

I've tried `apt-get install rkhunter`: success.

But then I did `rkhunter --update` and I kept getting

> Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"

code-8 (482 rep), Jan 17, 2020, 04:23 AM • Last activity: Apr 2, 2024, 02:22 AM
1 vote, 1 answer, 508 views
Scan hdd with rkhunter from live usb
I have an older ASUS notebook with a Debian 11 installation. If I run the OS, and especially when I plug in the network wire, I get performance issues. I did an advanced memory test with Memtest86+, without any errors.

Then I created a kali-linux live USB to perform some health checks. If I run

```
┌──(kali㉿kali)-[~]
└─$ sudo rkhunter -c
```

or:

```
sudo mkdir /mnt/temp
sudo mount /dev/sda1 /mnt/temp
┌──(kali㉿kali)-[/mnt/temp]
└─$ sudo rkhunter -c
```

I got the summary:

```
System checks summary
=====================

File properties checks...
Files checked: 145
Suspect files: 117

Rootkit checks...
Rootkits checked : 497
Possible rootkits: 6

Applications checks...
All checks skipped

The system checks took: 11 minutes and 43 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
```

Are those false positive scans? I got the same results after `sudo rkhunter --propupd`. Does the result belong only to Kali? How do I run a proper check of /dev/sda?

```
┌──(kali㉿kali)-[/mnt/temp]
└─$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0   3.3G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
                                 /run/live/rootfs/filesystem.squashfs
sda      8:0    0 149.1G  0 disk
├─sda1   8:1    0   500M  0 part /mnt/temp
├─sda2   8:2    0  53.7G  0 part
├─sda3   8:3    0   2.1G  0 part
└─sda4   8:4    0  19.8M  0 part
sdb      8:16   1  14.5G  0 disk
├─sdb1   8:17   1   3.9G  0 part /usr/lib/live/mount/medium
│                                /run/live/medium
└─sdb2   8:18   1   896K  0 part
sr0     11:0    1  1024M  0 rom
```

`/var/log/rkhunter.log`:

```
...
[09:34:48] Performing file properties checks
[09:34:48] Checking for prerequisites [ OK ]
[09:35:05] /usr/sbin/adduser [ Warning ]
[09:35:06] Warning: File '/usr/sbin/adduser' has the immutable-bit set.
[09:35:06] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[09:35:06] /usr/sbin/chroot [ Warning ]
[09:35:07] Warning: File '/usr/sbin/chroot' has the immutable-bit set.
[09:35:07] /usr/sbin/cron [ Warning ]
[09:35:07] Warning: File '/usr/sbin/cron' has the immutable-bit set.
[09:35:08] /usr/sbin/depmod [ OK ]
[09:35:09] /usr/sbin/fsck [ Warning ]
[09:35:09] Warning: File '/usr/sbin/fsck' has the immutable-bit set.
[09:35:10] /usr/sbin/groupadd [ Warning ]
[09:35:10] Warning: File '/usr/sbin/groupadd' has the immutable-bit set.
[09:35:10] /usr/sbin/groupdel [ Warning ]
...
[09:43:45] Checking for login backdoors [ None found ]
[09:43:45]
[09:43:45] Info: Starting test name 'sniffer_logs'
[09:43:46] Checking for file '/usr/lib/libice.log' [ Not found ]
[09:43:46] Checking for file '/dev/prom/sn.l' [ Not found ]
[09:43:46] Checking for file '/dev/fd/.88/zxsniff.log' [ Not found ]
[09:43:46] Checking for sniffer log files [ None found ]
[09:43:46]
[09:43:46] Info: Starting test name 'tripwire'
[09:43:46] Checking for software intrusions [ Skipped ]
[09:43:46] Info: Check skipped - tripwire not installed
[09:43:46]
[09:43:46] Info: Starting test name 'susp_dirs'
[09:43:46] Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[09:43:46] Checking for directory '/dev/rd/cdb' [ Not found ]
[09:43:47] Checking for suspicious directories [ None found ]
[09:43:47]
[09:43:47] Info: Starting test name 'ipc_shared_mem'
[09:43:47] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[09:43:48] Checking for suspicious (large) shared memory segments [ Warning ]
[09:43:48] Warning: The following suspicious (large) shared memory segments have been found:
[09:43:48] Process: /usr/bin/xfce4-taskmanager PID: 2826 Owner: kali Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:48] Process: /usr/bin/xfdesktop PID: 1839 Owner: kali Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/lib/firefox-esr/firefox-esr PID: 2276 Owner: kali Size: 4.2MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/lib/firefox-esr/firefox-esr PID: 2276 Owner: kali Size: 4.2MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/bin/thunar PID: 1834 Owner: kali Size: 16MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/bin/xfwm4 PID: 1777 Owner: kali Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:49]
[09:43:49] Info: Starting test name 'trojans'
[09:43:49] Performing trojan specific checks
[09:43:49] Checking for enabled inetd services [ Skipped ]
[09:43:49] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[09:43:49] Checking for enabled xinetd services [ Skipped ]
[09:43:49] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[09:43:50] Checking for Apache backdoor [ Not found ]
[09:43:50]
...
```

Murmulodi (1226 rep), Aug 30, 2023, 09:34 AM • Last activity: Aug 30, 2023, 03:50 PM
2 votes, 3 answers, 750 views
rkhunter warnings: SSH protocol v1 + SSH root access allowed, fix?
How can I solve the following `rkhunter` warnings?

```none
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
```

And what do they mean?

Please take into account that I'm a newbie with a fresh installation of openSUSE Leap 15.3 KDE.

Harlequin (27 rep), Nov 17, 2022, 03:59 PM • Last activity: Jul 29, 2023, 10:00 PM
2 votes, 1 answer, 297 views
Rkhunter scan issue
I have a few false positive scans on my rkhunter. However, I did a scan today and these results do kinda worry me; I have 8 warnings now. I will post the warnings that I'm not sure about.

```
/usr/sbin/runlevel [ Warning ]
/usr/bin/sudo [ Warning ]
/usr/bin/systemd [ Warning ]
/usr/bin/systemctl [ Warning ]
/usr/lib/systemd/systemd [ Warning ]
```

These are the new warnings that showed up. I looked into the log and found this.

```
[23:25:11] /usr/sbin/runlevel [ Warning ]
[23:25:11] Warning: The file properties have changed:
[23:25:11] File: /usr/sbin/runlevel
[23:25:11] Current hash: f48396b4d8fbf906a0a12ec5f9581a119fe266b0d61919c251e8320bd099327a
[23:25:11] Stored hash : a9c198f924de92ab40633d345c55b6e84986e6e58f5569220871af3edeaca069
[23:25:11] Current inode: 25954758 Stored inode: 25954035
[23:25:11] Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:25:11] Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:25:18] /usr/bin/sudo [ Warning ]
[23:25:18] Warning: The file properties have changed:
[23:25:18] File: /usr/bin/sudo
[23:25:18] Current hash: 7d3c2983ad2f278d9e799b5792f13f57bf890bd3b03d10b36e53bf0b6677895e
[23:25:18] Stored hash : 49278c0ebbc089cc04cfa6136a8011519fbaca9d99106443212e43c2141a7ff9
[23:25:18] Current inode: 25957682 Stored inode: 25953068
[23:25:18] Current file modification time: 1680544844 (03-Apr-2023 14:00:44)
[23:25:18] Stored file modification time : 1677679177 (01-Mar-2023 08:59:37)
[23:25:19] Warning: The file properties have changed:
[23:25:19] File: /usr/bin/systemd
[23:25:19] Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:25:19] Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:25:19] Current inode: 25957781 Stored inode: 25956458
[23:25:19] Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:25:19] Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:25:19] /usr/bin/systemctl [ Warning ]
[23:25:19] Warning: The file properties have changed:
[23:25:19] File: /usr/bin/systemctl
[23:25:19] Current hash: f48396b4d8fbf906a0a12ec5f9581a119fe266b0d61919c251e8320bd099327a
[23:25:19] Stored hash : a9c198f924de92ab40633d345c55b6e84986e6e58f5569220871af3edeaca069
[23:25:19] Current inode: 25953751 Stored inode: 25954081
[23:25:19] Current size: 1119856 Stored size: 1115760
[23:25:19] Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:25:19] Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:25:22] /usr/lib/systemd/systemd [ Warning ]
[23:25:22] Warning: The file properties have changed:
[23:25:22] File: /usr/lib/systemd/systemd
[23:25:22] Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:25:22] Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:25:22] Current inode: 25954768 Stored inode: 25956371
[23:25:22] Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:25:22] Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
```

I really need help on this to find out if this is a false positive or not. Systemd does concern me, along with the other warnings. Thanks.

**Update**

A user told me to look at recent updates, and I remember I did do some updates Linux wanted me to do in the past 2 days. I found in the update history some lines: libsystemd0, systemd-coredump, libnss-systemd, systemd, libpam-systemd and other updates. Seeing all these updates involving systemd is a sure sign of false positives. I need to look at my update history more after these scans. I'm gonna look at the man page in rkhunter to restore every warning to OK. It's solved.

Linuxuser75 (21 rep), Apr 14, 2023, 04:10 AM • Last activity: Jun 2, 2023, 09:56 AM
1 vote, 1 answer, 1747 views
How to install skdet for rkhunter for Performing Suckit Rookit additional checks?
*OS: Linux Mint 18.2 Cinnamon 64-bit*

Although I don't use `rkhunter` much, probably several times a year, today I decided to look at it.

I found in the `rkhunter` log (`/var/log/rkhunter.log`) that it seems to lack some `skdet` binary in the following section:

```
Performing Suckit Rookit additional checks
```

where it states that:

```
Running skdet command [ Skipped ]
Info: Unable to find the 'skdet' command
```

Since there's no available package under this name, I wonder what it actually is and, quite frankly, how to install it?

Vlastimil Burián (30515 rep), Nov 4, 2017, 03:38 PM • Last activity: Nov 18, 2022, 05:29 AM
0 votes, 1 answer, 1685 views
rkhunter found 7 possible rootkits
Today I installed Ubuntu 18.10 and ran *rkhunter* on it. At first it said that there are 4 possible rootkits, but after a second check it detected 7. During checking everything was green and OK, except one warning:

```
Checking for suspicious (large) shared memory segments [ Warning ]
```

But I don't think that this would cause rkhunter's suspicion that there are some rootkits, would it? Or is it possible that I really got a rootkit even though there was no red "found" at any of those "known rootkits" checks? Here is the output from the last check:

```
System checks summary
=====================

File properties checks...
Files checked: 149
Suspect files: 0

Rootkit checks...
Rootkits checked : 479
Possible rootkits: 7

Applications checks...
All checks skipped
```

Any ideas?

----------

**Edit:** I tried to install Fedora instead of Ubuntu and everything seems fine; even that warning is no longer here. So maybe Fedora somehow fixed that warning, thus rkhunter doesn't think that there is any danger whatsoever, not sure.
expl0it.py (1 rep), Dec 30, 2018, 01:30 PM • Last activity: Aug 6, 2022, 04:02 AM
3 votes, 1 answer, 1380 views
rkhunter warning on /dev/shm/mono.*. Is this false positive?
`rkhunter` is giving a warning on `/dev/shm/mono.*`. I couldn't find anywhere on the web a reference to this file related to rkhunter warnings.

```
[12:38:29] Checking /dev for suspicious file types [ Warning ]
[12:38:29] Warning: Suspicious file types found in /dev:
[12:38:29] /dev/shm/mono.1254: data
```

Is this a false positive?

---

Output of `df -h`:

```
Filesystem                                 Size  Used Avail Use% Mounted on
udev                                       7.8G     0  7.8G   0% /dev
tmpfs                                      1.6G  2.1M  1.6G   1% /run
/dev/sdb2                                  916G  357G  513G  41% /
tmpfs                                      7.8G  121M  7.7G   2% /dev/shm
tmpfs                                      5.0M  4.0K  5.0M   1% /run/lock
tmpfs                                      7.8G     0  7.8G   0% /sys/fs/cgroup
/dev/sdb1                                  511M  4.5M  507M   1% /boot/efi
/dev/sda1                                  1.8T   87G  1.7T   5% /mnt/HDD_Toshiba
tmpfs                                      1.6G     0  1.6G   0% /run/user/0
SynologyNas.local:/volumeUSB2/usbshare2-1  2.3T  1.6T  683G  71% /mnt/synologyDrive
tmpfs                                      1.6G   20K  1.6G   1% /run/user/121
tmpfs                                      1.6G   48K  1.6G   1% /run/user/1000
```

João Pimentel Ferreira (870 rep), Nov 15, 2021, 11:46 AM • Last activity: Nov 29, 2021, 11:44 AM
2 votes, 1 answer, 570 views
Is a `preloaded library` warning from `rkhunter` a reason to worry?
```
[17:16:52] Checking for preloaded libraries [ Warning ]
[17:16:53] Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so
########
#ls /usr/lib/arm-linux-gnueabihf/libarmmem-*
/usr/lib/arm-linux-gnueabihf/libarmmem-aarch64.so  /usr/lib/arm-linux-gnueabihf/libarmmem-v7l.so
/usr/lib/arm-linux-gnueabihf/libarmmem-v6l.so      /usr/lib/arm-linux-gnueabihf/libarmmem-v8l.so
```

And I have zero idea what that means. I have installed `rkhunter` on a dirty system, so the file hashes are not reliable, but that doesn't sound relevant to the above warning.

Vorac (3197 rep), Nov 21, 2021, 03:48 PM • Last activity: Nov 22, 2021, 01:30 PM
1 vote, 1 answer, 747 views
Are hidden files in /usr/share/man a security concern?
`rkhunter` reported that

```
[17:15:45] Checking for hidden files and directories [ Warning ]
[17:15:45] Warning: Hidden file found: /etc/.updated: ASCII text
[17:15:45] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, max compression, from Unix, truncated
[17:15:45] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, max compression, from Unix, truncated
```

Looking at the files:

```
vorac@msi:/usr/share/man/man5$ ll .k5*
-rw-r--r-- 1 root root 42 Nov 13 20:07 .k5identity.5.gz
-rw-r--r-- 1 root root 39 Nov 13 20:07 .k5login.5.gz
vorac@msi:/usr/share/man/man5$ file .k5*
.k5identity.5.gz: gzip compressed data, max compression, from Unix, truncated
.k5login.5.gz:    gzip compressed data, max compression, from Unix, truncated
vorac@msi:/usr/share/man/man5$ pacman -F .k5*
core/krb5 1.19.2-2 [installed]
    usr/share/man/man5/.k5identity.5.gz
core/krb5 1.19.2-2 [installed]
    usr/share/man/man5/.k5login.5.gz
```

Are those possibly malicious?

Vorac (3197 rep), Nov 21, 2021, 04:17 PM • Last activity: Nov 21, 2021, 04:32 PM
2 votes, 2 answers, 29005 views
create a systemd startup script that delays 30 minutes
I tried to create a systemd startup script that starts an rkhunter scan 30 minutes after system start of my laptop, like this:

```
[Unit]
Description=starts rkhunter and displays any findings with zenity

[Service]
ExecStartPre=/bin/sleep 1800
ExecStart=/usr/local/sbin/rkhunter-check

[Install]
WantedBy=default.target
```

But this fails with a timeout error:

```
Job for rkhunter.service failed because a timeout was exceeded.
```

It seems like `ExecStartPre` does not work like this.

How do I solve this?

A perfect solution would be:

- first run 30 minutes after boot
- repeat every 48 hours (in case you never shut down your laptop)

rubo77 (30435 rep), Jul 19, 2019, 09:44 PM • Last activity: Sep 16, 2021, 06:58 AM
0 votes, 0 answers, 1699 views
How to Verify Rkhunter False Positives
I have a fresh install of CentOS 7 server with a fresh install of cPanel/WHM. I checked / verified everything was clean prior to restoring my cPanel backup from a different server.

After the cPanel restoration I received `[warning]` for the following files:

```
/usr/sbin/adduser
/usr/sbin/depmod
/usr/sbin/ifdown
/usr/sbin/ifup
/usr/sbin/init
/usr/sbin/insmod
/usr/sbin/lsmod
/usr/sbin/modinfo
/usr/sbin/modprobe
/usr/sbin/rmmod
/usr/sbin/runlevel
/usr/bin/awk
/usr/bin/egrep
/usr/bin/fgrep
/usr/bin/links
/usr/bin/mail
/usr/bin/passwd
/usr/bin/sh
/usr/bin/sudo
```

I ran `sha256sum` checksums and compared the values to the corresponding ones on a VirtualBox test server that I set up, and all of the checksums match.

From there I ran `ls -ld` against all the files on the production and test servers, and the group/user permissions all matched.

At this point, I am reasonably sure that these are false positives.

My question is a "noobie" question: what is rkhunter seeing that causes the warning? And how can I verify what is causing the warning against my test server?

**UPDATE**

After some digging I found a different (more useful) way to run an rkhunter check that tells you why the warning was being generated (essentially a reflection of what is in the rkhunter.log file):

```
[root@host2 ~]# rkhunter -c --rwo
Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/adduser
Current file modification time: 1613637774 (18-Feb-2021 16:42:54)
Stored file modification time : 1565319054 (09-Aug-2019 10:50:54)
Warning: No hash value found for file '/usr/sbin/depmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/depmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: The file properties have changed:
File: /usr/sbin/ifdown
Current hash: 69026ac688e78a6f54406fd4a4b92bb655fa9795cb043cafb1ebf7782985a38b
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Current size: 1651 Stored size: 0
Current file modification time: 1590144273 (22-May-2020 18:44:33)
Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/sbin/ifup
Current hash: f5ce9f5f014159aa479a88a4754b4a1980f307fac68863477341e62787f8e52c
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Current size: 5010 Stored size: 0
Current file modification time: 1590144273 (22-May-2020 18:44:33)
Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: No hash value found for file '/usr/sbin/init' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/init
Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
Warning: No hash value found for file '/usr/sbin/insmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/insmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/lsmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/lsmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/modinfo' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/modinfo
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/modprobe' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/modprobe
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/rmmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/rmmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/runlevel' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/runlevel
Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
Warning: No hash value found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/bin/awk
Current file modification time: 1562813534 (11-Jul-2019 10:52:14)
Stored file modification time : 1498686765 (29-Jun-2017 05:52:45)
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/links
Current hash: 52d888a65f7e8c4e9837eb98d0c617af3ffbf5c51426036f69deeb31e93a2d37
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Current permissions: 0777 Stored permissions: 0644
Current size: 23 Stored size: 0
Current file modification time: 1613662786 (18-Feb-2021 23:39:46)
Stored file modification time : 1547139654 (11-Jan-2019 01:00:54)
Current symbolic link target: '/usr/bin/links' -> '/usr/bin/elinks'
Stored symbolic link target : '/usr/bin/links' -> '/usr/bin'
Warning: No hash value found for file '/usr/bin/mail' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/bin/mail
Current file modification time: 1562814013 (11-Jul-2019 11:00:13)
Stored file modification time : 1523430473 (11-Apr-2018 15:07:53)
Warning: The file properties have changed:
File: /usr/bin/passwd
Current permissions: 4755 Stored permissions: 04755
Warning: No hash value found for file '/usr/bin/sh' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/bin/sh
Current file modification time: 1613637759 (18-Feb-2021 16:42:39)
Stored file modification time : 1585707450 (01-Apr-2020 10:17:30)
Warning: The file properties have changed:
File: /usr/bin/sudo
Current permissions: 4111 Stored permissions: 04111
Warning: The following processes are using deleted files:
Process: /usr/local/cpanel/libexec/tailwatch/tailwatchd PID: 1973 File: /var/cpanel/apnspush.sqlite3-wal
```

What is especially confusing is the current vs. stored hash values for some files like `/usr/sbin/ifup`, because I verified the hash in a clean VirtualBox install. Is this a case of simply running `rkhunter --propupd`?

Time-Bandit (218 rep), Mar 2, 2021, 04:05 AM • Last activity: Mar 2, 2021, 08:53 AM
2 votes, 1 answer, 357 views
rkhunter and unattended-upgrades
I have an Ubuntu 18.04 system running with `rkhunter` installed. I keep getting warnings in the `rkhunter.log` after `unattended-upgrades` has upgraded the system.

The solution to this would be running `rkhunter --propupd` after every automatic upgrade.

[I found this](https://help.ubuntu.com/community/RKhunter), which mentions `/etc/apt/apt.conf.d/90rkhunter`; however, this file doesn't exist on my system.

How can I make sure `rkhunter --propupd` is being executed after `unattended-upgrades` are done?

Panki (7162 rep), Aug 17, 2020, 11:07 AM • Last activity: Aug 17, 2020, 11:43 AM
1 vote, 1 answer, 135 views
hashes are the same: rmmod, modprobe, modinfo, modinfo, lsmod, insmod, depmod
I get this same output after checking the hashes of rmmod, modprobe, modinfo, lsmod, insmod, depmod:

```
root@user:/var/log/apt# md5sum /sbin/modprobe
150aa565f1e37e2fd200523b6b4fcedf  /sbin/modprobe
root@user:/var/log/apt# md5sum /sbin/modinfo
150aa565f1e37e2fd200523b6b4fcedf  /sbin/modinfo
root@user:/var/log/apt# md5sum /sbin/lsmod
150aa565f1e37e2fd200523b6b4fcedf  /sbin/lsmod
root@user:/var/log/apt# md5sum /sbin/insmod
150aa565f1e37e2fd200523b6b4fcedf  /sbin/insmod
root@user:/var/log/apt# md5sum /sbin/depmod
150aa565f1e37e2fd200523b6b4fcedf  /sbin/depmod
```

rkhunter log:

```
[22:41:02] Warning: The file properties have changed:
[22:41:02] File: /bin/lsmod
[22:41:02] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:41:03] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:41:03] Current inode: 27304 Stored inode: 72
[22:41:03] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:41:03] Stored file modification time : 1578801885 (12-Jan-2020 05:04:45)
[22:41:13] /bin/kmod [ Warning ]
[22:41:13] Warning: The file properties have changed:
[22:41:14] File: /bin/kmod
[22:41:14] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:41:14] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:41:14] Current inode: 11350 Stored inode: 60
[22:41:14] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:41:14] Stored file modification time : 1542059677 (12-Nov-2018 22:54:37)
[22:40:48] Warning: The file properties have changed:
[22:40:48] File: /sbin/rmmod
[22:40:48] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:48] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:48] Current inode: 27594 Stored inode: 11327
[22:40:48] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:48] Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
[22:40:46] /sbin/modprobe [ Warning ]
[22:40:46] Warning: The file properties have changed:
[22:40:46] File: /sbin/modprobe
[22:40:46] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:46] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:46] Current inode: 27591 Stored inode: 11330
[22:40:46] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:46] Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
[22:40:45] /sbin/modinfo [ Warning ]
[22:40:45] Warning: The file properties have changed:
[22:40:45] File: /sbin/modinfo
[22:40:45] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:45] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:45] Current inode: 27589 Stored inode: 11331
[22:40:45] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:45] Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
[22:40:42] Warning: The file properties have changed:
[22:40:42] File: /sbin/insmod
[22:40:42] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:42] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:42] Current inode: 27585 Stored inode: 11334
[22:40:42] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:42] Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
```
apt log:
root@user:/var/log/apt# cat /var/log/apt/history.log.1 | grep -n1 2020-03-11
21-
22:Start-Date: 2020-03-11 17:37:43
23-Commandline: apt upgrade -y
24-Upgrade: libsqlite3-0:amd64 (3.22.0-1ubuntu0.2, 3.22.0-1ubuntu0.3)
25:End-Date: 2020-03-11 17:37:43
26-
ls -l output:
root@user:~# ls -l /sbin/rmmod /sbin/modprobe /sbin/modinfo /sbin/modinfo /sbin/lsmod /sbin/insmod /sbin/depmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/depmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/insmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/lsmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modinfo -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modinfo -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modprobe -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/rmmod -> /bin/kmod
my operating system:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
rkhunter log for kmod
root@user:~# cat /var/log/rkhunter.log | grep -n10 kmod
419:[22:41:13] /bin/kmod [ Warning ]
420-[22:41:13] Warning: The file properties have changed:
421:[22:41:14] File: /bin/kmod
422-[22:41:14] Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
423-[22:41:14] Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
424-[22:41:14] Current inode: 11350 Stored inode: 60
425-[22:41:14] Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
426-[22:41:14] Stored file modification time : 1542059677 (12-Nov-2018 22:54:37)
**QUESTIONS**
- Why am I getting these results?
- Why are the hashes of the commands the same? I am asking this because these commands give different outputs.
- Do these results show that I really am hacked, or that possible rootkits exist?
rojen
(184 rep)
Apr 30, 2020, 09:35 PM
• Last activity: Apr 30, 2020, 09:57 PM
2 votes, 1 answer, 291 views
RKHUNTER does not recognise common options
At the bottom of rkhunter.conf (I also tried placing it separately in rkhunter.conf.local), and after checking for invisible chars,
> Unknown configuration file option: CRON_DAILY_RUN="false"
>
> Unknown configuration file option: CRON_DB_UPDATE="true"
>
> Unknown configuration file option: APT_AUTOGEN="true"
comes up for `rkhunter -C`. rkhunter is Version 1.4.6-5 from Maintainer: Debian Security Tools on Debian 10.1.
I already tried purging and reinstalling. Inserting other options in rkhunter.conf.local, such as `UPDATE_MIRRORS=1` or `ALLOW_SSH_ROOT_USER = yes`, does not trigger a warning. Only these three give issues.
PS: I say rkhunter.conf.local, but it doesn't matter; the result is the same if I edit rkhunter.conf directly.
Gaia
(272 rep)
Nov 18, 2019, 04:53 PM
• Last activity: Nov 20, 2019, 05:04 PM
0 votes, 1 answer, 2618 views
rkhunter giving ssh root login warning even when both config files are set to "no" root login
I'm getting a warning from `rkhunter`, even though the `sshd` and `rkhunter` options for **root login** are both set to "no". Running Centos 7.6.1810 with rkhunter 1.4.6.
Here are grep results which verify that the `sshd` and `rkhunter` config settings are both set to "no":
$grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
$grep ALLOW_SSH_ROOT_USER /etc/rkhunter.conf
ALLOW_SSH_ROOT_USER=no
For clarity, note that the protocol options are set as follows:
$grep Protocol /etc/ssh/sshd_config
Protocol 2
$grep ALLOW_SSH_PROT_V1 /etc/rkhunter.conf
ALLOW_SSH_PROT_V1=0
The `rkhunter` log clearly shows that `sshd` and `rkhunter` config are both set to indicate **no root login**, yet I get a warning about ssh root access:
[13:43:33] Info: Using configuration file '/etc/rkhunter.conf'
[13:48:21] Info: Starting test name 'system_configs_ssh'
[13:48:21] Checking for an SSH configuration file [ Found ]
[13:48:21] Info: Found an SSH configuration file: /etc/ssh/sshd_config
[13:48:21] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[13:48:21] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[13:48:21] Checking if SSH root access is allowed [ Warning ]
[13:48:21] Warning: The SSH and rkhunter configuration options should be the same:
[13:48:21] SSH configuration option 'PermitRootLogin': no
[13:48:21] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[13:48:21] Checking if SSH protocol v1 is allowed [ Not allowed ]
[13:48:21] Checking for other suspicious configuration settings [ None found ]
Similarly, the email I receive from rkhunter gives me a warning, yet it also confirms that the settings are already the same:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': no
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
----------------------- End Rootkit Hunter Scan -----------------------
Any ideas of what is causing this `rkhunter` warning and how to fix it?
r.j.bumble
(11 rep)
Aug 8, 2019, 03:22 AM
• Last activity: Aug 9, 2019, 03:43 PM
-1 votes, 1 answer, 1500 views
hidden files and directories warnings
I received these rkhunter results; what are these files, and are they dangerous?
[23:17:48] Checking for hidden files and directories [ Warning ]
[23:17:48] Warning: Hidden file found: /etc/.sudoers.tmp.swl: Vim swap file, version 7.4
[23:17:48] Warning: Hidden file found: /etc/.sudoers.tmp.swm: Vim swap file, version 7.4
[23:17:48] Warning: Hidden file found: /etc/.sudoers.tmp.swn: Vim swap file, version 7.4
[23:17:49] Warning: Hidden file found: /etc/.sudoers.tmp.swo: Vim swap file, version 7.4
[23:17:49] Warning: Hidden file found: /etc/.sudoers.tmp.swp: Vim swap file, version 7.4
Bassem Kamal M
(3 rep)
May 4, 2019, 09:26 PM
• Last activity: May 5, 2019, 11:26 AM
-1 votes, 1 answer, 235 views
Mint 19 tcpd INFECTED sha1sum
When I use rkhunter it always shows two warnings and possible 4 rootkit information:
Checking for suspicious (large) shared memory segments [ Warning ]
Checking for hidden files and directories [ Warning ]
File properties checks...
Files checked: 149
Suspect files: 0
Rootkit checks...
Rootkits checked : 480
Possible rootkits: 4
Applications checks...
All checks skipped
The rest is ok. Using chkrootkit I always get only one alert: tcpd INFECTED. I used:
sudo sha1sum /usr/sbin/tcpd
and the answer was:
9ee346a9400f52e16576db35c310a72af391e199 /usr/sbin/tcpd
I found out that it should be:
cd9cfc19df7f0e4b7f9adfa4fe8c5d74caa53d86 /usr/sbin/tcpd
Is it possible that my system is infected? I have Linux Mint 19 mate.
Daniel
(1 rep)
Feb 15, 2019, 12:47 AM
• Last activity: Feb 15, 2019, 09:53 AM
4 votes, 1 answer, 2117 views
Mint 19 - rkhunter 1.4.6 won't update
System: Linux Mint 19 Cinnamon 64-bit, based on Ubuntu 18.04.
RKHunter: packaged version 1.4.6-2.
Unfortunately, when I try to update its database, I get an error:
------------------------------
$ sudo rkhunter --update
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ Skipped ]
Checking file programs_bad.dat [ Update failed ]
Checking file backdoorports.dat [ Update failed ]
Checking file suspscan.dat [ Update failed ]
Checking file i18n versions [ Update failed ]
Please check the log file (/var/log/rkhunter.log)
-----------------------
I checked the log with no real result.
Vlastimil Burián
(30515 rep)
Sep 23, 2018, 08:46 AM