5 rkhunter warnings appeared, should I be worried?

Time: 2015-03-03 03:12:34

Tags: centos

I just found rkhunter and decided to run a scan on my CentOS dedicated server. It found no rootkits (thank goodness!), but there were warnings, and I'm just curious whether anyone else has run into these, or whether this is something I should worry about or investigate further?

Here are the warnings I got from rkhunter:

[22:01:58]   /sbin/ifdown                                    [ Warning ]
[22:01:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable

[22:01:58]   /sbin/ifup                                      [ Warning ]
[22:01:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[22:02:05]   /usr/bin/GET                                    [ Warning ]
[22:02:05] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable

[22:02:05]   /usr/bin/ldd                                    [ Warning ]
[22:02:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[22:02:07]   /usr/bin/whatis                                 [ Warning ]
[22:02:07] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable

[22:03:03] Info: SCAN_MODE_DEV set to 'THOROUGH'
[22:03:05]   Checking /dev for suspicious file types         [ Warning ]
[22:03:05] Warning: Suspicious file types found in /dev:
[22:03:05]          /dev/md/autorebuild.pid: ASCII text
[22:03:05]          /dev/md/md-device-map: ASCII text
[22:03:05]          /dev/.udev/queue.bin: Applesoft BASIC program data
[22:03:05]          /dev/.udev/db/block:md0: ASCII text
[22:03:05]          /dev/.udev/db/block:md1: ASCII text
[22:03:05]          /dev/.udev/db/block:sda1: ASCII text
[22:03:05]          /dev/.udev/db/net:eth1: ASCII text
[22:03:05]          /dev/.udev/db/net:eth0: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb3: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb1: ASCII text
[22:03:05]          /dev/.udev/db/block:sda3: ASCII text
[22:03:05]          /dev/.udev/db/block:sda2: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb2: ASCII text
[22:03:05]          /dev/.udev/db/input:event2: ASCII text
[22:03:05]          /dev/.udev/db/input:event0: ASCII text
[22:03:05]          /dev/.udev/db/block:sda: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb: ASCII text
[22:03:05]          /dev/.udev/db/input:event4: ASCII text
[22:03:05]          /dev/.udev/db/input:mouse1: ASCII text
[22:03:05]          /dev/.udev/db/input:event3: ASCII text
[22:03:05]          /dev/.udev/db/input:event1: ASCII text
[22:03:05]          /dev/.udev/db/block:ram9: ASCII text
[22:03:05]          /dev/.udev/db/block:ram8: ASCII text
[22:03:05]          /dev/.udev/db/block:ram4: ASCII text
[22:03:05]          /dev/.udev/db/block:ram5: ASCII text
[22:03:05]          /dev/.udev/db/block:ram7: ASCII text
[22:03:05]          /dev/.udev/db/block:ram6: ASCII text
[22:03:05]          /dev/.udev/db/block:ram3: ASCII text
[22:03:06]          /dev/.udev/db/block:ram2: ASCII text
[22:03:06]          /dev/.udev/db/block:ram15: ASCII text
[22:03:06]          /dev/.udev/db/block:ram14: ASCII text
[22:03:06]          /dev/.udev/db/block:ram13: ASCII text
[22:03:06]          /dev/.udev/db/block:ram12: ASCII text
[22:03:06]          /dev/.udev/db/block:ram0: ASCII text
[22:03:06]          /dev/.udev/db/block:ram1: ASCII text
[22:03:06]          /dev/.udev/db/block:ram11: ASCII text
[22:03:06]          /dev/.udev/db/block:ram10: ASCII text
[22:03:06]          /dev/.udev/db/block:loop7: ASCII text
[22:03:06]          /dev/.udev/db/block:loop3: ASCII text
[22:03:06]          /dev/.udev/db/block:loop5: ASCII text
[22:03:06]          /dev/.udev/db/block:loop4: ASCII text
[22:03:06]          /dev/.udev/db/block:loop6: ASCII text
[22:03:06]          /dev/.udev/db/block:loop1: ASCII text
[22:03:06]          /dev/.udev/db/block:loop2: ASCII text
[22:03:06]          /dev/.udev/db/block:loop0: ASCII text
[22:03:06]          /dev/.udev/db/usb:2-1: ASCII text
[22:03:06]          /dev/.udev/db/usb:1-1: ASCII text
[22:03:06]          /dev/.udev/db/usb:3-7.1: ASCII text
[22:03:06]          /dev/.udev/db/usb:3-7: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb1: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb3: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb4: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb2: ASCII text
[22:03:06]          /dev/.udev/rules.d/99-root.rules: ASCII text

[22:03:06]   Checking for hidden files and directories       [ Warning ]
[22:03:06] Warning: Hidden directory found: /dev/.mdadm
[22:03:06] Warning: Hidden directory found: /dev/.udev
[22:03:06] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[22:03:06] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[22:03:06] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[22:03:06] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[22:03:06] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[22:03:06] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

3 answers:

Answer 0 (score: 1)

ifdown, ldd and the others are bash shell scripts that can be executed directly by the shell.

file /sbin/ifdown   

gives you the details.

Of course, some hidden files (names starting with a dot) and files under /dev will cause warnings; that is normal.

Answer 1 (score: 1)

Running CentOS 7.3.1611 here, and I recently also had rkhunter warn about some commands:

Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

First, I found which packages these commands belong to:

# rpm -qf /usr/sbin/ifdown /usr/sbin/ifup /usr/bin/egrep /usr/bin/fgrep
initscripts-9.49.37-1.el7_3.1.x86_64
initscripts-9.49.37-1.el7_3.1.x86_64
grep-2.20-2.el7.x86_64
grep-2.20-2.el7.x86_64

Then I verified those packages:

# rpm -V initscripts grep && echo OK
OK

Finally, I added these lines to /etc/rkhunter.conf.local to disable those warnings:

SCRIPTWHITELIST=/usr/sbin/ifdown
SCRIPTWHITELIST=/usr/sbin/ifup
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/egrep

Check again:

# rkhunter --check --rwo && echo OK
OK

Hope this helps!

Answer 2 (score: 0)

To check whether the files are infected, you can verify the package that contains them; for example, for /usr/bin/ldd use

apt install debsums apt-file
apt-file update
debsums $(apt-file search -F --package-only /usr/bin/ldd)

If you only see OK, you can freely add the files to the rkhunter ignore list:

For example, add these lines to `/etc/rkhunter.conf.local` to disable those warnings:

SCRIPTWHITELIST=/usr/sbin/ifdown
SCRIPTWHITELIST=/usr/sbin/ifup
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/egrep

Other warnings can also be disabled; see `/etc/rkhunter.conf`.
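Added here as an example (not code from either answer): a small POSIX shell script that applies the procedure from answers 1 and 2, in its RPM form, to a whole rkhunter log. It pulls the path out of every "replaced by a script" warning, emits a whitelist line only for files whose owning package verifies intact, and reports the rest for investigation instead of silencing them. The sample log is constructed; on a Debian system the two rpm calls would be swapped for the dpkg/debsums check from answer 2.

```shell
#!/bin/sh
# Added example, not from the original answers: turn rkhunter's
# "replaced by a script" warnings into SCRIPTWHITELIST lines, but only
# for files whose owning package verifies clean. Assumes an RPM-based
# system (rpm -qf, rpm -V) as in the CentOS answer; the log is constructed.
# Constructed sample mirroring the warnings in the question.
SAMPLE_LOG="[22:01:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[22:02:05] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
[22:03:06] Warning: Hidden directory found: /dev/.udev"

# Reads rkhunter output on stdin; prints the quoted path of every
# "replaced by a script" warning, one per line. Other warnings are skipped.
extract_script_paths() {
    sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script:.*$/\1/p"
}

# The line rkhunter expects in rkhunter.conf.local for one whitelisted script.
whitelist_line() {
    printf 'SCRIPTWHITELIST=%s\n' "$1"
}

# Clean means: a package owns the file AND rpm -V prints no line for that
# exact path (config files in the same package may legitimately differ).
# Prints the owning package and returns 0 when clean, 1 otherwise.
verify_owned_and_intact() {
    path=$1
    pkg=$(rpm -qf "$path" 2>/dev/null) || return 1
    if rpm -V "$pkg" 2>/dev/null | awk -v p="$path" '$NF == p { f = 1 } END { exit !f }'; then
        return 1   # rpm -V flagged this path: contents or metadata changed
    fi
    printf '%s\n' "$pkg"
}

# Reads rkhunter output on stdin; emits whitelist lines for clean files and
# reports anything unverifiable on stderr rather than silencing it.
build_whitelist() {
    extract_script_paths | while read -r p; do
        if pkg=$(verify_owned_and_intact "$p"); then
            whitelist_line "$p"        # append to /etc/rkhunter.conf.local
        else
            echo "NOT whitelisted, investigate: $p" >&2
        fi
    done
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | build_whitelist ;;
    -)      build_whitelist ;;   # rkhunter --check --rwo | sh this_script.sh -
esac
```

Review what lands on stderr before appending the stdout lines to `/etc/rkhunter.conf.local`; a file that is not owned by any package, or whose rpm -V line shows a changed digest, is exactly the case the warning exists for.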