RKHunter Warnings?

[jreidsma]

Hi,
I just did a scan on two of my linux conputers with chkrootkit and Rkhunter. chkrootkit showed nothing on both. But rkhunter said otherwise, it didn't find any rootkits or malware, but gave me a couple warnings and told me to check the .log file it made. I tried on both computer to look at that file but the computer said I can't, and in the permissions of the file it is set up for root to view it.

So anyone know how to view the file as root?

Also, here's a direct copy and paste from the terminal of the "warnings"

First computer, Kororaa 15:
Performing file properties checks
Checking for prerequisites [ Warning ]

Second computer, MoonOS laptop:
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]


So anyone know what that means? Should I be worried about any of the warnings? And if anyone knows how, it might help to be able to see the logs it left with info on this.

[jayd512]

Many of the warnings given by rkhunter can be false positives, caused by a hidden folder or something similar. Even if you created it it yourself.
And to read the logs, you need root permissions.

Code:

sudo cat /var/log/rkhunter.log

If you don't have sudo enabled, simply do:

Code:

 su -
<enter root password>
cat /var/log/rkhunter.log

[jreidsma]

Hi,
Ok, thanks

I did what you posted, and will put the warnings on here.

Here's the warnings for the MoonOS laptop:
[16:04:34] Performing filesystem checks
[16:04:34] Info: Starting test name 'filesystem'
[16:04:34] Info: SCAN_MODE_DEV set to 'THOROUGH'
[16:04:35] Checking /dev for suspicious file types [ Warning ]
[16:04:35] Warning: Suspicious file types found in /dev:
[16:04:35] /dev/shm/pulse-shm-2455246965: data
[16:04:35] /dev/shm/pulse-shm-1513986577: data
[16:04:35] /dev/shm/mono-shared-1000-shared_fileshare-jreidsma-Presario-V2000-EH458UA-ABA-Linux-i686-36-12-0: data
[16:04:35] /dev/shm/mono-shared-1000-shared_data-jreidsma-Presario-V2000-EH458UA-ABA-Linux-i686-312-12-0: data
[16:04:35] /dev/shm/mono.2034: data
[16:04:35] /dev/shm/pulse-shm-4265638741: data
[16:04:35] /dev/shm/pulse-shm-509220867: data
[16:04:35] /dev/shm/ecryptfs-jreidsma-Private: ASCII text
[16:04:35] /dev/shm/pulse-shm-3542168363: data
[16:04:35] Checking for hidden files and directories [ Warning ]
[16:04:35] Warning: Hidden directory found: /dev/.udev
[16:04:35] Warning: Hidden directory found: /dev/.initramfs
[16:04:48]

I went on the kororaa computer and put in the codes you put. But it says there is no such file or directory. So I will hunt for the file, it might take a couple minutes.

[jayd512]

Looks okay to me.
Mine reports similar warnings.
Hidden files can be something as simple as a system preference file.

I wouldn't worry about it.

[jreidsma]

Hi,
ok Thanks

On the kororaa one it was:
sudo cat /var/log/rkhunter/rkhunter.log

And it didn't show the warning it had. So I am guessing it wasn't anything to worry about either. It did have some stuff put on there as hidden but white listed. In fact, it was the same items the other computer had as warnings.

I am kind of paranoid when it comes to security Not that that's a bad thing Better to be slightly paranoid then to not care at all.

[jayd512]

Better to be slightly paranoid then to not care at all.

Absolutely!
And I just ran through my most recent log (from about a week ago) and one hidden folder was for some java settings. So just look through the files or directories that are brought to your attention, and you should be fine.