Help with rkhunter.log interpretation and recommendation, thanks.

joejac
Posts: 102
Joined: Sat Apr 30, 2016 1:25 pm

Help with rkhunter.log interpretation and recommendation, thanks.

#1 Post by joejac »

Hello,

Today I discovered that by some mistake I had the firewall of my laptop disabled, probably for months. I tested the ports with ShieldsUp and found port 0 closed, ports 1 to 1023 stealth and ports over 1024 closed, and the laptop responding to ICMP ping. I immediately activated UFW with its GUI and set the default: Home and the Basic configuration. Now all ports are stealth and there is no response to ping.

1.- I installed ClamAV and ran a full test of the home directory; it has scanned 200.000 files, about 70%, and is reporting 450 possible threats. It has not finished yet.
2.- I installed:
rkhunter
chkrootkit
Result of chkrootkit:

/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/xmind/p2/org.eclipse.equinox.p2.engine/.settings /usr/lib/xmind/p2/org.eclipse.equinox.p2.engine/profileRegistry/XMindProfile.profile/.lock /usr/lib/xmind/p2/org.eclipse.equinox.p2.engine/profileRegistry/XMindProfile.profile/.data /usr/lib/xmind/plugins/org.eclipse.core.runtime.compatibility.registry_3.6.0.v20150318-1505/.api_description /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/pymodules/python2.7/.path
/usr/lib/xmind/p2/org.eclipse.equinox.p2.engine/.settings /usr/lib/xmind/p2/org.eclipse.equinox.p2.engine/profileRegistry/XMindProfile.profile/.data
eth0: PACKET SNIFFER(/sbin/dhclient[2630])
unable to open wtmp-file wtmp
not tested: not found wtmp and/or lastlog file
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! Times/PluginPowerSaverTiny/Control/PreconnectMore/Default/*QUIC/EnabledNoId/ReportCertificateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/De       0 on/Enable/PasswordSeparatedSigninFTimes/PluginPowerSaverTiny/Control/PreconnectMore/Default/*QUIC/EnabledNoId/ReportCertificateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/De /PreconnectMore/Default/*QUIC/EnabledNoId/ReportCertificateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/De
! --gpu-device-id=0x68c1       0 8,23,26,33,39,52,56 --gpu-driver-vendor=Mesa --gpu-driver-version=10.3.2 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
! ateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFre       0 iny/Control/*PreconnectMore/DefaulateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFre IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFre
! ateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFre       0 iny/Control/*PreconnectMore/DefaulateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFre IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFre
! cateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/*SafeBrowsingUpdateF       0 Tiny/Control/*PreconnectMore/DefaucateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/*SafeBrowsingUpdateF 1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/*SafeBrowsingUpdateF
! cateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/*SafeBrowsingUpdateF       0 Tiny/Control/*PreconnectMore/DefaucateErrors/ShowAndPossiblySend/SHA1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/*SafeBrowsingUpdateF 1IdentityUIWarning/Enabled/SHA1ToolbarUIJanuary2016/Warning/SHA1ToolbarUIJanuary2017/Error/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Default/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/*SafeBrowsingUpdateF
! root         2579 tty7   /usr/bin/X -dpi $DPI :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

unhide
3.- I ran rkhunter. This is the first time I use these tools and I do not know how to analyze the results; attached is the file:
/var/log/rkhunter.log

I appreciate a lot your help in looking at this file and the result of chkrootkit and suggesting recommendations.

Thanks and best regards
joejac

jimallyn
Posts: 3
Joined: Wed Apr 22, 2015 7:47 pm

Re: Help with rkhunter.log interpretation and recommendation, thanks.

#2 Post by jimallyn »

It is my understanding that running ClamAV is pretty much useless. It will find Windows viruses and return a bunch of false positives on Linux.

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Help with rkhunter.log interpretation and recommendation, thanks.

#3 Post by Jerry3904 »

Some background from the Wikipedia:
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

aus9
Posts: 128
Joined: Sat Jul 02, 2016 1:14 am

Re: Help with rkhunter.log interpretation and recommendation, thanks.

#4 Post by aus9 »

Hi

I hope you don't mind a comment on RKH only. You are supposed to run RKH from an install or from an unpack...on a clean install.....so you know any positives you might get are all false positives.

Your log finds no rootkits...this is good!

If interested, there is a wiki on unhide:

https://sourceforge.net/p/rkhunter/wiki/unhide/


3) When I left MS about 2001 I would use clamav all the time....but as jimallyn suggests it's not worth worrying about.

The security of your web browser is more important to me.

joejac
Posts: 102
Joined: Sat Apr 30, 2016 1:25 pm

Re: Help with rkhunter.log interpretation and recommendation, thanks.

#5 Post by joejac »

Hello and thanks to all,
Yes, ClamAV detected PDF documents that are valid (I read them), and it also reported .exe files that are also valid; they are good programs that I run under Wine.

Yes, I have read the problems with rootkits, and it had to be run just after the new installation. I think the ISP modem protected me because it had the main ports stealth and the others closed. The browser is my main concern, because sometimes I investigate technical information and I download documents from places with a lot of advertising. I have entered into banks all these months and I have not found any issue with my accounts, but that is not a guarantee.

I still need to run unhide; last night it was late.

Any additional information or link to a good tutorial on how to secure a laptop/desktop and its browser is very welcome; I am not an expert.

A note apart: I am very pleased with MX-15 unofficial KDE :)

Best regards
joejac

aus9
Posts: 128
Joined: Sat Jul 02, 2016 1:14 am

Re: Help with rkhunter.log interpretation and recommendation, thanks.

#6 Post by aus9 »

Regarding unhide:

It's possible you are running the debian package for unhide. Correct me if I am wrong, but me thinks you may not have unhide-tcp,
so it takes seconds to compile the unhide stuff.....as per the RKH wiki.

After compiling it you can run just the unhide tests like this:


rkhunter --enable 'hidden_ports hidden_procs' -sk
and the log snippets are:
snip
[07:01:00] Info: Starting test name 'hidden_procs'
[07:01:00] Info: Found the 'unhide' command: /usr/local/bin/unhide
[07:01:00] Info: Found 'unhide' command version: 20121229
[07:01:15] Using command '/usr/local/bin/unhide sys' [ None found ]
[07:01:15] Checking for hidden processes [ None found ]
snip
[07:01:15] Info: Starting test name 'hidden_ports'
[07:01:15] Info: Found the 'unhide-tcp' command: /usr/local/bin/unhide-tcp
[07:01:15] Checking for hidden ports [ None found ]

[07:01:15] The system checks took: 15 seconds
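A small triage helper for logs in the format shown in the snippets above, added here as an example (it is not part of rkhunter and not code from this thread): it groups each bracketed check result under the test that produced it, collects the "Warning:" detail lines rkhunter writes when a check fails, and reports which tests need a look. The sample log is constructed for the example; the 'filesystem' test lines with "[ Warning ]" and "Warning: Hidden file found" are made up to show how a failing test is reported, and are not from the poster's machine.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the rkhunter snippets in this thread plus a
# made-up 'filesystem' test that reports warnings (not the poster's real log).
SAMPLE_LOG = """\
[07:01:00] Info: Starting test name 'hidden_procs'
[07:01:00] Info: Found the 'unhide' command: /usr/local/bin/unhide
[07:01:00] Info: Found 'unhide' command version: 20121229
[07:01:15] Using command '/usr/local/bin/unhide sys' [ None found ]
[07:01:15] Checking for hidden processes [ None found ]
[07:01:15] Info: Starting test name 'hidden_ports'
[07:01:15] Info: Found the 'unhide-tcp' command: /usr/local/bin/unhide-tcp
[07:01:15] Checking for hidden ports [ None found ]
[07:01:15] Info: Starting test name 'filesystem'
[07:01:15] Checking for hidden files and directories [ Warning ]
[07:01:15] Warning: Hidden directory found: /dev/.udev
[07:01:15] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[07:01:15] Checking /dev for suspicious file types [ None found ]
[07:01:15] The system checks took: 15 seconds
"""

# Every rkhunter log line starts with a [HH:MM:SS] timestamp.
LINE_RE = re.compile(r'^\[(\d\d:\d\d:\d\d)\]\s*(.*)$')
TEST_START_RE = re.compile(r"^Info: Starting test name '([^']+)'")
# A check result is "<description> [ <result> ]", e.g. "[ None found ]" or "[ Warning ]".
RESULT_RE = re.compile(r'^(.*?)\s+\[\s*([^\]]+?)\s*\]$')
WARNING_RE = re.compile(r'^Warning: (.*)$')
TOOK_RE = re.compile(r'^The system checks took: (\d+) seconds')


def parse_rkhunter_log(text):
    """Group check results by test name and collect the Warning: detail lines."""
    current = None                # test currently being run
    results = defaultdict(list)   # test name -> [(check description, result)]
    warnings = []                 # (test name, warning detail)
    took = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue              # not a log line (e.g. the 'snip' markers)
        body = m.group(2).strip()
        t = TEST_START_RE.match(body)
        if t:
            current = t.group(1)
            continue
        w = WARNING_RE.match(body)
        if w:
            warnings.append((current, w.group(1)))
            continue
        k = TOOK_RE.match(body)
        if k:
            took = int(k.group(1))
            continue
        r = RESULT_RE.match(body)
        if r:
            results[current].append((r.group(1), r.group(2)))
    return {'results': dict(results), 'warnings': warnings, 'took': took}


def summarize(parsed):
    """Per test: number of checks, how many ended in [ Warning ], and how many detail lines."""
    out = {}
    tests = set(parsed['results']) | {t for t, _ in parsed['warnings']}
    for test in tests:
        checks = parsed['results'].get(test, [])
        out[test] = {
            'checks': len(checks),
            'warning_results': sum(1 for _, res in checks if res == 'Warning'),
            'details': sum(1 for t, _ in parsed['warnings'] if t == test),
        }
    return out


def needs_review(parsed):
    """Sorted names of the tests that produced any warning; empty means nothing flagged."""
    return sorted(t for t, c in summarize(parsed).items()
                  if c['warning_results'] or c['details'])


if __name__ == '__main__':
    parsed = parse_rkhunter_log(SAMPLE_LOG)
    for test, counts in sorted(summarize(parsed).items()):
        print(f"{test:15} checks={counts['checks']} "
              f"warnings={counts['warning_results']} details={counts['details']}")
    print('needs review:', needs_review(parsed) or 'nothing')
    print('took:', parsed['took'], 'seconds')
```

Run it against a real /var/log/rkhunter.log by reading the file into `parse_rkhunter_log` instead of `SAMPLE_LOG`; a test listed by `needs_review` is the one whose "Warning:" lines to read, and, as aus9 notes, warnings from a scan that was not baselined on a clean install are usually false positives to confirm rather than rootkits.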
