I ran Rootkit Hunter 1.4.0 on a Debian Wheezy server and I am confused by the output.
I enabled every test using the following piece of configuration:
ENABLE_TESTS="all"
DISABLE_TESTS="none"
The output is the following:
Warning: The following processes are using deleted files:
Process: /usr/sbin/mysqld PID: 2036 File: /tmp/ibi1WkYB
Process: /usr/sbin/cron PID: 7468 File: /tmp/tmpf73tnoh
Process: /bin/dash PID: 7469 File: /tmp/tmpf73tnoh
Process: /bin/run-parts PID: 7470 File: /tmp/tmpf73tnoh
Process: /var/virtualenvs/project_foo/bin/python PID: 28542 File: /tmp/wgunicorn-cIAtc2
Process: /var/virtualenvs/project_foo/bin/python PID: 28547 File: /tmp/wgunicorn-cIAtc2
Process: /var/virtualenvs/project_foo/bin/python PID: 28548 File: /tmp/wgunicorn-cIAtc2
Process: /var/virtualenvs/project_foo/bin/python PID: 28549 File: /tmp/wgunicorn-cIAtc2
Warning: Process '/sbin/dhclient' (PID 1328) is listening on the network.
Most of them must be false positives, but I would like to understand what is happening behind these false positives and fix those that aren't false positives. This report did not appear from nowhere; I have had these lines since the very first run of RKHunter.
About the deleted files
RKHunter runs on a daily basis through a cron, which explains why /usr/sbin/cron, /bin/run-parts (and maybe /bin/dash too?) show up here.
However, I don't understand why:
1) All these deleted files are used by processes. Does this report mean that each of these processes is trying to use a file that has been deleted, or that it has used at some point a file that existed at the time but got deleted afterwards? I reckon if the answer is the first option, it might be a problem. Can / Should it be fixed?
2) 4 processes of the same program are using the same deleted file. Even if the use of the deleted file is a false positive, is there something in this report that indicates that these 4 processes are an error (instead of having just one)? I understand that this might be completely app-specific and that there might be no answer from the report here, but I am just trying to understand why they are here. For information, they refer to a web application that is running only once on the server (which is mono-threaded and mono-core).
About the listening process
I indeed have DHCP running on this server (out-of-the-box, I haven't tweaked it nor know much details about DHCP).
3) Is it normal that RKHunter reports a warning about it? If it is a false positive, is there an obvious reason why no other processes listening to the network are reported here (like sshd, …)?
Of course, I will try to provide as much information as possible if needed, feel free to ask in case I forgot to bring specific helpful data.
Best Answer
Firstly, these are not "false-positives". rkhunter is reporting facts; it is not applying any interpretation to those facts.
The report is showing you processes that had a file open at the time it was deleted. You need to determine if that is legitimate/acceptable behaviour for those processes.
What do you think the error is? There are 4 separate processes (as shown by the different PID numbers) so that is what rkhunter is reporting.
rkhunter comes with a generic configuration; there is no way for it to know that you expect dhcpd to be running on that particular machine -- you have to do some configuration. Section 6 of the rkhunter FAQ details how to whitelist a process/daemon/etc.
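Added example, not part of the question or the answer and not rkhunter's own code: a POSIX shell function that reproduces the check behind the "processes are using deleted files" warning by reading the fd symlinks under /proc, so you can see which descriptor each process still holds open. The optional proc-root argument is an assumption of this example so the scan can be pointed at a copy of /proc; run it as root to see other users' processes.

```shell
#!/bin/sh
# For every PID directory under the proc root (default /proc), read each
# symlink in fd/. The kernel appends " (deleted)" to the link target when
# the file's directory entry has been unlinked while the descriptor stays
# open, which is exactly the situation rkhunter reports. Output matches
# rkhunter's "Process: ... PID: ... File: ..." lines, one per unique entry.
list_deleted_open_files() {
    proc_root="${1:-/proc}"          # hypothetical parameter for testing
    for fddir in "$proc_root"/[0-9]*/fd; do
        piddir="${fddir%/fd}"
        pid="${piddir##*/}"
        # /proc/PID/exe may itself carry " (deleted)" if the binary was
        # replaced (e.g. after a package upgrade); strip it for readability.
        exe=$(readlink "$piddir/exe" 2>/dev/null) || exe="?"
        exe="${exe%" (deleted)"}"
        for fd in "$fddir"/*; do
            [ -L "$fd" ] || continue
            target=$(readlink "$fd" 2>/dev/null) || continue
            case "$target" in
                *" (deleted)")
                    printf 'Process: %s PID: %s File: %s\n' \
                        "$exe" "$pid" "${target%" (deleted)"}"
                    ;;
            esac
        done
    done | sort -u
}

# Typical use on a live host:
#   list_deleted_open_files
# Every line is a descriptor still held open on an unlinked file; decide per
# process whether that is expected (temporary files, replaced libraries).
```

Once you have decided which entries are legitimate, rkhunter.conf lets you whitelist them per program with ALLOWPROCDELFILE, and a daemon that is expected to listen on the network with ALLOWPROCLISTEN.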