如何验证 Rkhunter 误报

I did a fresh install of a CentOS 7 server and a fresh install of cPanel/WHM. Before restoring my cPanel backups from a different server, I checked/verified that everything was clean.

After the cPanel restore I got [warning] on the following files:

    /usr/sbin/adduser
    /usr/sbin/depmod
    /usr/sbin/ifdown
    /usr/sbin/ifup
    /usr/sbin/init
    /usr/sbin/insmod
    /usr/sbin/lsmod
    /usr/sbin/modinfo
    /usr/sbin/modprobe
    /usr/sbin/rmmod
    /usr/sbin/runlevel
    /usr/bin/awk
    /usr/bin/egrep
    /usr/bin/fgrep
    /usr/bin/links
    /usr/bin/mail
    /usr/bin/passwd
    /usr/bin/sh
    /usr/bin/sudo

I ran sha256sum checksums and compared the values against the corresponding values on a VirtualBox test server I set up, and all the checksums matched.

From there I ran `ls -ld` on all of the files on the production and test servers.. and the group/user permissions all matched.

At this point I'm reasonably confident that these are all false positives.

My question is a "noob" question: what did rkhunter see that caused the warnings? How can I verify what caused the warnings on my test server?

Update

After some digging, I found a different (and more useful) way to run the rkhunter check that tells you why a warning was generated (essentially mirroring what is in the rkhunter.log file):

[root@host2 ~]# rkhunter -c --rwo
Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/adduser
         Current file modification time: 1613637774 (18-Feb-2021 16:42:54)
         Stored file modification time : 1565319054 (09-Aug-2019 10:50:54)
Warning: No hash value found for file '/usr/sbin/depmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/depmod
         Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
         Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: The file properties have changed:
         File: /usr/sbin/ifdown
         Current hash: 69026ac688e78a6f54406fd4a4b92bb655fa9795cb043cafb1ebf7782985a38b
         Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
         Current size: 1651    Stored size: 0
         Current file modification time: 1590144273 (22-May-2020 18:44:33)
         Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/sbin/ifup
         Current hash: f5ce9f5f014159aa479a88a4754b4a1980f307fac68863477341e62787f8e52c
         Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
         Current size: 5010    Stored size: 0
         Current file modification time: 1590144273 (22-May-2020 18:44:33)
         Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: No hash value found for file '/usr/sbin/init' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/init
         Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
         Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
Warning: No hash value found for file '/usr/sbin/insmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/insmod
         Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
         Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/lsmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/lsmod
         Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
         Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/modinfo' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/modinfo
         Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
         Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/modprobe' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/modprobe
         Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
         Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/rmmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/rmmod
         Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
         Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/runlevel' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/runlevel
         Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
         Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
Warning: No hash value found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/bin/awk
         Current file modification time: 1562813534 (11-Jul-2019 10:52:14)
         Stored file modification time : 1498686765 (29-Jun-2017 05:52:45)
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/bin/links
         Current hash: 52d888a65f7e8c4e9837eb98d0c617af3ffbf5c51426036f69deeb31e93a2d37
         Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
         Current permissions: 0777    Stored permissions: 0644
         Current size: 23    Stored size: 0
         Current file modification time: 1613662786 (18-Feb-2021 23:39:46)
         Stored file modification time : 1547139654 (11-Jan-2019 01:00:54)
         Current symbolic link target: '/usr/bin/links' -> '/usr/bin/elinks'
         Stored symbolic link target : '/usr/bin/links' -> '/usr/bin'
Warning: No hash value found for file '/usr/bin/mail' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/bin/mail
         Current file modification time: 1562814013 (11-Jul-2019 11:00:13)
         Stored file modification time : 1523430473 (11-Apr-2018 15:07:53)
Warning: The file properties have changed:
         File: /usr/bin/passwd
         Current permissions: 4755    Stored permissions: 04755
Warning: No hash value found for file '/usr/bin/sh' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/bin/sh
         Current file modification time: 1613637759 (18-Feb-2021 16:42:39)
         Stored file modification time : 1585707450 (01-Apr-2020 10:17:30)
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current permissions: 4111    Stored permissions: 04111
Warning: The following processes are using deleted files:
         Process: /usr/local/cpanel/libexec/tailwatch/tailwatchd    PID: 1973    File: /var/cpanel/apnspush.sqlite3-wal

What is particularly confusing is the current hash versus the stored hash for some files, e.g. /usr/sbin/ifup, because I verified the hashes in a clean VM install. Is this simply a matter of running rkhunter --propupd?
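Added example (not part of the post above and not rkhunter's own code): a small Python triage script for the `rkhunter -c --rwo` output quoted in the update. It separates warnings that blame the stored baseline in rkhunter.dat from warnings that blame the file itself. Two details in that output point at the baseline rather than the files: the stored hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA-256 of zero bytes and always appears together with "Stored size: 0", so the rkhunter.dat entry was written while the file was empty or missing (for /usr/bin/links the stored link target '/usr/bin' is a broken link, and 0777 is the mode of the symlink itself); and "4755" versus "04755" is the same octal mode printed two ways. "No hash value found ... in the 'rkhunter.dat' file" means only the modification time was compared for that file. None of that proves a file is clean; the check that does is comparing each file with the package that owns it (`rpm -qf`, `rpm -Vf`), or with a freshly downloaded copy of the package (`rpm -Vp`) if the local RPM database is not trusted, and only then running `rkhunter --propupd`, which simply records whatever is on disk now. The label and verdict names, the SAMPLE excerpt taken from the post, and the choice of rpm/stat/sha256sum commands are this example's own assumptions; SCRIPTWHITELIST (for commands that are legitimately shell scripts, such as egrep and fgrep from the grep package on CentOS 7) and PKGMGR=RPM (take file properties from the RPM database instead of rkhunter.dat) are real rkhunter.conf options.

```python
"""Triage rkhunter -c --rwo warnings (SAMPLE = excerpt of the post's output): file wrong, or baseline?"""
import hashlib
import re
from collections import defaultdict

# SHA-256 of zero bytes. A stored hash equal to this (with stored size 0) means rkhunter.dat
# was written while the file was empty or unreadable: the baseline, not the file, is wrong.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

SAMPLE = """\
Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
         File: /usr/sbin/adduser
         Current file modification time: 1613637774 (18-Feb-2021 16:42:54)
         Stored file modification time : 1565319054 (09-Aug-2019 10:50:54)
Warning: The file properties have changed:
         File: /usr/sbin/ifdown
         Current hash: 69026ac688e78a6f54406fd4a4b92bb655fa9795cb043cafb1ebf7782985a38b
         Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/bin/links
         Current hash: 52d888a65f7e8c4e9837eb98d0c617af3ffbf5c51426036f69deeb31e93a2d37
         Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
         Current permissions: 0777    Stored permissions: 0644
         Current symbolic link target: '/usr/bin/links' -> '/usr/bin/elinks'
         Stored symbolic link target : '/usr/bin/links' -> '/usr/bin'
Warning: The file properties have changed:
         File: /usr/bin/passwd
         Current permissions: 4755    Stored permissions: 04755
"""

FLAG_RES = {"no_stored_hash": re.compile(r"Warning: No hash value found for file '([^']+)'"),
            "is_script": re.compile(r"Warning: The command '([^']+)' has been replaced by a script")}
PROP_RE = re.compile(r"(Current|Stored) (.+?)\s*: (.*)")

def parse_rwo(text):
    """Group warnings by path: {path: {"flags": set, "props": {name: {"Current": v, "Stored": v}}}}."""
    files = defaultdict(lambda: {"flags": set(), "props": defaultdict(dict)})
    props = None  # property table of the "file properties have changed" block being read
    for line in text.splitlines():
        if line.startswith("Warning:"):
            props = None  # new warning; only a following "File:" line reopens a property table
            for flag, rx in FLAG_RES.items():
                m = rx.match(line)
                if m:
                    files[m.group(1)]["flags"].add(flag)
            continue
        m = re.match(r"\s+File: (\S+)", line)
        if m:
            props = files[m.group(1)]["props"]
        elif props is not None:
            # "Current permissions: 0777    Stored permissions: 0644" carries two properties on one line
            for part in re.split(r"\s{2,}", line.strip()):
                m = PROP_RE.match(part)
                if m:
                    which, name, value = m.groups()
                    props[name][which] = value.split(" (")[0]  # drop "(18-Feb-2021 ...)" from mtimes
    return files

def classify(entry):
    """Label one file's warnings; 'baseline_*' labels blame rkhunter.dat rather than the file."""
    flags, props, labels = entry["flags"], entry["props"], set()
    if "no_stored_hash" in flags:
        labels.add("baseline_missing")    # no hash in rkhunter.dat at all, only mtime was compared
    if "is_script" in flags:
        labels.add("replaced_by_script")  # a shell wrapper, possibly exactly what the package ships
    h = props.get("hash", {})
    if h.get("Stored") == EMPTY_SHA256:
        labels.add("baseline_empty")      # baseline was taken on an empty or missing file
    elif "Stored" in h and h.get("Current") != h["Stored"]:
        labels.add("content_changed")     # differs from a baseline that actually meant something
    p = props.get("permissions", {})
    if "Stored" in p:                     # 4755 and 04755 are the same octal mode
        labels.add("perm_format_only" if int(p["Current"], 8) == int(p["Stored"], 8) else "perm_changed")
    t = props.get("file modification time", {})
    if "Stored" in t and t.get("Current") != t["Stored"]:
        labels.add("mtime_changed")       # touched since the baseline; a package update is the usual cause
    s = props.get("symbolic link target", {})
    if "Stored" in s and s.get("Current") != s["Stored"]:
        labels.add("symlink_retargeted")
    return labels

def verdict(labels):
    """'investigate' when a meaningful baseline disagrees; otherwise confirm against the package DB."""
    return "investigate" if labels & {"content_changed", "perm_changed", "symlink_retargeted"} else "check_package"

def checks_for(path):
    """Commands that check the file against the owning RPM's manifest instead of rkhunter.dat."""
    return [f"rpm -qf {path}", f"rpm -Vf {path}",
            f"file {path}; stat -c '%A %U:%G %y' {path}; sha256sum {path}"]

if __name__ == "__main__":
    for path, entry in parse_rwo(SAMPLE).items():
        print(f"{path}: {verdict(classify(entry))} {sorted(classify(entry))}", *checks_for(path), sep="\n    ")
```

To use it on a real host, replace SAMPLE with the saved output of `rkhunter -c --rwo` and run the printed rpm commands on each path before deciding whether `rkhunter --propupd` is the right fix: an "investigate" verdict means a baseline that was complete at the time disagrees with the file now, while "check_package" means the evidence on the rkhunter side is too weak to conclude anything either way.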
