
Re: [rkhunter] coyote.coyote.den - Daily report

On Monday 27 November 2017 14:35:17 root wrote:

Installed new firefox-esr yesterday, from the wheezy repos. Today, 
rkhunter has a cow:

> Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: Perl script, ASCII text executable
> Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
> Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
> Warning: The following suspicious shared memory segments have been found:
>          Process: /usr/lib/firefox-esr/firefox-esr    PID: 16994    Owner: gene
>          Process: /usr/lib/firefox-esr/firefox-esr    PID: 16994    Owner: gene
> Warning: Found enabled xinetd service: /etc/xinetd.d/amanda
> Warning: Found enabled xinetd service: /etc/xinetd.d/saned
> Warning: Found enabled xinetd service: /etc/xinetd.d/sshd-xinetd
> Warning: Network TCP port 1524 is being used by /usr/sbin/portsentry. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor
>          Use the 'lsof -i' or 'netstat -an' command to check this.
> Warning: Network TCP port 6667 is being used by /usr/sbin/portsentry. Possible rootkit: Possible rogue IRC bot
>          Use the 'lsof -i' or 'netstat -an' command to check this.
> Warning: Network TCP port 31337 is being used by /usr/sbin/portsentry. Possible rootkit: Historical backdoor port
>          Use the 'lsof -i' or 'netstat -an' command to check this.
> Warning: The SSH and rkhunter configuration options should be the same:
>          SSH configuration option 'PermitRootLogin': yes
>          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
> Warning: Hidden directory found: /etc/.java

How should I restore?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
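A defender's first step with a report like the one quoted above is to check each flagged path against the Debian package that owns it before whitelisting anything or refreshing rkhunter's file database with `rkhunter --propupd`. The Python below is an added example, not code from rkhunter or from anyone in this thread: it parses the run-together warnings into one record per finding and emits the verification commands; the sample report is constructed from the mail, and `debsums` and `lsof` being installed on the host is an assumption.

```python
import re
# Constructed sample: the run-together rkhunter warnings quoted in the mail above
REPORT = (
    "Warning: The command '/sbin/chkconfig' has been replaced by a script: "
    "/sbin/chkconfig: Perl script, ASCII text executable "
    "Warning: The command '/bin/which' has been replaced by a script: "
    "/bin/which: POSIX shell script, ASCII text executable "
    "Warning: The following suspicious shared memory segments have been found: "
    "Process: /usr/lib/firefox-esr/firefox-esr    PID: 16994    Owner: gene "
    "Process: /usr/lib/firefox-esr/firefox-esr    PID: 16994    Owner: gene "
    "Warning: Network TCP port 1524 is being used by /usr/sbin/portsentry. "
    "Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor "
    "Use the 'lsof -i' or 'netstat -an' command to check this."
)

# (regex, kind): one rule per rkhunter warning type handled here
RULES = [
    (r"The command '([^']+)' has been replaced by a script: [^:]+: (.+)", "replaced_command"),
    (r"Network TCP port (\d+) is being used by (\S+)\. Possible rootkit: (.+?) Use the", "listening_port"),
]

def classify(warning):
    # Return (kind, captured details); unrecognised text is kept verbatim under "other"
    for pattern, kind in RULES:
        m = re.match(pattern, warning)
        if m:
            return kind, m.groups()
    if warning.startswith("The following suspicious shared memory segments"):
        procs = re.findall(r"Process:\s+(\S+)\s+PID:\s+(\d+)\s+Owner:\s+(\S+)", warning)
        return "shared_memory", tuple(sorted(set(procs)))  # the report lists the same PID twice
    return "other", (warning,)

def triage(text):
    # rkhunter emits one "Warning:" per finding; the mail client ran them together
    plan = {}
    for w in filter(None, (p.strip() for p in re.split(r"\bWarning:\s*", text))):
        kind, details = classify(w)
        plan.setdefault(kind, []).append(details)
    return plan

def next_checks(plan):
    # Shell commands to run before whitelisting a finding or running 'rkhunter --propupd'
    cmds = []
    for path, _ in plan.get("replaced_command", []):
        # does the owning package still vouch for the file's checksum?
        cmds.append(f"dpkg -S {path} && debsums -c $(dpkg -S {path} | cut -d: -f1)")
    for port, prog, _ in plan.get("listening_port", []):
        cmds.append(f"lsof -nP -i TCP:{port}  # expect only {prog}")
    return cmds
```

Run the emitted commands as root; any file `debsums -c` reports as changed, or any listener on a flagged port that is not the program rkhunter named, is what deserves attention, the rest is a property-database refresh.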