rkhunter warnings: Hidden Processes and Processes Listening On The Network

logfile-/var/log/rkhunter.log starts
[partial starts]
[19:19:36] Info: Starting test name 'running_procs'
[19:19:39]   Checking running processes for suspicious files [ None found ]
[19:19:39]
[19:19:39] Info: Starting test name 'hidden_procs'
[19:19:39] Info: Unable to find the 'unhide' command
[19:19:39] Info: Unable to find the 'unhide-linux' command
[19:19:39]   Checking for hidden processes                   [ Skipped ]
[partial ends]
logfile-/var/log/rkhunter.log ends

What rkhunter is telling you here is that it skipped the hidden-process check because your system is lacking the forensic tools it relies on, "unhide" and "unhide-tcp". Install them first with: #pacman -S unhide unhide-tcp

Running rkhunter again, it gave me this warning.

logfile-/var/log/rkhunter.log starts
[partial starts]
[19:19:46] Info: Starting test name 'packet_cap_apps'
[19:19:46]   Checking for packet capturing applications      [ Warning ]
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[partial ends]
logfile-/var/log/rkhunter.log ends

dhcpcd and wpa_supplicant are obviously legitimate services. So to whitelist these processes in /etc/rkhunter.conf, all I did was remove the #.

file-/etc/rkhunter.conf starts
[partial starts]
# Allow the specified process to listen on any network interface.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWPROCLISTEN=/sbin/dhclient
ALLOWPROCLISTEN=/usr/bin/dhcpcd
ALLOWPROCLISTEN=/usr/bin/wpa_supplicant
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
[partial ends]
file-/etc/rkhunter.conf ends

Running rkhunter again, the checks now pass without warnings.

logfile-/var/log/rkhunter.log starts
[partial starts]
[20:00:48] Info: Starting test name 'hidden_ports'
[20:00:48] Info: Found the 'unhide-tcp' command: /usr/bin/unhide-tcp 
[20:00:48]   Checking for hidden ports                       [ None found ]
[20:00:48]
[20:00:48] Performing checks on the network interfaces
[20:00:48] Info: Starting test name 'promisc'
[20:00:48]   Checking for promiscuous interfaces             [ None found ]
[20:00:48]
[20:00:48] Info: Starting test name 'packet_cap_apps'
[20:00:49]   Checking for packet capturing applications      [ None found ]
[20:00:49] Info: Found process '/usr/bin/dhcpcd': it is whitelisted.
[20:00:49] Info: Found process '/usr/bin/wpa_supplicant': it is whitelisted.
[partial ends]
logfile-/var/log/rkhunter.log ends

Important: After modifying /etc/rkhunter.conf, run #rkhunter -C to check the config file.
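As an added example (not code from the post), a small POSIX sh script that pulls the "is listening on the network" warnings out of rkhunter.log and reports which flagged processes are not yet covered by an ALLOWPROCLISTEN entry in rkhunter.conf. It assumes wildcard entries behave like shell globs, and the sample log and config it feeds itself are constructed from the post's own output.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check rkhunter's
# "is listening on the network" warnings against the ALLOWPROCLISTEN
# entries in rkhunter.conf and report what is still not whitelisted.

# is_allowed PROC CONF: true if PROC matches an active ALLOWPROCLISTEN
# entry. Entries may use wildcards, so each is applied as a shell glob
# (no pipe here, so 'return' works and nothing is expanded on disk).
is_allowed() {
    while IFS= read -r line; do
        case "$line" in
            ALLOWPROCLISTEN=*) pat=${line#ALLOWPROCLISTEN=} ;;
            *) continue ;;      # comments and unrelated options
        esac
        case "$1" in $pat) return 0 ;; esac
    done < "$2"
    return 1
}

# unwhitelisted LOG CONF: print each distinct flagged process path that
# no ALLOWPROCLISTEN entry covers (duplicate warnings are collapsed).
unwhitelisted() {
    grep -o "Process '[^']*' ([^)]*) is listening on the network" "$1" \
        | sed "s/^Process '\([^']*\)'.*/\1/" | sort -u \
        | while IFS= read -r proc; do
              is_allowed "$proc" "$2" || printf '%s\n' "$proc"
          done
}

# demo: constructed samples in a temp dir, modelled on the post's log;
# '/usr/bin/unknown-listener' is invented for the example.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rkhunter.log" <<'EOF'
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/unknown-listener' (PID 9999) is listening on the network.
EOF
    cat > "$dir/rkhunter.conf" <<'EOF'
#ALLOWPROCLISTEN=/sbin/dhclient
ALLOWPROCLISTEN=/usr/bin/dhcpcd
ALLOWPROCLISTEN=/usr/bin/wpa_*
EOF
    unwhitelisted "$dir/rkhunter.log" "$dir/rkhunter.conf"
    rm -rf "$dir"
}

demo
```

Point it at the real files with `unwhitelisted /var/log/rkhunter.log /etc/rkhunter.conf` to see which listeners still need a decision before you add them to the whitelist.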
