Skip to main content

rkhunter warnings: Hidden Processes and Processes Listening On The Network

logfile-/var/log/rkhunter.log starts
[partial starts]
19:19:36] Info: Starting test name 'running_procs'
[19:19:39]   Checking running processes for suspicious files [ None found ]
[19:19:39]
[19:19:39] Info: Starting test name 'hidden_procs'
[19:19:39] Info: Unable to find the 'unhide' command
[19:19:39] Info: Unable to find the 'unhide-linux' command
[19:19:39]   Checking for hidden processes                   [ Skipped ]
[partial ends]
logfile-var/log/rkhunter.log ends

What rkhunter is telling you here is that it is unable to unhide the process because your system is lacking an application, "unhide" and "unhide-tcp". Install it first with : #pacman -S unhide unhide-tcp #to install unhide and unhide-tcp, forensic tools

Running rkhunter this time it gave me this bit of warning.

logfile-/var/log/rkhunter.log starts
[partial starts]
[19:19:46] Info: Starting test name 'packet_cap_apps'
[19:19:46]   Checking for packet capturing applications      [ Warning ]
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[partial ends]
logfile-/var/log/rkhunter.log ends

dhcpcd and wpa_supplicant are valid services obviously. So to whitelist these processes in /etc/rkhunter.conf all I did was to remove the #.

file-/etc/rkhunter.conf starts
[partial starts]
# Allow the specified process to listen on any network interface.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWPROCLISTEN=/sbin/dhclient
ALLOWPROCLISTEN=/usr/bin/dhcpcd
ALLOWPROCLISTEN=/usr/bin/wpa_supplicant
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
[partial ends]
file-/etc/rkhunter.conf ends

Running rkhunter again I get this non-warnings.

logfile-/var/log/rkhunter.log starts
[partial starts]
[20:00:48] Info: Starting test name 'hidden_ports'
[20:00:48] Info: Found the 'unhide-tcp' command: /usr/bin/unhide-tcp 
[20:00:48]   Checking for hidden ports                       [ None found ]
[20:00:48]
[20:00:48] Performing checks on the network interfaces
[20:00:48] Info: Starting test name 'promisc'
[20:00:48]   Checking for promiscuous interfaces             [ None found ]
[20:00:48]
[20:00:48] Info: Starting test name 'packet_cap_apps'
[20:00:49]   Checking for packet capturing applications      [ None found ]
[20:00:49] Info: Found process '/usr/bin/dhcpcd': it is whitelisted.
[20:00:49] Info: Found process '/usr/bin/wpa_supplicant': it is whitelisted.
[partial ends]
logfile-/var/log/rkhunter.log ends

Important: After modifying /etc/rkhunter.conf run #rkhunter -C to check the config file.

Comments

Popular posts from this blog

Donald Trump Is The 45th President of the United States

     and he is preparing to move with his transition team into the Oval Office. His election is a shock to many political observers and the world in general. Donald Trump, the president-elect, ran against Hillary Clinton, former Secretary of State and for many the most qualified candidate for the presidency in many years. This has led to many post election analysis of how this upset happened. The numbers of votes for each candidate and the comparisons with previous presidential elections point to the fact that the white vote for Mr. Trump is solid all throughout but the minority and black votes did not come for Mrs. Clinton. This is what happened in crucial States like Michigan and Florida. The Republicans kept Congress and the Senate. It is quite notable that Russia and in particular, Vladimir Putin, is happy that they are going to talk to Mr. Trump rather than Mrs. Clinton. It is also a ...

Mailvelope, Encryption for Webmail

Encryption is the topic of week. I wrote about it in a related post here. While encryption is a very good idea, doing it and doing it every day as part of your work flow is another thing. My view is that if you're already using an email client then it is easier, simpler and more convenient to adopt encryption. That is not the case if you're using a webmail service. If you are using the browser to check, compose and send your email, what are your options? The answer is: it's complicated. Looking for a way to do encryption with Google Chrome and Gmail, I found this. I also read that Google just released code for email encryption as open source. But it's a long way to being used by end users. The extension for Google Chrome works fine if the recipient also uses Google Chrome. But I went ahead and check this on Evolution.

Remembering Sesame Street

I was around seven years old when I saw Big Bird and her yellow feathers on tv the first time. Channel 9 airs Sesame Street twice a day for the kids who are having classes in the morning there's the afternoon schedule. The show is a hit. It captured us kids. We would shut up and sit on the floor once the familiar theme music starts. I wonder about the american street scene of course. It felt alien to me but the people and the muppets just made their home in my imagination. It didn't matter if we had muddy streets instead of the cobblestones. Years will pass and the locals will produce their own version of this show called Batibot. Why not? It's time we take back television for our kids. Who would have guessed that fast forward to 2012, Sesame Street will be mentioned prominently in a US presidential debate. One candidate was questioning the source of funding for these kind of shows. Try explaining money to a five year old and why he can't ...