ELS - Easy Linux Security script

Have the problems been fixed? I would like to use this script but I want to make sure the problems have been fixed first!
 
I am getting this portion of the message on "CHKROOTKIT"

Searching for anomalies in shell history files... /usr/bin/find: //proc/19860: No such file or directory
/usr/bin/find: //proc/19861: No such file or directory
/usr/bin/find: //proc/19862: No such file or directory
/usr/bin/find: //proc/20416: No such file or directory
/usr/bin/find: //proc/20417: No such file or directory
nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! = 31327 "/[^/]+$");? substr(filename, RSTART + 1, RLENGTH - 1);? if (match(progname, "\\." section "[A-Za-z]+")) {??actual_section = substr(progname, RSTART + 1, RLENGTH - 1);? } else {??actual_section = section;? }? sub(/\..*/, "", progname);? if (use_z! TclX.n)?? 15145 UCTION # and anything at all that begins in Column 1, so ?? # is probably a section header.?? done = 1;?? } else {?? if ($0 ~ progname"-") { # Fix old cat pages???sub(progname"-", progname" - ");?? }?? if ($0 ~ /[^ \\]-$/) {?? sub(/-$/, "");! sub(/^ 0 ment/troff chkutmp: nothing deleted

Wonder what this means?
 
Error

Code:
[root@server ~]# els --imagemagick

ImageMagick is not installed.
ELS can now install ImageMagick.
Proceed? (y/n): y
/usr/bin/md5sum: ImageMagick-6.3.6-6.tar.gz: No such file or directory
Download Failed.
Invalid MD5.
Aborting.
 
Error

Code:
[root@server ~]# els --imagemagick

ImageMagick is not installed.
ELS can now install ImageMagick.
Proceed? (y/n): y
/usr/bin/md5sum: ImageMagick-6.3.6-6.tar.gz: No such file or directory
Download Failed.
Invalid MD5.
Aborting.

the same error
 
[root@server els]# els --apf

APF is out of date. Installed: 0.9.6 Latest: 0.9.6-2
ELS can now update APF.
Proceed? (y/n): y
Downloading APF...
Download Successful!
MD5 matches.
Extracting...
Extraction Successful!
Installing...
cp: cannot stat `/etc/apf.bk.last/vnet/*.rules': No such file or directory
APF Install Completed Successfully!

another error
 
I also get the same error message for ImageMagick and some other packages while trying to do the installation on CentOS 5.2
 
/usr/bin/md5sum: ImageMagick-6.3.6-6.tar.gz: No such file or directory
Download Failed.
Invalid MD5.
Aborting.
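The "Download Failed. Invalid MD5." sequence above comes from running md5sum on a file that was never downloaded. The following is an added example of how an installer can separate the two failures (constructed here, not code from the ELS script); it assumes wget is available, and the URL and checksum are placeholders. MD5 only catches truncated or corrupt downloads, not a tampered mirror, so sha256sum is the drop-in replacement where upstream publishes one.

```shell
#!/bin/sh
# Added example, not ELS's own code: fetch a tarball and verify it before
# trusting it, reporting a missing file as a download failure rather than
# as a checksum mismatch. EXPECTED_MD5 is whatever upstream publishes.

# verify_download FILE EXPECTED_MD5
# 0 = ok, 2 = file missing/empty (download failed), 3 = checksum mismatch.
verify_download() {
    file=$1
    expected=$2
    if [ ! -s "$file" ]; then
        echo "Download Failed: $file is missing or empty." >&2
        return 2
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "Invalid MD5 for $file: expected $expected, got $actual." >&2
        return 3
    fi
    echo "MD5 matches."
}

# fetch_verified URL FILE EXPECTED_MD5
# Downloads with wget, then verifies; a failed, truncated or mismatching
# download is removed so a later run cannot pick up a stale partial file.
fetch_verified() {
    url=$1
    file=$2
    expected=$3
    if ! wget -q -O "$file" "$url"; then
        rm -f "$file"                      # wget leaves an empty file on failure
        echo "Download Failed: $url" >&2
        return 2
    fi
    verify_download "$file" "$expected" && return 0
    rc=$?
    rm -f "$file"
    return $rc
}

# Placeholder invocation (hypothetical URL and checksum):
# fetch_verified http://example.invalid/ImageMagick-6.3.6-6.tar.gz \
#     ImageMagick-6.3.6-6.tar.gz 00000000000000000000000000000000
```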
 
I got this in the email.

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! = 31327 "/[^/]+$");? substr(filename, RSTART + 1, RLENGTH - 1);? if (match(progname, "\\." section "[A-Za-z]+")) {??actual_section = substr(progname, RSTART + 1, RLENGTH - 1);? } else {??actual_section = section;? }? sub(/\..*/, "", progname);? if (use_z! TclX.n)?? 15145 UCTION # and anything at all that begins in Column 1, so ?? # is probably a section header.?? done = 1;?? } else {?? if ($0 ~ progname"-") { # Fix old cat pages???sub(progname"-", progname" - ");?? }?? if ($0 ~ /[^ \\]-$/) {?? sub(/-$/, "");! sub(/^ 0 ment/troff chkutmp: nothing deleted

Anything special?
 
All errors should be reported to Wael Isa. He is the only developer at the moment.
 
I installed rkhunter & chkrootkit crons and the rkhunter was not working (sending empty mail) so I found out that the current line doesn't output anything.

I changed the line and now it works fine:

Changed:
/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details"' ${ADMINEMAIL}')'

To:
/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -sk -c --nocolors 2>&1 | mail -s "RKhunter Scan Details"' ${ADMINEMAIL}')'

Hope this helps somebody

Cheers

Jose
 
You use an old ELS.
This fix came in ELS 3.0.0.4 and is now in ELS 3.0.0.5.

Wael
 
Thanks Wael,

I'm using the latest one, yet the problem is there...

els --update
ELS 3.0.0.5 is the latest release, there is no need to update.

I even tried right now,

els --rmrkhuntercron

els --rkhuntercron

And finally:

Code:
cat /etc/cron.daily/rkhunter.sh
#!/bin/bash
(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" [email protected])

So at least for me the bug is still there :(

Any ideas?

Thanks

Jose
 
Hi Wael, it updated fine, I repeated the commands, and it did change, yet it still sends an empty message.

Code:
 els --update
Updating ELS 3.0.0.5 to 3.0.0.6...
Downloading ELS 3.0.0.6...
Done.
MD5 valid.
Extracting...
Done.

Code:
cat /etc/cron.daily/rkhunter.sh
#!/bin/bash
(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -sk -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" [email protected])

Code:
/usr/local/bin/rkhunter -sk -c --cronjob
#

From what I understand, using the --cronjob option prints nothing and just logs to /var/log/rkhunter.log

Code:
tail /var/log/rkhunter.log
[08:28:40] Rootkits checked : 114
[08:28:40] Possible rootkits: 0
[08:28:40]
[08:28:40] Applications checks...
[08:28:41] Applications checked: 9
[08:28:41] Suspect applications: 0
[08:28:41]
[08:28:41] The system checks took: 1 minute and 44 seconds
[08:28:41]
[08:28:41] Info: End date is Mon Jan 12 08:28:41 CST 2009

If I use /usr/local/bin/rkhunter -sk -c --nocolors it does print, hence sends the email:

Code:
/usr/local/bin/rkhunter -sk -c --nocolors
[ Rootkit Hunter version 1.3.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preload file                                [ Not found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /bin/awk                                                 [ OK ]
    /bin/basename                                            [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                 [ OK ]
    /bin/chmod                                               [ OK ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/csh                                                 [ OK ]
    /bin/cut                                                 [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                               [ OK ]
    /bin/echo                                                [ OK ]
    /bin/ed                                                  [ OK ]
    /bin/egrep                                               [ OK ]

Hope I made myself clear, and thanks for supporting ELS!

Jose
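Since --cronjob sends its results to /var/log/rkhunter.log rather than stdout, a cron line that mails stdout produces an empty message. The wrapper below is an added example (not ELS's or rkhunter's own code) that reads the counts the log already contains, as shown in the tail above, and always mails a report with a subject that says whether anything was found. It assumes rkhunter 1.3.x at /usr/local/bin/rkhunter, the log at /var/log/rkhunter.log, and that the caller sets ADMINEMAIL as ELS does.

```shell
#!/bin/sh
# Added example cron wrapper for rkhunter, not the ELS script's own code.
# Assumptions: rkhunter 1.3.x at $RKHUNTER writes its log to $LOG, and
# ADMINEMAIL is set by the caller (ELS's own variable name is reused).
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOG=${LOG:-/var/log/rkhunter.log}
ADMINEMAIL=${ADMINEMAIL:-root}

# scan_summary LOGFILE
# Prints "rootkits=N suspect=M warnings=K" parsed from the rkhunter log
# (lines like "[08:28:40] Possible rootkits: 0") and returns 0 when every
# count is zero, 1 when a human should read the log.
scan_summary() {
    log=$1
    rootkits=$(sed -n 's/^\[[0-9:]*\] *Possible rootkits: *\([0-9]*\).*/\1/p' "$log" | tail -n 1)
    suspect=$(sed -n 's/^\[[0-9:]*\] *Suspect applications: *\([0-9]*\).*/\1/p' "$log" | tail -n 1)
    warnings=$(grep -c '^\[[0-9:]*\] *Warning:' "$log" || true)
    echo "rootkits=${rootkits:-unknown} suspect=${suspect:-unknown} warnings=$warnings"
    if [ "${rootkits:-1}" -eq 0 ] && [ "${suspect:-1}" -eq 0 ] && [ "$warnings" -eq 0 ]; then
        return 0
    fi
    return 1
}

# run_rkhunter_cron
# Runs the scan with --cronjob (no colours, no key presses, results in the
# log) and always mails a report, so an empty mailbox means cron did not run,
# never that the scan happened to print nothing.
run_rkhunter_cron() {
    "$RKHUNTER" --update >/dev/null 2>&1 || true   # update may fail offline; still scan
    "$RKHUNTER" --cronjob >/dev/null 2>&1 || true  # non-zero exit means warnings found
    if summary=$(scan_summary "$LOG"); then
        subject="RKhunter Scan Details: clean ($summary)"
    else
        subject="RKhunter Scan Details: WARNINGS ($summary)"
    fi
    {
        echo "$summary"
        echo
        grep '^\[[0-9:]*\] *Warning:' "$LOG" || echo "No warnings logged."
        echo
        tail -n 20 "$LOG"
    } | mail -s "$subject" "$ADMINEMAIL"
}
```

Call run_rkhunter_cron from /etc/cron.daily/rkhunter.sh in place of the plain rkhunter pipeline.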
 