# Rkhunter Results

## oldnavy23

Should I be worried about the results of this scan?

```
[03:39:43] Running Rootkit Hunter version 1.3.6 on ns1
[03:39:43]
[03:39:43] Info: Start date is Sun Feb 20 03:39:43 CST 2011
[03:39:43]
[03:39:43] Checking configuration file and command-line options...
[03:39:53] /usr/bin/ldd                                      [ Warning ]
[03:39:53] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[03:39:56] /usr/bin/whatis                                   [ Warning ]
[03:39:56] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[03:39:57] /usr/bin/lwp-request                              [ Warning ]
[03:39:57] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable
[03:40:44] Warning: Checking for possible rootkit strings    [ Warning ]
[03:40:44]          Found string 'hdparm' in file '/etc/init.d/pciparm'. Possible rootkit: Xzibit Rootkit
[03:40:44]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[03:40:44]
[03:40:44] Performing malware checks
[03:40:44] Info: Starting test name 'malware'
[03:40:44]
[03:40:44] Info: Test 'deleted_files' disabled at users request.
[03:40:44] Info: Starting test name 'running_procs'
[03:40:44]   Checking running processes for suspicious files [ None found ]
[03:40:44]
[03:40:44] Info: Test 'hidden_procs' disabled at users request.
[03:40:44]
[03:40:44] Info: Test 'suspscan' disabled at users request.
[03:40:44]
[03:40:44]   Performing check for login backdoors
[03:40:44] Info: Starting test name 'other_malware'
[03:40:44]     Checking for '/bin/.login'                    [ Not found ]
[03:40:44]     Checking for '/sbin/.login'                   [ Not found ]
[03:40:44]   Checking for login backdoors                    [ None found ]
[03:40:44]
[03:40:44]   Performing check for suspicious directories
[03:40:44]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[03:40:44]     Checking for directory '/dev/rd/cdb'          [ Not found ]
[03:40:44]   Checking for suspicious directories             [ None found ]
[03:40:44]
[03:40:44]   Checking for software intrusions                [ Skipped ]
[03:40:44] Info: Check skipped - tripwire not installed
[03:40:45]
[03:40:45]   Performing check for sniffer log files
[03:40:45]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[03:40:45]     Checking for file '/dev/prom/sn.l'            [ Not found ]
[03:40:45]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
[03:40:45]   Checking for sniffer log files                  [ None found ]
[03:40:45]
[03:40:45] Performing trojan specific checks
[03:40:45] Info: Starting test name 'trojans'
[03:40:45]   Checking for enabled inetd services             [ Skipped ]
[03:40:45] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[03:40:45]
[03:40:45]   Performing check for enabled xinetd services
[03:40:45]   Checking for enabled xinetd services            [ Skipped ]
[03:40:45] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[03:40:45] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[03:40:45]
[03:40:45] Performing Linux specific checks
[03:40:45] Info: Starting test name 'os_specific'
[03:40:45]   Checking loaded kernel modules                  [ OK ]
[03:40:45] Info: Using modules pathname of '/lib/modules/2.6.35-gentoo-r5'
[03:40:45]   Checking kernel module names                    [ OK ]
[03:41:20]
[03:41:20] Checking the network...
[03:41:20] Info: Starting test name 'network'
[03:41:20] Info: Starting test name 'ports'
[03:41:20]
[03:41:21] Performing checks on the network interfaces
[03:41:21] Info: Starting test name 'promisc'
[03:41:21] Info: Promiscuous network interface check using 'ip' command skipped - unable to find the 'ip' command.
[03:41:21]   Checking for promiscuous interfaces             [ None found ]
[03:41:21]
[03:41:21] Info: Test 'packet_cap_apps' disabled at users request.
[03:41:23]
[03:41:23] Checking the local host...
[03:41:23] Info: Starting test name 'local_host'
[03:41:23]
[03:41:23] Performing system boot checks
[03:41:23] Info: Starting test name 'startup_files'
[03:41:23]   Checking for local host name                    [ Found ]
[03:41:23] Info: Starting test name 'startup_malware'
[03:41:23]   Checking for system startup files               [ Found ]
[03:41:24]   Checking system startup files for malware       [ Warning ]
[03:41:24] Warning: Found string '/usr/bin/.etc' in file '/etc/init.d/net.lo'. Possible rootkit: Dica-Kit Rootkit
[03:41:24]
[03:41:24] Performing group and account checks
[03:41:24] Info: Starting test name 'group_accounts'
[03:41:24]   Checking for passwd file                        [ Found ]
[03:41:24] Info: Found password file: /etc/passwd
[03:41:24]   Checking for root equivalent (UID 0) accounts   [ None found ]
[03:41:24] Info: Found shadow file: /etc/shadow
[03:41:24]   Checking for passwordless accounts              [ None found ]
[03:41:24] Info: Starting test name 'passwd_changes'
[03:41:24]   Checking for passwd file changes                [ None found ]
[03:41:24] Info: Starting test name 'group_changes'
[03:41:24]   Checking for group file changes                 [ None found ]
[03:41:24]   Checking root account shell history files       [ OK ]
[03:41:24]
[03:41:24] Performing system configuration file checks
[03:41:24] Info: Starting test name 'system_configs'
[03:41:24]   Checking for SSH configuration file             [ Found ]
[03:41:24] Info: Found SSH configuration file: /etc/ssh/sshd_config
[03:41:24] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[03:41:24] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[03:41:24]   Checking if SSH root access is allowed          [ Not allowed ]
[03:41:24]   Checking if SSH protocol v1 is allowed          [ Warning ]
[03:41:24] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[03:41:24]   Checking for running syslog daemon              [ Found ]
[03:41:24]   Checking for syslog configuration file          [ Found ]
[03:41:24] Info: Found syslog configuration file: /etc/syslog-ng/syslog-ng.conf
[03:41:24]   Checking if syslog remote logging is allowed    [ Not allowed ]
[03:41:24]
[03:41:24] Performing filesystem checks
[03:41:24] Info: Starting test name 'filesystem'
[03:41:24] Info: SCAN_MODE_DEV set to 'THOROUGH'
[03:41:25]   Checking /dev for suspicious file types         [ Warning ]
[03:41:25] Warning: Suspicious file types found in /dev:
[03:41:25]          /dev/shm/mono.24864: data
[03:41:25]   Checking for hidden files and directories       [ Warning ]
[03:41:25] Warning: Hidden directory found: /dev/.udev
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_DIR_COLORS: ASCII English text
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_dispatch-conf.conf: ASCII English text
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_etc-update.conf: ASCII English text
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_gkrellmd.conf: ASCII English text
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_man.conf: ASCII English text
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_rmt: POSIX shell script text executable
[03:41:25] Warning: Hidden file found: /etc/._cfg0001_DIR_COLORS: ASCII English text
[03:41:25] Warning: Hidden file found: /etc/._cfg0001_dispatch-conf.conf: ASCII English text
[03:41:26]
[03:41:26] Checking application versions...
[03:41:27] Info: Starting test name 'apps'
[03:41:27] Info: Application 'exim' not found.
[03:41:27]   Checking version of GnuPG                       [ OK ]
[03:41:27] Info: Application 'gpg' version '2.0.17' found.
[03:41:27] Info: Application 'httpd' not found.
[03:41:27] Info: Application 'named' not found.
[03:41:27]   Checking version of OpenSSL                     [ OK ]
[03:41:27] Info: Application 'openssl' version '1.0.0d' found.
[03:41:27]   Checking version of PHP                         [ OK ]
[03:41:27] Info: Application 'php' version '5.3.5' found.
[03:41:27]   Checking version of Procmail MTA                [ OK ]
[03:41:27] Info: Application 'procmail' version '3.22' found.
[03:41:27]   Checking version of ProFTPd                     [ Skipped ]
[03:41:27] Info: Unable to obtain version number for 'proftpd': version option gives: ProFTPD Version 1.3.4rc1
[03:41:27]   Checking version of OpenSSH                     [ OK ]
[03:41:27] Info: Application 'sshd' version '5.8p1-hpn13v10' found.
[03:41:27] Info: Applications checked: 6 out of 9
[03:41:27]
[03:41:27] System checks summary
[03:41:27] =====================
[03:41:27]
[03:41:27] File properties checks...
[03:41:27] Files checked: 137
[03:41:27] Suspect files: 3
[03:41:27]
[03:41:27] Rootkit checks...
[03:41:27] Rootkits checked : 245
[03:41:27] Possible rootkits: 3
[03:41:27] Rootkit names    : Xzibit Rootkit, Xzibit Rootkit, Dica-Kit Rootkit
[03:41:27]
[03:41:27] Applications checks...
[03:41:27] Applications checked: 6
[03:41:27] Suspect applications: 0
[03:41:27]
[03:41:27] The system checks took: 1 minute and 43 seconds
[03:41:27]
[03:41:27] Info: End date is Sun Feb 20 03:41:27 CST 2011
```

----------

## chithanh

Compare the results on your system with the results on a freshly extracted stage3.

----------
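One way to act on the suggestion to compare against a freshly extracted stage3, as an added example that is not code posted by either participant: the script below pulls every path rkhunter complained about out of the log (commands "replaced by a script", rootkit-string hits, hidden files and directories) and compares each one, by magic bytes and SHA-256, with the same path in a reference tree. The paths /mnt/stage3 (where the stage3 is assumed to be extracted) and /var/log/rkhunter.log are assumptions, as is the script name; the sample tree and log lines that `make_sample_tree` builds are constructed for the demonstration, modelled on the warnings in the post above.

```sh
#!/bin/sh
# compare_stage3.sh (hypothetical name): check files flagged by rkhunter against
# a reference tree such as a freshly extracted stage3. Added example for this
# thread, not code from the forum posts. Assumed paths: /mnt/stage3 for the
# reference tree, /var/log/rkhunter.log for the scan log.

# classify_file FILE -> dir | missing | elf | script | other, from the first bytes
classify_file() {
    if [ -d "$1" ]; then echo dir; return 0; fi
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;     # 0x7f 'E' 'L' 'F'
        2321*)    echo script ;;  # "#!" interpreter line
        *)        echo other ;;
    esac
}

# flagged_paths LOG -> the paths rkhunter names in its warning lines, one per line
flagged_paths() {
    sed -n \
        -e "s/.*The command '\([^']*\)' has been replaced by a script.*/\1/p" \
        -e "s/.*Found string '[^']*' in file '\([^']*\)'.*/\1/p" \
        -e "s/.*Hidden file found: \([^:]*\):.*/\1/p" \
        -e "s/.*Hidden directory found: \(.*\)$/\1/p" \
        "$1" | sort -u
}

# compare_path REF_ROOT LIVE_ROOT PATH -> "PATH status", where status is one of
#   same(type)             identical bytes in both trees
#   content-differs(type)  same kind of file, different bytes
#   type-changed(a->b)     e.g. an ELF binary in the reference is a script on the host
#   not-in-reference(...)  the path does not exist in the reference tree
#   not-on-host            the path exists only in the reference tree
compare_path() {
    ref=${1%/}$3 live=${2%/}$3          # a LIVE_ROOT of "/" becomes "" + PATH
    rt=$(classify_file "$ref") lt=$(classify_file "$live")
    if [ "$rt" = missing ]; then echo "$3 not-in-reference(live=$lt)"; return 0; fi
    if [ "$lt" = missing ]; then echo "$3 not-on-host"; return 0; fi
    if [ "$rt" = dir ] || [ "$lt" = dir ]; then echo "$3 directory(ref=$rt,live=$lt)"; return 0; fi
    rh=$(sha256sum "$ref" | cut -d' ' -f1)
    lh=$(sha256sum "$live" | cut -d' ' -f1)
    if [ "$rh" = "$lh" ]; then echo "$3 same($lt)"
    elif [ "$rt" != "$lt" ]; then echo "$3 type-changed($rt->$lt)"
    else echo "$3 content-differs($lt)"
    fi
}

# report REF_ROOT LIVE_ROOT LOG -> one comparison line per flagged path
report() {
    flagged_paths "$3" | while read -r p; do compare_path "$1" "$2" "$p"; done
}

# make_sample_tree DIR -> builds DIR/stage3, DIR/live and DIR/rkhunter.log
# (constructed data for the demonstration, not a real host)
make_sample_tree() {
    ref=$1/stage3 live=$1/live
    mkdir -p "$ref/usr/bin" "$ref/etc/init.d" "$live/usr/bin" "$live/etc/init.d"
    # ldd: a shell script in both trees, byte-identical
    printf '#!/bin/bash\n# ldd wrapper script\n' > "$ref/usr/bin/ldd"
    cp "$ref/usr/bin/ldd" "$live/usr/bin/ldd"
    # whatis: an ELF binary in the reference, a wrapper script on the host
    printf '\177ELF\002\001\001\000' > "$ref/usr/bin/whatis"
    printf '#!/bin/sh\nexec /usr/bin/whatis.real "$@"\n' > "$live/usr/bin/whatis"
    # hdparm init script: present in both trees, edited on the host
    printf '#!/sbin/runscript\nstart() { hdparm -q /dev/sda; }\n' > "$ref/etc/init.d/hdparm"
    printf '#!/sbin/runscript\nstart() { hdparm -q -S 120 /dev/sda; }\n' > "$live/etc/init.d/hdparm"
    # CONFIG_PROTECT leftover: exists only on the host, never in a stage3
    printf 'TERM linux\n' > "$live/etc/._cfg0000_DIR_COLORS"
    cat > "$1/rkhunter.log" <<'EOF'
[03:39:53] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[03:39:56] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[03:40:44]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[03:41:25] Warning: Hidden file found: /etc/._cfg0000_DIR_COLORS: ASCII English text
EOF
}

# With no arguments run the built-in demo; otherwise: REF_ROOT LIVE_ROOT LOG
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    report "$tmp/stage3" "$tmp/live" "$tmp/rkhunter.log"
    rm -rf "$tmp"
else
    report "$1" "$2" "$3"
fi
```

On the real host it would be run as `sh compare_stage3.sh /mnt/stage3 / /var/log/rkhunter.log`. A `same(script)` result for /usr/bin/ldd means the host's script is byte-identical to the one the stage3 ships, so the "replaced by a script" warning is rkhunter's file-type heuristic and not a replaced binary; a `type-changed` or `content-differs` result on a file the package manager owns is what deserves a closer look. Two caveats: the stage3 must be for the same architecture and close to the host's package versions, or `content-differs` will mostly reflect version drift, and files that only exist on the host (the `._cfg0000_*` CONFIG_PROTECT leftovers under /etc) come back as `not-in-reference`, so they need to be judged on their contents. `qcheck` from portage-utils, which verifies installed files against the checksums Portage recorded at install time, gives an independent second opinion.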

