rkhunter warnings on fresh ASL install Centos 6.2

pdietrich · **Posted:** Mon Feb 13, 2012 11:05 am

Ever since I installed asl on Centos 6.2, rkhunter has been sending me warning messages. I finally got around to digging through the logs, and one of the things that it's warning about is a "hidden" port:

[09:54:10] Checking for hidden ports [ Warning ]
[09:54:11] Warning: Hidden ports found:
[09:54:11] Port number: 631

I've googled, and run this:
netstat -anp |grep 631
udp 0 0 0.0.0.0:631 0.0.0.0:* 1063/portreserve

Someone wrote that in Centos when you disable cups, it still does a portreserve. I'm not sure what that is - but is there a way to tell rkhunter to ignore that (if it's a false positive)?

Second warning pertains to a hidden file:
[09:54:23] Checking for hidden files and directories [ Warning ]
[09:54:23] Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text

Again, should I do a custom ignore for this? I just wanted to mention it since this was a fresh installation and maybe the Atomic team wants to build in suppression if these are false positives. Thanks in advance.

Kalimari · **Posted:** Mon Feb 13, 2012 12:48 pm

Seeing a very similar issue, also running CentOS 6:

Code:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Hidden ports found:
        Port number: 783
----------------------- End Rootkit Hunter Scan -----------------------

Code:

netstat -anp |grep 783
udp        0      0 0.0.0.0:783                 0.0.0.0:*                               1449/portreserve

After Googling port 783, turns out it is sometimes used by the spamd daemon or hp-alarm-mgr and harmless.

Had similar issue with hidden file, added it to the rkhunter files whitelist after checking it was harmless/FP.

mikeshinn · **Posted:** Mon Feb 13, 2012 4:51 pm

Its actually not a false positive, portreserve is actually hiding the port. And the mechanisms rkhunter has to "detect" that this is legitimate are limited. If you allow this currently then you open the possibility of a piece of malware calling itself "portreserve" to hide ports (and to do so without any warning to the user).

With that said, unless you are using portmap (and unless you are using NFS or some other RPC services then you probably are not), you don't need portreserve. Disable the service (and portmap).

chkconfig portreserve off

chkconfig portmap off

Kalimari · **Posted:** Mon Feb 13, 2012 5:27 pm

Thanks for input Mike, really useful.
I should have been clearer, that port is blocked in/out via iptables. Edit: service portreserve stop + chkconfig portreserve off does the job even better.
Whitelisting only applied to .cryptsetup.hmac

mikeshinn · **Posted:** Mon Feb 13, 2012 5:54 pm

Quote:

Whitelisting only applied to .cryptsetup.hmac

Ah, my mistake for missing that. Sure we can add that in.

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 134

mikeshinn wrote:

Quote:

Whitelisting only applied to .cryptsetup.hmac

Ah, my mistake for missing that. Sure we can add that in.

I also see this warning, so +1 for getting it added in.

Thanks

mikeshinn · **Posted:** Mon Jun 25, 2012 6:30 pm

Done. Please upgrade rkhunter from the asl respository.

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 134

mikeshinn wrote:

Done. Please upgrade rkhunter from the asl respository.

I ran a yum update and got a 404 on https://www.atomicorp.com/channels/asl- ... x86_64.rpm, which yum says I should update.

mikeshinn · **Posted:** Tue Jun 26, 2012 1:47 pm

Clean your yum cache. Run this as root:

yum clean all

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 134

mikeshinn wrote:

Clean your yum cache. Run this as root:

yum clean all

that worked, thanks

rkhunter warnings on fresh ASL install Centos 6.2

Who is online