rkhunter worries?

Postby mkthnx001 » 2009-11-30 04:23

So I ran a scan with rkhunter, and noticed this in the output:
Code:
[21:46:14]   Checking version of Exim MTA                    [ Warning ]
[21:46:14] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
[21:46:14]   Checking version of GnuPG                       [ Warning ]
[21:46:14] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[21:46:14] Info: Application 'httpd' not found.
[21:46:14] Info: Application 'named' not found.
[21:46:14]   Checking version of OpenSSL                     [ Warning ]
[21:46:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[21:46:14]   Checking version of OpenSSH                     [ Warning ]
[21:46:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.


I'm pretty sure these are the latest versions of these programs released in Debian's packages, but I know they're not the latest ones released by said programs' developers.

Should I be worried, or not? Should I install the latest versions manually?

Re: rkhunter worries?

Postby Bulkley » 2009-11-30 05:58

Try chkrootkit. Even rkhunter suggests that you supplement it with chkrootkit.

Re: rkhunter worries?

Postby dfirvida » 2009-11-30 15:37

I think that it is not a problem with a rootkit.

Today I have the same errors on 2 Debian hosts and 2 Ubuntu hosts. I think that it is a problem with the rkhunter package or its database.

Does anyone have more info?

Re: rkhunter worries?

Postby julian67 » 2009-11-30 15:54

It isn't a problem with either rkhunter or the Debian packages. The messages are in plain English, how about reading them and considering what they are saying?

version '#.##', is out of date, and possibly a security risk.


It's identifying packages which have a newer version available, that's all. Sometimes a newer package version is available upstream than in a distribution repository. This is usually going to be the case, especially with Debian stable. It doesn't mean there is a security issue. If you are worried you can check why a newer version was released (possible reasons being bugfix, security issue, feature enhancement, for the hell of it) and if it's a security issue then have a look at http://www.debian.org/security/ and reassure yourself that Debian issued a patch, and make sure that you keep your system up to date, at least with the security repo. Sometimes people get very excited about version numbers and assume that Debian stable contains older/vulnerable packages but generally the fixes are patched without upgrading to the latest version. Example: http://www.debian.org/security/2009/dsa-1933

Aaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks.

For the oldstable distribution (etch), this problem has been fixed in version 1.2.7-4+etch9.

For the stable distribution (lenny), this problem has been fixed in version 1.3.8-1+lenny7.


So you can see the same fix has been applied to very different (and both old) versions of the package and anyone who keeps their system up to date needn't be concerned. Panic over.

rkhunter can be a very useful tool but it requires the end user to be familiar with their distro's release and security policies and practices.

Re: rkhunter worries?

Postby dfirvida » 2009-12-02 10:49


Re: rkhunter worries?

Postby advocatux » 2009-12-09 20:00

Hi, just for the record and for added information, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560157

As Julien Valroff points out:

You can use the APP_WHITELIST option to whitelist application versions you trust.

I think what happened is that upstream released version 1.3.6 very recently, and the database was updated (either automatically through the weekly cronjob if you use it, or by hand by running rkhunter --update).
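
To see what an APP_WHITELIST setting would do to the warnings from the first post, here is an added example that is not code from the thread or from rkhunter. The configuration excerpt is constructed, using the `name` and `name:version` entry syntax that rkhunter.conf documents for this option; the matching rule (a bare name covers every version, `name:version` only that version, and the option may be repeated) is my reading of the rkhunter.conf comments, not rkhunter's own code. The warning lines are the ones pasted in the first post.

```python
"""Apply an rkhunter APP_WHITELIST setting to version-check warnings.

Added example, not from the thread or from rkhunter. The matching
semantics are an assumption based on the rkhunter.conf comments.
"""
import re

# Constructed rkhunter.conf excerpt. Pinning a version is deliberate: the
# entry goes stale when the package is upgraded, so the warning comes back.
RKHUNTER_CONF = '''
# Trust the Debian-patched OpenSSL and OpenSSH at exactly these versions,
# and any version of gpg; exim is left unwhitelisted on purpose.
APP_WHITELIST="openssl:0.9.8g sshd:5.1p1"
APP_WHITELIST="gpg"
'''

# Warning lines as pasted in the first post of this thread.
SAMPLE_WARNINGS = [
    "[21:46:14] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.",
    "[21:46:14] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.",
    "[21:46:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.",
    "[21:46:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.",
]

WARNING_RE = re.compile(
    r"Warning: Application '(?P<name>[^']+)', version '(?P<version>[^']+)', is out of date"
)


def parse_app_whitelist(conf_text: str) -> dict:
    """Collect APP_WHITELIST entries: name -> set of versions, or None for any version."""
    entries = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("APP_WHITELIST="):
            continue
        value = line.split("=", 1)[1].strip().strip('"')
        for item in value.split():
            name, sep, version = item.partition(":")
            if not sep:
                entries[name] = None                 # bare name: every version
            elif entries.get(name, ()) is not None:  # don't narrow an 'any' entry
                entries.setdefault(name, set()).add(version)
    return entries


def is_whitelisted(entries: dict, name: str, version: str) -> bool:
    """True if this exact application/version pair is covered by the whitelist."""
    if name not in entries:
        return False
    allowed = entries[name]
    return allowed is None or version in allowed


def filter_warnings(log_lines, entries: dict):
    """Split version warnings into (kept, suppressed) lists of (name, version)."""
    kept, suppressed = [], []
    for line in log_lines:
        m = WARNING_RE.search(line)
        if not m:
            continue
        pair = (m["name"], m["version"])
        (suppressed if is_whitelisted(entries, *pair) else kept).append(pair)
    return kept, suppressed


if __name__ == "__main__":
    wl = parse_app_whitelist(RKHUNTER_CONF)
    kept, suppressed = filter_warnings(SAMPLE_WARNINGS, wl)
    print("still warned:", kept)
    print("suppressed:  ", suppressed)
```

Whitelisting by exact version rather than by bare name is the safer habit: after a security upload changes the Debian revision the upstream version string rkhunter reports usually stays the same, but if it does change, the pinned entry no longer matches and the warning reappears for you to re-check against the security tracker.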
