RKhunter report: The command '/usr/bin/ldd' has been replaced by a script
Posted: 02 Feb, 2008
by: Customer Service :: S.
Updated: 02 Feb, 2008
by: Customer Service :: S.

If your system is secure and clean, this is a false alarm. We believe that many Linux distributions (I checked this on CentOS v5) have:

    /usr/bin/ldd
    /usr/bin/whatis
    /usr/bin/fgrep
    /usr/bin/egrep

as shell scripts that merely call the grep ELF binary. This helps maintain some level of script compatibility between different flavors of Linux. It is likely that rkhunter simply expects to see an ELF binary in those locations rather than a shell script. The others are also plain-text shell scripts on many distros, so that is probably fine as well. One nice thing is that you can open these scripts in your favorite Linux editor, such as vi, nano, or pico, which makes it easy to verify their contents. Although it is certainly not out of the question, it is a reasonably safe assumption that no self-respecting rootkit would install itself in such a visible manner. Once again, if your system is secure and clean, you can whitelist these scripts in the rkhunter configuration file, /etc/rkhunter.conf, under the following header:
    # Allow the specified commands to be scripts.
    # One command per line (use multiple SCRIPTWHITELIST lines).
    #
    SCRIPTWHITELIST=/sbin/ldd
    SCRIPTWHITELIST=/sbin/whatis

 

To make sure that your files have not been replaced, run this command at the prompt on your server and on a trusted, clean system (ideally the same distribution and version, since the checksums differ otherwise) and compare the MD5 checksums of those scripts. That is about the best way to put your mind at ease. If you do see a strangely modified binary, we suggest you seek professional help to check your server.

  • /usr/bin/md5sum /usr/bin/FILE_IN_QUESTION
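The comparison and whitelisting steps above, as an added example that is not part of the original article: it takes a reference manifest produced on the trusted system with `md5sum /usr/bin/ldd /usr/bin/whatis /usr/bin/fgrep /usr/bin/egrep > reference.md5` (an assumed file name), checks each file on the server under review, tells an ELF binary from a `#!` script by its first bytes, and emits SCRIPTWHITELIST lines only for files that match the reference and really are scripts.

```shell
#!/bin/sh
# Added example (not ServerTune's code). Assumes a manifest written by
# `md5sum FILE...` on a trusted, clean system of the same distro/version.

# file_kind FILE: classify by the first four bytes.
# ELF magic is 7f 45 4c 46; a shell script starts with "#!" (23 21).
file_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case $magic in
        7f454c46) echo ELF ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# verify_manifest MANIFEST: print one status line per entry and return 0
# only when every listed file exists and its MD5 matches the reference.
verify_manifest() {
    bad=0
    while read -r ref_sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  -  $path"
            bad=$((bad + 1))
            continue
        fi
        cur_sum=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$cur_sum" = "$ref_sum" ]; then
            echo "OK       $(file_kind "$path")  $path"
        else
            # A changed checksum is the case to investigate, never whitelist.
            echo "MISMATCH $(file_kind "$path")  $path"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# whitelist_lines MANIFEST: SCRIPTWHITELIST= lines for verified scripts only,
# ready to append to /etc/rkhunter.conf. ELF files and mismatches are skipped.
whitelist_lines() {
    verify_manifest "$1" | awk '$1 == "OK" && $2 == "script" { print "SCRIPTWHITELIST=" $3 }'
}
```

Run `verify_manifest reference.md5` first and read the output; only when every line is OK append `whitelist_lines reference.md5` to the configuration.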
If you get these errors:

    The file of known backdoor ports (backdoorports.dat) is missing or empty.
    If it has been deleted, then you will need to run 'rkhunter --update'.
    The file of unsecure application versions (programs_bad.dat) is missing or empty.

run this command to update the rkhunter database:

  • /usr/local/bin/rkhunter --update

Afterwards, make sure the missing files exist. If they do not, you can create them manually; don't forget to set the correct permissions and ownership on them.

You can also whitelist hidden directories such as /etc/.java in the /etc/rkhunter.conf file.
