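I did a clean install of a CentOS 7 server and a clean install of cpanel/whm. Before restoring the cpanel backups from another server, I checked/verified that everything was clean.
After restoring the cpanel backups, I received [warning] for the following files: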
/usr/sbin/adduser
/usr/sbin/depmod
/usr/sbin/ifdown
/usr/sbin/ifup
/usr/sbin/init
/usr/sbin/insmod
/usr/sbin/lsmod
/usr/sbin/modinfo
/usr/sbin/modprobe
/usr/sbin/rmmod
/usr/sbin/runlevel
/usr/bin/awk
/usr/bin/egrep
/usr/bin/fgrep
/usr/bin/links
/usr/bin/mail
/usr/bin/passwd
/usr/bin/sh
/usr/bin/sudo
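I ran sha256sum checksums and compared them with the corresponding values on a virtualbox test server I set up, and the checksums all matched.
From there I ran ls -ld on all of the files on both the production server and the test server. The group/usr permissions all matched.
At this point I am reasonably confident that this is a false positive.
My question is a "stupid" question. Does rkhunter tell you what caused a warning? How do I see what is causing the warnings to be raised on the test server?
Edit
After some research I found another (more useful) way to run the rkhunter check, which tells you at the end why the warnings were generated (by default it mirrors the contents of the rkhunter.log file):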
[root@host2 ~]# rkhunter -c --rwo
Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/adduser
Current file modification time: 1613637774 (18-Feb-2021 16:42:54)
Stored file modification time : 1565319054 (09-Aug-2019 10:50:54)
Warning: No hash value found for file '/usr/sbin/depmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/depmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: The file properties have changed:
File: /usr/sbin/ifdown
Current hash: 69026ac688e78a6f54406fd4a4b92bb655fa9795cb043cafb1ebf7782985a38b
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Current size: 1651 Stored size: 0
Current file modification time: 1590144273 (22-May-2020 18:44:33)
Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/sbin/ifup
Current hash: f5ce9f5f014159aa479a88a4754b4a1980f307fac68863477341e62787f8e52c
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Current size: 5010 Stored size: 0
Current file modification time: 1590144273 (22-May-2020 18:44:33)
Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: No hash value found for file '/usr/sbin/init' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/init
Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
Warning: No hash value found for file '/usr/sbin/insmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/insmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/lsmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/lsmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/modinfo' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/modinfo
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/modprobe' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/modprobe
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/rmmod' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/rmmod
Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
Warning: No hash value found for file '/usr/sbin/runlevel' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/runlevel
Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
Warning: No hash value found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/bin/awk
Current file modification time: 1562813534 (11-Jul-2019 10:52:14)
Stored file modification time : 1498686765 (29-Jun-2017 05:52:45)
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/links
Current hash: 52d888a65f7e8c4e9837eb98d0c617af3ffbf5c51426036f69deeb31e93a2d37
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Current permissions: 0777 Stored permissions: 0644
Current size: 23 Stored size: 0
Current file modification time: 1613662786 (18-Feb-2021 23:39:46)
Stored file modification time : 1547139654 (11-Jan-2019 01:00:54)
Current symbolic link target: '/usr/bin/links' -> '/usr/bin/elinks'
Stored symbolic link target : '/usr/bin/links' -> '/usr/bin'
Warning: No hash value found for file '/usr/bin/mail' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/bin/mail
Current file modification time: 1562814013 (11-Jul-2019 11:00:13)
Stored file modification time : 1523430473 (11-Apr-2018 15:07:53)
Warning: The file properties have changed:
File: /usr/bin/passwd
Current permissions: 4755 Stored permissions: 04755
Warning: No hash value found for file '/usr/bin/sh' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/bin/sh
Current file modification time: 1613637759 (18-Feb-2021 16:42:39)
Stored file modification time : 1585707450 (01-Apr-2020 10:17:30)
Warning: The file properties have changed:
File: /usr/bin/sudo
Current permissions: 4111 Stored permissions: 04111
Warning: The following processes are using deleted files:
Process: /usr/local/cpanel/libexec/tailwatch/tailwatchd PID: 1973 File: /var/cpanel/apnspush.sqlite3-wal
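What I find especially confusing is the current hash versus the stored hash for some of the files, for example /usr/sbin/ifup, since I checked the hashes against a fresh VM install. Is this simply a matter of running rkhunter --propupd?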
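
Added example, not part of the original post: a small Python triage of `rkhunter -c --rwo` output that groups each flagged file by the reason rkhunter printed, run here on an excerpt of the output above. The `triage` function and its tag names are made up for this example; the one outside fact it uses, that the stored hash e3b0c442...b855 is the SHA-256 of zero bytes, is computed in the code rather than assumed.

```python
import hashlib
import re

# SHA-256 of zero bytes: a stored hash equal to this was recorded for an empty file.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
NO_HASH = re.compile(r"Warning: No hash value found for file '([^']+)'")
SCRIPT = re.compile(r"Warning: The command '([^']+)' has been replaced by a script")
PERMS = re.compile(r"Current permissions: (\d+) Stored permissions: (\d+)")

# Excerpt of the rkhunter output shown in the post above.
SAMPLE = """\
Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
Warning: The file properties have changed:
File: /usr/sbin/adduser
Current file modification time: 1613637774 (18-Feb-2021 16:42:54)
Stored file modification time : 1565319054 (09-Aug-2019 10:50:54)
Warning: The file properties have changed:
File: /usr/sbin/ifup
Current hash: f5ce9f5f014159aa479a88a4754b4a1980f307fac68863477341e62787f8e52c
Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/passwd
Current permissions: 4755 Stored permissions: 04755
"""

def triage(report):
    """Return {path: sorted reason tags} for an `rkhunter -c --rwo` report."""
    reasons, current = {}, None
    def add(path, tag):
        reasons.setdefault(path, set()).add(tag)
    for line in map(str.strip, report.splitlines()):
        if line.startswith("Warning:"):
            current = None  # a new warning ends the previous File: block
            if m := NO_HASH.match(line):
                add(m.group(1), "no-baseline-hash")
            elif m := SCRIPT.match(line):
                add(m.group(1), "is-script")
        elif line.startswith("File: "):
            current = line[len("File: "):]
        elif current and line.startswith("Stored hash"):
            empty = line.split(":", 1)[1].strip() == EMPTY_SHA256
            add(current, "baseline-of-empty-file" if empty else "hash-differs")
        elif current and (m := PERMS.match(line)):
            same = int(m.group(1), 8) == int(m.group(2), 8)  # 4755 vs 04755
            add(current, "perm-notation-only" if same else "perm-changed")
        elif current and line.startswith("Current file modification time"):
            add(current, "mtime-changed")
    return {path: sorted(tags) for path, tags in reasons.items()}
```

The tags no-baseline-hash and baseline-of-empty-file describe the stored rkhunter.dat entry, not the file on disk, so they do not by themselves show that a file is unmodified.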