rkhunter issues after update

Hi all,

I've updated rkhunter yesterday; the new port deleted my old configuration and now I'm getting some strange reports:

Code:
FreeBSD wolfdale 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #0: Sun Oct 10 15:57:09 EEST 2010
Rootkit Hunter 1.3.8


Code:
Warning: Differences found between sockstat and netstat output:
         Sockstat output (ports in use): 139 2094 2095 21 22 25 3306 445 47763 80
         Netstat output (ports in use): 139 2094 2095 21 22 25 3306 445 80

I looked into this "new" port 47763 and found it was not even a port.

Code:
[root@wolfdale ~/scripts]# netstat -an | grep 47763
ffffff005e78db40 stream      0      0 ffffff000b6e9000        0        0        0 /tmp/ssh-kbxohRioPN/agent.47763
[root@wolfdale ~/scripts]# sockstat -p 47763 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
click    sshd       47763 4  stream -> ??
click    sshd       47763 9  stream /tmp/ssh-kbxohRioPN/agent.47763
root     sshd       47761 5  stream -> ??
root     cron       15312 4  dgram  -> /var/run/logpriv
root     syslogd    15167 4  dgram  /var/run/log
root     syslogd    15167 5  dgram  /var/run/logpriv
88       mysqld     15088 14 stream /tmp/mysql.sock
root     cron       14818 4  dgram  -> /var/run/logpriv
root     syslogd    14621 4  dgram  /var/run/log
root     syslogd    14621 5  dgram  /var/run/logpriv
root     cron       14475 4  dgram  -> /var/run/logpriv
root     syslogd    14338 4  dgram  /var/run/log
root     syslogd    14338 5  dgram  /var/run/logpriv
root     cron       14189 4  dgram  -> /var/run/logpriv
root     syslogd    14044 4  dgram  /var/run/log
root     syslogd    14044 5  dgram  /var/run/logpriv
root     cron       13896 4  dgram  -> /var/run/logpriv
root     syslogd    13756 4  dgram  /var/run/log
root     syslogd    13756 5  dgram  /var/run/logpriv
root     cron       3173  5  dgram  -> /var/run/logpriv
smmsp    sendmail   3166  3  dgram  -> /var/run/log
root     sendmail   3162  3  dgram  -> /var/run/logpriv
root     monit      1184  3  dgram  -> /var/run/logpriv
root     syslogd    1042  4  dgram  /var/run/log
root     syslogd    1042  5  dgram  /var/run/logpriv
root     devd       859   6  stream /var/run/devd.pipe
_pflogd  pflogd     557   5  stream -> ??
root     pflogd     554   4  stream -> ??
root     pflogd     554   5  dgram  -> /var/run/logpriv

Is that issue observed only by me, or maybe I misconfigured something? Is it normal for portupgrade to delete the old configuration file?
 
click said:
Is it normal portupgrade to delete the old configuration file?
No, it's not customary and it's not portupgrade that does it. It's the installer.sh script from rkhunter that does this.
 
Hm, that is "nice", ok, thanks for that info. Any idea which module performs the test for netstat/sockstat so I can disable it? I tried the man page and found

TESTS
[This section to be written]

Which is very informative :). If my logic is correct the module should be hidden_ports, but it is already disabled by default?

Code:
[root@wolfdale ~/scripts]# grep "hidden_ports" /usr/local/etc/rkhunter.conf 
DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
 
It does look that way. But I have to admit that I don't use rkhunter.
 
cd /usr/ports/security/rkhunter && make maintainer should be able to address these issues.
 
This is a month old, but I seem to have the same issue. I did notice that with sockstat, grep was able to pick up the additional "ports" not found in netstat, but they are not actual ports. They are PIDs for a process with open ports, but not the port the process is listening on. Such as, right now I have a server with rkhunter complaining that 1368 is open in sockstat but not netstat. Upon grepping the output of sockstat (sockstat | grep 1368), I can find this line:

Code:
nobody   dovecot-au 1368  9  stream -> /var/run/dovecot/auth-worker.1368

with dovecot-auth actually listening on its correct SSL ports for my configuration, 993 and 995.

I haven't opened up rkhunter to see how it identifies the open ports, and I don't have any Linux or other *nix boxes to test if they suffer from the same mis-identification, though I'll probably put together a VM this weekend and see if I can fix it, or get a proper bug report together.

Hope this helps.
 
No, it is a BSD-only issue since sockstat is not available in Linux; I tested it and this check is bypassed.

Here is the code itself:


Code:
SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
NETSTAT_OUTPUT=`${NETSTAT_CMD} -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`


in function bsd_specific_checks().

So rkhunter sees:


Code:
[root@wolfdale ~]# sockstat | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq 
139
2094
2095
21
22
25
3306
445
80
[root@wolfdale ~]# netstat -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq
139
2094
2095
21
22
25
3306
41380
43660
445
44580
55421
63315
80

And sometimes it adds output from sockstat if a filename ends in .NUMBER.

Since this test was useless anyway in my situation I just wiped it out. But why not fix it now :)

Code:
netstat -an | grep "LISTEN" |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq

Code:
sockstat | grep ":" | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq

Here you go :), but I didn't quite like it myself, so if anyone can make it simpler it will be superb.
 
patch

Hi there, I had the same issue and have already written an email to the maintainer about how to fix it; meanwhile I explain it here also in case somebody is interested.

I just installed rkhunter-1.3.8 on FreeBSD 8.2 i386 and I got a warning about sockstat and netstat port differences. The problem seems to be the version of the sockstat command, because it now shows the protocol versions (IPv4 and/or IPv6), which makes the output not have the same number of columns, and then the awk parser doesn't recognize those services.

Example:
Code:
root     httpd      1448  3  tcp4 6 *:80                  *:*

Solution: add a replacement to make the columns fit:
Code:
| sed -e "s/tcp4 6/tcp4/g"

So the final sockstat command would look like:
Code:
${SOCKSTAT_CMD} ${RKHTMPVAR} | sed -e "s/tcp4 6/tcp4/g" | awk '{ print $6 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq

Best regards
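A parser that avoids all three failure modes discussed in this thread (PID-suffixed socket paths, ephemeral ports of established connections, and the extra protocol-version column), as an added shell example that is neither rkhunter's own code nor any poster's patch; the sockstat and netstat outputs inside it are constructed samples modelled on the thread, not captured from a real host.

```shell
#!/bin/sh
# Added example (not rkhunter's code): compare listening ports from sockstat and
# netstat on FreeBSD without this thread's false positives. Samples are constructed.

# Constructed sockstat output: a newer-style row with the extra version column
# ("tcp4 6"), an outgoing connection with an ephemeral local port, and a unix
# socket whose path ends in .PID (the thread's phantom "port 47763").
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     httpd      1448  3  tcp4 6 *:80                  *:*
root     sshd       1100  4  tcp6   *:22                  *:*
88       mysqld     15088 10 tcp4   127.0.0.1:3306        *:*
root     fetch      2000  3  tcp4   192.0.2.10:41380      198.51.100.7:443
click    sshd       47763 9  stream /tmp/ssh-kbxohRioPN/agent.47763'

# Constructed netstat -an output: listeners, one established outgoing
# connection, and the unix-domain line for the same agent socket.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0 192.0.2.10.41380       198.51.100.7.443       ESTABLISHED
ffffff005e78db40 stream      0      0 ffffff000b6e9000        0        0        0 /tmp/ssh-kbxohRioPN/agent.47763'

# The rkhunter 1.3.8 pipeline quoted above (field 6 only): it reports 47763
# from the socket path, 41380 from the outgoing connection, and misses port 80.
naive_sockstat_ports() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | awk '{ print $6 }' \
      | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -n | uniq | xargs
}

# Hardened parser: tcp/udp rows only, no peer address (i.e. listening), and the
# local address taken as the second-to-last field whatever the column count.
sockstat_listen_ports() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" \
      | awk '$5 ~ /^(tcp|udp)[46]?$/ && $NF == "*:*" { a = $(NF-1); sub(/.*[:.]/, "", a); print a }' \
      | sort -n | uniq | xargs
}

# netstat side: tcp rows in LISTEN state plus udp rows with no peer; the port
# is whatever follows the last dot of the local address (IPv4 or IPv6).
netstat_listen_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 == "*.*") { a = $4; sub(/.*\./, "", a); print a }' \
      | sort -n | uniq | xargs
}

# Ports seen by exactly one of the two tools; empty output means they agree.
port_differences() {
    { sockstat_listen_ports; netstat_listen_ports; } | tr ' ' '\n' | sort -n | uniq -u | xargs
}
```

To run it against a live system, replace the two SAMPLE_ variables with the output of sockstat and netstat -an and call port_differences.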
 
Under some circumstances the lines above couldn't fix the issue, so I found another parse command:

Code:
SOCKSTAT_OUTPUT=`echo "${SOCKSTAT_OUTPUT}" | sockstat | grep "[t|u][c|d]p" | cut -c 37- | awk '{print $1}' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`

Regards
 
Just had this issue after an update to 14.2-RELEASE

sockstat showing two high ports: 41301 55951
123 12301 137 138 139 143 21 22 2222 25 30944 40068 443 445 465 49752 5000 514 53 54370 587 58893 631 63344 6535 65388 69 80 8989 993
123 12301 137 138 139 143 21 22 2222 25 30944 40068 443 445 465 49752 5000 514 53 54370 587 58893 631 63344 6535 65388 69 80 8989 993
netstat showing three high ports: 13311 38931 59659

All other ports the same. Weird. Will post more if it happens again.
 