This is a harmless error. If you want to follow the progress made by the developers on removing the bug, see this bug report.
I've sat and accepted that this is a harmless inconsistency in configuration until yesterday when I noticed unusual activity on my ADSL router. With no other machine running in the system but my SME 7.4 server, there is a constant level of activity at the ADSL router which was not evident a few days ago. When I look at Top I see processor usage only for Top itself and every few seconds from SSHD - except when a mail event occurs. This activity is constant and at times fairly rapid.
I took a look at the rkhunter log and found this...
[04:02:34] Warning: The SSH and rkhunter configuration options should be the same:
[04:02:34] SSH configuration option 'PermitRootLogin': yes
[04:02:34] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[04:02:34] Checking if SSH protocol v1 is allowed [ Not allowed ]
[04:02:34] Checking for running syslog daemon [ Found ]
[04:02:34] Checking for syslog configuration file [ Found ]
[04:02:34] Info: Found syslog configuration file: /etc/syslog.conf
[04:02:34] Checking if syslog remote logging is allowed [ Not allowed ]
[04:02:34]
[04:02:34] Performing filesystem checks
[04:02:34] Info: Starting test name 'filesystem'
[04:02:34] Info: SCAN_MODE_DEV set to 'THOROUGH'
[04:02:34] Checking /dev for suspicious file types [ None found ]
[04:02:34] Info: Found hidden file '/usr/share/man/man1/..1.gz': it is whitelisted.
[04:02:34] Checking for hidden files and directories [ None found ]
[04:02:34]
[04:02:34] Info: Test 'apps' disabled at users request.
Which doesn't tell me much, *BUT* there is a suspicious circumstance in my system which seems too much of a coincidence to ignore. I spent 10 hours or so the day before yesterday with a client's PC hooked to my system with a savage malware trojan infection that was a nightmare to remove because it began by corrupting userinit.exe and the corresponding system call that runs this executable at logon - the machine would simply return to the logon screen a few seconds after each attempt to logon, so I had to find a way to get into the machine in the first place. Once I got in I found the root cause of the problem in a tiny file called jill.exe - Jill is one of the usernames registered on the PC. It could be swept with an AV scanner and not be flagged, but as soon as the system attempted to run it, the AV system flagged up a virus, so it had somehow scattered it's parts around the system and called them all together as a virus when it ran. Since the fundamental purpose of this trojan entity was to hold the door of the firewall open to invite the bad guys in, and it was very successful - I found over 10,000 infected objects - I'm concerned to find that something is poking the internet from my server now, with no obvious hostile activity on the server itself.
I've run a ClamAV scan with no hostiles reported, and as shown above, the Rootkit hunter doesn't seem to show anything either.
Anyone able to suggest what I should do next? I assume I'll get the usual - 'report a bug' - but I have no idea what to report, and I'm greatly inclined to just reload my server from scratch, so the only working test environment isn't going to exist much longer.
Ed Form
12 Replies
2841 Views