rkhunter giving false positives?

Hi,
both my cPanel RHE servers are giving false positives for some binaries at the start of the rkhunter output.

E.g.

/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ BAD ]
/bin/egrep [ BAD ]
/bin/env [ OK ]
/bin/fgrep [ BAD ]
/bin/grep [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ OK ]
/bin/mount [ BAD ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/su [ OK ]
/sbin/chkconfig [ BAD ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ BAD ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ BAD ]
/sbin/syslogd [ BAD ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ BAD ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ BAD ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]


I checked many of these "BAD" files using "rpm -Vf <filename>" and most of them were fine and only some had an "M" response - meaning a mode change (permissions). But no md5 errors. So this must be an rkhunter md5 lagging problem, right? There were no other errors in rkhunter output except for:

Networking
* Check: frequently used backdoors
warning, got duplicate tcp line.
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
warning, got duplicate tcp line.
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
warning, got duplicate tcp line.
warning, got duplicate tcp line.
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]


Where it says "warning, got duplicate tcp line", is this something to worry about? Apart from this everything else is normal. What do you think? I tried running chkrootkit also and nothing abnormal from it. Also it's only on my RHE servers, not my RH 9 server. I recently updated them all with the "/scripts/upcp" command. Also I tried "./rkhunter --update" but it still gives the "BAD" output as above.

 

 

 

 
