Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003

The Official Cpanel Newbie Guide dedicated to providing web hosting companies and beginners everything you need to start using your Cpanel web server. HOWTO: Cpanel and WHM Newbie Guide - what you need to get started!

Cpanel Newbie Guide

This guide assumes you already have Cpanel installed, and we'll walk you through some of the very basics of using your new Cpanel server. We expect you have some knowledge of what Cpanel actually is and know a bit about server administration. Always consider hiring a professional to go over your system if you just purchased a new system. This guide has been created by Steven Leggett and cannot be reproduced without my explicit permission. Please link to this page for the latest updates to this guide.

Last Update: Feb 23, 2006

Before we get started I'll go over some of the settings of the server and use these icons as a guide if something should be turned on or off in WHM.


Check = Check it No = Do not enable it


Login to WHM Login to Cpanel
To log in to your box, here are a few things to help you. SSL logins are highly recommended for security - please see our Force SSL logins in the Cpanel Tutorials for more details.

  • WHM
    - Secure SSL https://sitename.com:2087
    Notice: Root user should only ever login using the secure HTTPS login!
    - Regular http://sitename.com:2086 and http://yourdomain.com/whm
  • Cpanel
    - Secure SSL https://sitename.com:2083
    - Regular http://sitename.com:2082 and http://yourdomain.com/cpanel
  • Webmail
    - Secure SSL https://domain.com:2096
    - Regular http://domain.com:2095 and http://yourdomain.com/webmail

Edit Setup
Now login to your WHM as the root user.
This is the main section to your web server where you can set the options once and will probably never need to change them.


WHM Setup Guide

Click on Basic cPanel/WHM Setup

Most of these sections are self explanatory with examples of what they do. Just read them to get familiar. I'll mention the important ones.

Main Shared Virtual Host IP:
This is your server's main IP address, used by default with all shared hosting accounts.  This should be set up by default and you probably won't need to change this unless you want to use a different IP.

Server Contact E-Mail Address:
Email alerts are sent to this address, so make sure you have a decent size inbox for them, something over 2 megs, because you will often receive updates, log files and all kinds of other goodies. Preferably use an email account hosted on a different system like gmail, hotmail or yahoo. You don't want to have it mail your local accounts in the event of a problem.

Server Contact Pager Address:
Another contact method for receiving special alerts if your server goes down. We recommend leaving this empty and using a third party monitoring service like SiteUptime.com or Alertra.com because if your server is already down, how will it contact you :)

Default cPanel Theme:
The theme you want to be used by default with all new hosting accounts. There are a few to choose from and if you install a custom theme you can enter the name of it here. To see what themes you have installed on the server, scroll down the left hand side and look for the title: Themes, then click on List Installed cPanel Themes. Recommended theme: x

Default Home Directory:
We recommend setting this to: /home It should already be setup.

Home Directory Prefix:
Leave this set to home

Minimum Uid:
Leave blank

Alternate Main Ethernet Device:
Don't touch this unless you've setup a custom ethernet configuration. Read on..

Hostname:
Many people get confused about what this is. Basically you make up the prefix and apply it to the main domain used to host your sites.
Example: If the main site for the server was test123.com, I could set the hostname to server1.test123.com or mars.test123.com. The prefix helps you identify which server this is.  Make sure to set your hostname properly by using the Change Hostname link at the top left; this should match what you set there.
NOTICE: In order for your system to be able to email and receive email from other servers you need to use a VALID and WORKING domain name for this. Make sure the domain you choose is hosted on the server! Otherwise email will be rejected from your system in most instances.

Missing Hostname A record Warnings: Once you modify your Hostname you need to add a DNS zone for it. This is to ensure that when a mail server or other system checks to see if your server is online, it will respond. You can add an A record to your hostname in: Network Setup >> Hostname.


Primary Nameserver:
There are two options for these depending on what you're doing.
Option 1) Shared Nameservers
This is where you would use your datacentre's default name servers such as ns1.ev1servers.net and ns2.ev1servers.net
No other configuration is required, making this a snap. You would then set the nameservers of all the domain names you want to put on the server to the same name servers that you entered here. Keep in mind that if you want to add things like a subdomain you have to go to your hosting provider's domain system to add the DNS zone changes. This is NOT recommended.

Option 2) Private Nameservers - A little harder but HIGHLY recommended
This can get very ugly if you don't know what you're doing. I strongly recommend you use your own private nameservers for your dedicated server. This is because you then have control of the DNS Zone associated with your site, so when you add things like subdomains you don't need to add them somewhere else because your server will handle everything.  Cpanel Nameserver Guide here.

Primary Nameserver
ns1.yourserverdomain.com 

Secondary Nameserver
ns2.yourserverdomain.com

Enter the correct names, click assign IP address. Then assign A entry for this nameserver. It's important you do not miss these steps and that your server has 2 free(available) IP addresses to use. Contact the datacenter if you're not sure. You can check what IP's are available in WHM >> IP Functions >> Show or Delete Current IP Addresses

Apache Access Log Style:
Set this to: combined



First off is updates with Cpanel: Update Config
How your software gets updated.
Login to WHM (Web Host Manager) and go to, Update Config:


Edge Release:
Right from a programmer's hands, this is the first layer of Cpanel that is used for testing, patching etc. It has the latest fixes but isn't as well tested as other releases.

Current:
This is upgraded from the edge release so it has been tested a bit more.

Release:
Again another layer of testing, it is older code and has been run on more systems but it takes longer for updates to get to it. Recommended Selection

Stable:
Very old but the most stable version around, it has been tested the longest.

We recommend you set to manual updates, Release option. I prefer manual over automatic because I like to keep a better eye on what has been changed.
If you select manual and you want to perform the update simply scroll down WHM and go to Cpanel  > Upgrade To Latest Version.

This will update Exim, scripts, themes, Perl and Cpanel if updates are available - it will only update to the Cpanel release type you selected previously.

To see if new updates are available go to http://layer2.cpanel.net
You can also click on the Change Log at the top of WHM to see their latest updates and releases.



Tweak Settings:
This is one of the most important sections of the configuration for your server. It's where you set settings that apply to all users on the server, like enabling certain stats programs.


Domains: Adding domains to the system.
No Allow Creation of Parked/Addon Domains that are not registered  

Check Allow Creation of Parked/Addon Domains that resolve to other servers (ie domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]  

No  Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea) 

Check Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Mail: Email and related settings
No Add the mail. prefix for mailman urls (ie http://mail.domain.com/mailman)  

Check Attempt to prevent pop3 connection floods

Check BoxTrapper Spam Trap

Check Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
Set to FAIL. This means that when someone sends to nonexisting@company.com it will bounce

Check Email users when they have reached 80% of their bandwidth. Highly recommended

Check Horde Webmail - a webmail interface that has custom skins, notes, filters and more.

No Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

Check Mailman Mailing list software, clients can use it through their own Cpanel. 

No  Neomail Webmail - Pretty crap webmail client with no features and not any longer supported

Number of minutes between mail server queue runs (default is 60). I'd leave it at 60

No Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.) Do NOT turn this on if you're not using PHPSuexec, since you're reading this guide then leave this option UNCHECKED or all contact form mail will BREAK!

Check Silently Discard all FormMail-clone requests with a bcc: header in the subject line - Helps cut down on mail queue build up.

Check SpamAssassin - Awesome spam filtering tool, highly recommended.

Check SpamAssassin Spam Box delivery for messages marked as spam (user configurable) - allows users to configure it through their control panel, very nice.

No SquirrelMail Webmail - Another webmail client, I don't like it personally.

 The maximum each domain can send out per hour (0 is unlimited): If you have clients on your server I suggest entering a high value such as 500. This limits the sending amount of mail for the entire domain, not per email address. If they start reporting they can't send messages out you can increase it. 

 The number of times users are allowed to check their mail using pop3 per hour:  60 is recommended. That's 1 check per minute which is high enough. 

No Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)

MySQL: Database stuff
Check Use old style (4.0) passwords with mySQL 4.1 (required if you have problems with php apps authenticating) - NOTE: Only use this if you have MySQL 4.1 installed.

Notifications:
No Disable Suspending accounts that exceed their bandwidth limit (will clear all suspensions is disabled) - Bad idea to turn this on. You WANT the account to get suspended so they're forced to upgrade and don't go crazy with bandwidth.

Check Disk Space Usage Warnings - Email users when their account starts running out of disk space.

Check Email Box Usage Warnings - Email users when their mailbox starts running out of disk space.

Software: - Extra server wide software available
No FormMail-clone cgi

Interchange Version to use (if you disable interchange, you must turn off the service in the service manager). I suggest disabling it, old and useless.

Loader to use for internal cPanel PHP (Use oldsourceguardian for version 1.x and 2.x). I suggest sourceguardian.

Stats Programs: - How you can view website traffic 
No Analog Stats
No Awstats Reverse Dns Resolution
Check Awstats Stats - I like this, easy to use
Check Webalizer Stats - Has better file tracking, history features than Awstats

Stats and Logs: How the server handles log files
Check Allow users to update Awstats from cPanel - Lets them update stats manually, adds to server load.
Check Delete each domain's access logs after stats run
No Do not include password in the raw log download link in cPanel (via ftp).
No Do not reset /usr/local/apache/domlogs/ftpxferlog after it has been separated into each domain name's ftp log
Check Exim Stats Daemon (required for smtp bandwidth logging; must also be modified in the service manager as well)
No Keep Stats Log (/usr/local/cpanel/logs/stats_log) between cpanel restarts (default is off)
No Keep log files at the end of the month (default is off as you can run out of disk space quickly)
Number of days between processing log files and bandwidth usage (default 1, decimal values are ok): 1
Stats Log Level (default is 1, larger numbers indicate more debug information in /usr/local/cpanel/logs/stats_log) [0...10]: 1
The load average above the number of cpus at which logs file processing should be suspended (default 0): 10 I suggest this value
Check When viewing bandwidth usage in WHM, always display in Megabytes first.

Stats and Logs: When you click on Server Status in WHM or Cpanel
The load average that will cause the server status to appear red (leave blank for default): 5 to 10 is recommended

System:
Check Allow Sharing Nameserver Ips - Allows you to give resellers private nameservers without dedicated IPs
No Allow cPanel users to install SSL Hosts if they have a dedicated ip. - Users usually screw this up, I suggest turning this feature off and installing it for them for a fee.
No Allow cPanel users to reset their password via email - Security issue, keep this off
No Allow cpanel and admin binaries to be run from other applications besides the cpanel server (cpsrvd).
No Allow perl updates from rpm based linux vendors
No Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
No Disable Disk Quota display caching (whm will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performance degradation.)

No Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication)
No Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature.

Check Disable whois lookups for the nameserver ip manager.
No Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log
No Do not warn about features that will be depreciated in later releases (Warning: If you check this box, you will not be able to learn about features that will be disappearing in future releases. This could lead to a non-functional server when the feature is finally removed.)

No Do not warn users about the system backup being disabled in cPanel.



Backups
Configure Backup under WHM:

  • Backup Status: Enabled
  • Backup Interval (Note: Selecting Daily Backup will give you monthly and weekly as well, Selecting Weekly backup will give you monthly as well.) Daily or weekly - up to you
  • Days to run backup (self-explanatory)
  • Remount/Unmount backup drive (requires a separate drive/coda/nfs mount) - Disabled
  • Bail out if the backup drive cannot be mounted (recommended if you have selected the above option) - Enabled
  • Incremental backup (only backup what has changed) (**No Compression**) - Disabled
  • Backup Accounts - Enabled
  • Backup Config Files (not needed to restore specific accounts) - Enabled
  • Sql Databases (at least per accounts is needed to use the restore feature) - Per account
  • Backup Raw Access Logs - Enabled
  • Backup Destination (this should be a dir/nfs/coda mount with at least twice the space of all your /home* partitions. Setting this to /home is a VERY BAD IDEA.): - /backup
    (Note: you need a second hard drive and should have it set to /backup in your fstab file)

Service Status
System Health and running services - eg Apache, Exim etc.
Green = Good | Yellow = Warning | Red = Trouble
Clients can see the service status through their own Cpanel as well.

Things to pay attention to:
- Server Load 0.12 (1 cpu) - the lower the better! You should be worried if it's at 7 or higher
- Memory Used - You should be worried if it's at 75% +

Firewall
How to install APF (Advanced Policy Firewall)

Logs
Apache Logs Explained
No one tells you where they are, but it's very important to know.
*Important!
All users have their own separate log files - every domain has its own logs - eg: sitename.com

  • Exim: /var/log/exim_mainlog, /var/log/maillog, /var/log/exim_paniclog
  • Apache:
    - Error Log: /usr/local/apache/logs/error_log (404 not found errors, etc)
    - Access Log: /usr/local/apache/logs/access_log
    - Site Logs: /usr/local/apache/domlogs/sitename.com
  • Logins: /var/log/secure, /var/log/logins_log
  • Messages: /var/log/messages
  • Cpanel: /usr/local/cpanel/logs/access_log


Other things to know:
Restart Cpanel in SSH (Shell is like a DOS prompt)#:
/etc/init.d/cpanel restart

Cpanel Manual Backup & Update - if backup doesn't work through WHM - SSH  command #:
/scripts/upcp

Apache Config Test in SSH: -test httpd.conf file for errors!
/usr/local/apache/bin/apachectl configtest

The configuration file is located in /usr/local/apache/conf/httpd.conf so you may need to edit it in Pico or your favourite editor and make changes.

Manual stop/start of services in SSH - append start, stop or restart to each command:
service httpd
service exim
service proftpd
service named
service mysql


That's all I can think of for now! Overall Cpanel is easy to use and has some nice automated features but a control panel can only do so much, you need to get your hands dirty sometimes!

Just a note: there are MANY other settings to go over, way too many to cover in this guide. It's recommended you hire a server administrator to go over your server and configure it properly. Just checking off values in WHM doesn't properly secure your server; you need a skilled system administrator to review your system. You can always contact me directly to have me go over your server for a nominal fee. Always glad to help out.

Best of luck

Steven Leggett


Comments (27)

  • Damian 01:55, November 15, 2003
    I have followed your "how to" to install the chkrootkit however I cannot get the cron email to work..

    No such file or directory...

    I followed exactly the steps you mention and what is the right path for this?

    cd /yourinstallpath/chkrootkit-0.42b/
  • Edward 22:16, November 25, 2003
    Love it :)
  • Coffeymate 16:08, December 8, 2003
    Thanks for such concise instructions here at webhostgear.

    Do you have a link for what to do if you find an infected port?

    I'm getting bindshell infected port 465 on my new server acquired in the past couple days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port.

    What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

    Again, thanks for such an informative site!
  • alphonse 17:44, December 18, 2003
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
    As I have no rootkit installed, I don't know the outputs to look for...
  • tom 18:33, December 26, 2003
    Great work
  • mike 01:50, January 18, 2004
    latest version does not work using the above tutorial on cpanel RHE3 servers, runs ok manually but not from cron
  • Jeff Huckaby 06:11, April 2, 2004
    Some notes:


    MD5SUMs
    You should always check md5sum's on software like chkrootkit. What would be worse than to check a problem and find out you installed a trojan chkrootkit.


    A bit of a rant ....

    Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem but it is not a file-integrity system like tripwire, aide or one of a number of host based IDS programs.
  • Mikey 08:20, June 9, 2004
    If anyone is interested this also works on a BSD box. I did have to go in and install bash but other than that...works like a charm.

  • Daniel 18:58, July 1, 2004
    This is a great guide but I noticed a small error in your typing, might want to add an 'r' in the untar part of this guide. you are missing it for the file name.
  • Sun Joo 02:20, September 4, 2004
    This is a great one. Thanks a lot.
  • subrat 14:20, December 6, 2004
    This is the redefining technique for scanning vulnerabilities of servers.
  • burke 21:30, May 25, 2005
    This simple script runs chkrootkit but mails only if INFECTED:

    #!/bin/bash
    #
    # Cron Script - run from /etc/crontab or place in cron.daily
    #
    # Runs chkrootkit and reports if infected files are found

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \
    fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"
  • Norvin 14:44, August 21, 2005
    Hi,

    Good piece of kit however I am getting
    Checking `bindshell'... INFECTED (PORTS: 31337)

    Would that be an error?
    It is installed on a Raq4
    Cheers
  • Pete 14:03, October 14, 2005
    Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.

    Thanks for your time

    Cheers
  • elian 13:46, October 24, 2005
    I have the same problem:
    ----------------------------------------

    Checking `bindshell'... INFECTED (PORTS: 465)

    ------------------------------------
    what can I do?
  • dan 13:35, November 3, 2005
    regarding the concern with the "INFECTED (PORTS: 31337)"
    I believe this is a result of using PortSentry...

    there's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
  • Livio 18:37, November 28, 2005
    Burke when I run your Script I get the following error:
    ./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'
    ./chkrootkitliv.sh: line 10: syntax error: unexpected end of file
    ---------------------------------------
    What is wrong on the Line ?

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" |
    fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"
    ----------------------------------------
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discharge the port 465 error. I know 465 is my Secure SMTP on Exim.
  • Livio 00:22, December 2, 2005
    Here is my procmail Script to filter the e-mails received from Crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter eliminating the daily false positive reports. Only emails with Important information will be allowed to pass.

    My 0.2 cents.
    Livio.


    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }


    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail
  • livio 03:36, December 2, 2005
    ooops. Here is the Script Fix (was missing :0 fBw at the beginning)

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    :0 fBw
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }


    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail
  • Rahul 22:56, August 15, 2006
    Am also getting same error is that ok

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
  • Rahul 00:20, August 16, 2006
    Am also getting same error is that ok

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
  • Rob Barclay 11:55, August 16, 2006
    Spot on article, helped me loads (just need to add my version was chkrootkit-0.46a, so took me a little while to work out why the daily cron wasn't working)

    But excellently written guide thank you
  • irlamp 09:49, December 23, 2006
    Hello

    I have done this and this is the result! What should I do?

    [/etc/cron.daily]# ./chkrootkit.sh
    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit

    Thanks
  • Paul Johnson 04:06, October 31, 2007
    irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin

    #!/bin/bash
    cd /usr/bin
    ./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    last bit is all on one line.

    Livio:

    I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.

    #!/bin/bash
    cd /usr/bin
    # grep -E so that | is treated as alternation rather than a literal character
    ./chkrootkit 2>&1 | grep -E "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    Last line is all one piece.
  • Sushant 00:42, December 19, 2008
    I am getting same error..

    root@sushant [~]# cat chkrootkit.log
    INFECTED (PORTS: 465)

    I have gone through this link..and it says same thing 'false positive'

    http://forums.theplanet.com/lofiversion/index.php/t29181.html

    What does it mean exactly by false positive ?
  • Iamthatyouwant 12:40, November 9, 2009
    Very useful ;D thanks for all
  • Angelo 18:06, June 10, 2010
    I received the report email daily. But there is no message on the email.

    After I manually ran the test report (./chkrootkit.sh),

    I received a message on the CLI:

    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
    Null message body; hope that's ok
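
Added example, not code from the article or from any commenter: a cron filter of the kind several comments ask for. It drops `bindshell` ports you have explicitly allowlisted (465 for Exim's SMTP over SSL, as discussed above), keeps the LKM warning lines that a grep for INFECTED|Vulnerable alone would miss, and mails an error instead of an empty report when the chkrootkit path is wrong. The variable and function names, the default paths and the sample report are assumptions.

```shell
#!/bin/bash
# Added example (not from the article or the comments).
# Assumed names: CHKROOTKIT_DIR, MAILTO, ALLOWED_PORTS and every function name.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/src/chkrootkit}"  # path from burke's comment
MAILTO="${MAILTO:-root}"
# Ports where you have confirmed (for example with `netstat -tlnp`) that a
# legitimate daemon is listening. 465 is Exim's SMTP over SSL in the comments.
ALLOWED_PORTS="${ALLOWED_PORTS:-465}"

# Read a chkrootkit report on stdin and print only the lines needing attention.
filter_chkrootkit() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, /[ ,]+/)
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # bindshell line: drop allowlisted ports, report whatever is left.
    /bindshell.*INFECTED \(PORTS:/ {
        ports = $0
        sub(/.*PORTS:[ ]*/, "", ports)
        sub(/\).*/, "", ports)
        m = split(ports, p, /[ ]+/)
        left = ""
        for (i = 1; i <= m; i++)
            if (p[i] != "" && !(p[i] in ok)) left = left " " p[i]
        if (left != "") print "bindshell: unexpected listening port(s):" left
        next
    }
    # Other findings. "not infected" is lowercase, so it never matches INFECTED.
    /INFECTED|Vulnerable|Warning|hidden for/ { print }
    '
}

# Constructed sample, assembled from output lines quoted in the comments.
sample_report() {
    cat <<'EOF'
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
}

# Cron entry point: mail only when there is something to report.
check_and_mail() {
    if [ ! -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
        # A wrong path should raise an alert, not produce a silent empty mail.
        findings="chkrootkit not found in $CHKROOTKIT_DIR"
    else
        findings="$(cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1 | filter_chkrootkit)"
    fi
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
}

# Run the real scan only when asked to, e.g. from cron with the --run argument.
if [ "${1:-}" = "--run" ]; then
    check_and_mail
fi
```

Allowlist a port only after confirming which process owns it; an unexplained listener on an allowlisted port number would otherwise be filtered out along with the false positive.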
