Applicable to:
- Plesk for Linux
Question
What Watchdog warnings may be safely ignored?
Answer
The following list of warnings may be safely ignored:
1.
[16:34:46] Warning:  Package manager verification has failed:
[16:34:46] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[16:34:46] The file hash value has changed
[16:34:46] The file size has changed
[16:34:46] The file modification time has changed
This warning is expected after the Watchdog configuration was changed via Plesk.
2.
[16:35:32] Warning: The following suspicious shared memory segments have been found:
[16:35:32] Process: /usr/sbin/httpd PID: 9522 Owner: root
[16:35:32] Process: PID: 25000 Owner: psaadm
[16:35:32] Process: /usr/bin/postgres PID: 9759 Owner: postgres
These shared memory segments are owned by Apache, Plesk and Postgres.
3.
[01:01:55] Checking for suspicious shared memory segments [ Warning ]
[01:01:55] Warning: The following suspicious shared memory segments have been found:
[01:01:55] Process: PID: 4023 Owner: magicspam
[01:01:55] Process: /usr/sbin/apache2 PID: 10275 Owner: root
These shared memory segments are owned by Apache and magicspam.
4.
[16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
These services are enabled because Plesk needs them to function.
5.
[16:35:38] Warning: Hidden directory found: /dev/.udev
[16:35:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
- *.hmac files are used for message authentication; see the SSH manual.
- The /usr/share/man/ folder is used for package manuals.
- The /dev/.udev directory is created by the udevd daemon and used during the system boot process.
Additional information
For more information about watchdog, refer to the documentation article.
For the purpose of scanning the server for malware, Watchdog uses the Rootkit Hunter utility. For additional information regarding Rootkit Hunter, visit the Rootkit Hunter developer's Web site.
Many of these warnings can be whitelisted; see the following Rootkit Hunter documentation:
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/README
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ
Comments
4 comments
Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.
@Marco Marsala
Thank you for noticing, Marco! I have updated the article.
Why doesn't Plesk then whitelist these warnings by default?
@Christian Heutger
Hello!
These warnings are not whitelisted by default as they may be useful for troubleshooting.
Feel free to create functionality suggestions at Plesk User Voice.