Articles in this section

See more

What Watchdog warnings may be safely ignored

Avatar
Natalia Astashenko
Updated
Follow

Applicable to:

  • Plesk for Linux

Question

What Watchdog warnings may be safely ignored?

Answer

The following list of warnings may be safely ignored:

1.

[16:34:46] Warning:&nbsp Package manager verification has failed:
[16:34:46] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[16:34:46] The file hash value has changed
[16:34:46] The file size has changed
[16:34:46] The file modification time has changed

Watchdog configuration was changed via Plesk.

2.

[16:35:32] Warning: The following suspicious shared memory segments have been found:
[16:35:32] Process: /usr/sbin/httpd PID: 9522 Owner: root
[16:35:32] Process: PID: 25000 Owner: psaadm
[16:35:32] Process: /usr/bin/postgres PID: 9759 Owner: postgres

These shared memory segments are owned by Apache, Plesk and Postgres.

3.

[01:01:55] Checking for suspicious shared memory segments  [ Warning ]
[01:01:55] Warning: The following suspicious shared memory segments have been found:
[01:01:55] Process:     PID: 4023    Owner: magicspam
[01:01:55] Process: /usr/sbin/apache2    PID: 10275    Owner: root

These shared memory segments are owned by Apache and magicspam.

4.

[16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa

Services are enabled for Plesk functioning.

5.

[16:35:38] Warning: Hidden directory found: /dev/.udev
[16:35:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

- *.hmac files are used for messages authentication, see SSH manual.

- /usr/share/man/ folder is used for packages manuals.

- directory /dev/.udev is created by the udevd daemon and used for system boot process.

 

Additional information

For more information about watchdog, refer to the documentation article.

For the purpose of scanning the server for malware, Watchdog uses the Rootkit Hunter utility. For additional information regarding Rootkit Hunter, visit the Rootkit Hunter developer's Web site.

It is possible to whitelist many warnings encountered by the next information:

http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/README

http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ

Comments

4 comments

Sort by Date Votes
  • Avatar
    Marco Marsala (Edited )

    Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.

    [01:01:55] Info: Starting test name 'ipc_shared_mem'
[01:01:55]   Checking for suspicious shared memory segments  [ Warning ]
[01:01:55] Warning: The following suspicious shared memory segments have been found:
[01:01:55]          Process:     PID: 4023    Owner: magicspam
[01:01:55]          Process: /usr/sbin/apache2    PID: 10275    Owner: root

    0
    Permalink
  • Avatar
    Artyom Baranov

    @Marco Marsala

    Thank you for noticing, Marco! I have updated the article.

    0
    Permalink
  • Avatar
    Christian Heutger

    Why doesn't plesk then whitelist this warnings by default?

    0
    Permalink
  • Avatar
    Ivan Postnikov

    @Christian Heutger

    Hello!
    These warnings are not whitelisted by default as they may be useful for troubleshooting.

    Feel free to create functionality suggestions at Plesk User Voice.

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles