
What RKHunter warnings can be safely ignored on a Plesk server


Applicable to:

  • Plesk for Linux

Question

What RKHunter warnings reported in Watchdog extension can be safely ignored?

Answer

Note: Rootkit Hunter (RKHunter), which scans the server for rootkits and other signs of compromise, has been removed from the Watchdog extension for Plesk starting from Watchdog version 3.1.

The following warnings can be safely ignored. Note that only the specific findings listed below are known to be benign: the same warning type reported for a different path, process, service or owner should be investigated rather than dismissed.

  • The file has changed - This warning appears in the log when the Watchdog configuration has been changed via Plesk. Watchdog rewrites its own copy of rkhunter.conf, so the hash, size and modification time recorded by the package manager no longer match:

    CONFIG_TEXT: [00:00:00] Warning: Package manager verification has failed:
    [00:00:00] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
    [00:00:00] The file hash value has changed
    [00:00:00] The file size has changed
    [00:00:00] The file modification time has changed

  • Suspicious shared memory segments - The shared memory segments below are owned by Apache, Plesk (the psaadm user), PostgreSQL and MagicSpam, all of which legitimately use shared memory:

    CONFIG_TEXT: [00:00:00] Warning: The following suspicious shared memory segments have been found:
    [00:00:00] Process: /usr/sbin/httpd PID: 9522 Owner: root
    [00:00:00] Process: PID: 25000 Owner: psaadm
    [00:00:00] Process: /usr/bin/postgres PID: 9759 Owner: postgres
    [00:00:00] Process: PID: 4023 Owner: magicspam
    [00:00:00] Process: /usr/sbin/apache2 PID: 10275 Owner: root

  • Found enabled xinetd service - The 'xinetd' service is part of Plesk: ftp_psa and poppassd_psa are the xinetd entries for Plesk's FTP and poppassd (mail password change) services.

    CONFIG_TEXT: [00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
    [00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa

  • No output found from the lsmod command on OpenVZ containers - if the server is an OpenVZ container, 'lsmod' is expected to return empty output: the container shares the kernel of the hardware node and cannot load or list kernel modules itself:

    CONFIG_TEXT: [00:00:00] Checking loaded kernel modules [ Warning ]
    [00:00:00] Warning: No output found from the lsmod command or the /proc/modules file:
    [00:00:00] /proc/modules output:
    [00:00:00] lsmod output:
    [00:00:00] Info: Using modules pathname of '/lib/modules'

  • Hidden file/directories found

    • The /usr/share/man/ directory holds package manual pages; entries such as ..1.gz and .k5login.5.gz are man pages for names that begin with a dot.
    • The /dev/.udev directory is created by the 'udevd' daemon and is used during the system boot process.
    • The *.hmac files hold the HMAC checksums that the fipscheck library uses to verify the integrity of the corresponding binaries (for example /usr/bin/ssh and /usr/sbin/sshd) when FIPS mode is enabled.
    • The /etc/.java directory is created by OpenJDK, and it is safe.
    • The /etc/.updated file is created by systemd-update-done.service (its purpose is to hold a timestamp of the time this directory was updated), and it is safe.

    CONFIG_TEXT: [00:00:00] Warning: Hidden directory found: /dev/.udev
    [00:00:00] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    [00:00:00] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
    [00:00:00] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
    [00:00:00] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    [00:00:00] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    [00:00:00] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    [00:00:00] Warning: Hidden directory found: /etc/.java
    [00:00:00] Warning: Hidden file found: /etc/.updated: ASCII text
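
As an added example, not Plesk's or rkhunter's own code: a POSIX shell script that applies exactly the list above to a Watchdog/rkhunter log, printing every warning the list does not cover (so a hash change on /usr/sbin/sshd or a hidden directory under /var/tmp is still reported), and that prints the equivalent rkhunter.conf allowlist entries for servers where rkhunter is run on its own. The sample log is constructed from the lines in this article plus three made-up findings that must not be suppressed; the RKH_OPENVZ variable and the /proc/vz heuristic for detecting an OpenVZ container are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Plesk's or rkhunter's own code): triage a Watchdog/rkhunter
# log against exactly the findings this article calls benign, and emit the
# matching rkhunter.conf allowlist entries. Everything else stays reported.

# Exact paths from the article. Whole-line matches only: no globbing, so
# /etc/.java2 or /var/.udev would still be reported.
BENIGN_HIDDEN_DIRS='/dev/.udev
/etc/.java'
BENIGN_HIDDEN_FILES='/usr/share/man/man1/..1.gz
/usr/share/man/man5/.k5login.5.gz
/usr/share/man/man5/.k5identity.5.gz
/usr/bin/.fipscheck.hmac
/usr/bin/.ssh.hmac
/usr/sbin/.sshd.hmac
/etc/.updated'
BENIGN_XINETD='/etc/xinetd.d/ftp_psa
/etc/xinetd.d/poppassd_psa'
# Shared memory: segments with one of these process paths, or with no
# process path but one of these owners (Plesk's psaadm, postgres, magicspam).
BENIGN_IPC_PROC='/usr/sbin/httpd
/usr/sbin/apache2
/usr/bin/postgres'
BENIGN_IPC_USER='psaadm
postgres
magicspam'
# Files whose package-manager verification failure is expected.
BENIGN_PKG_FILES='/usr/local/psa/etc/modules/watchdog/rkhunter.conf'

# is_listed LIST VALUE: whole-line, fixed-string membership test.
is_listed() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# The empty-lsmod warning is only benign inside an OpenVZ container.
# RKH_OPENVZ=1/0 overrides detection; the /proc/vz-without-/proc/bc
# heuristic is an assumption of this example, not something the article states.
in_openvz() {
    case ${RKH_OPENVZ-auto} in
        1) return 0 ;;
        0) return 1 ;;
        *) [ -d /proc/vz ] && [ ! -d /proc/bc ] ;;
    esac
}

# rkhunter_triage < log: print the warnings the allowlist does not cover.
rkhunter_triage() {
    pkgfile=''
    while IFS= read -r line; do
        msg=${line#"["*"] "}          # strip Watchdog's "[hh:mm:ss] " prefix
        case $msg in
            "Warning: Package manager verification has failed:") ;;
            "File: "*) pkgfile=${msg#"File: "} ;;
            "The file "*" has changed")
                is_listed "$BENIGN_PKG_FILES" "$pkgfile" || echo "$pkgfile: $msg" ;;
            "Warning: The following suspicious shared memory segments"*) ;;
            "Process: "*"PID: "*" Owner: "*)
                proc=${msg#"Process: "}; proc=${proc%%"PID: "*}; proc=${proc%" "}
                owner=${msg##*" Owner: "}
                if [ -n "$proc" ]; then
                    is_listed "$BENIGN_IPC_PROC" "$proc" && continue
                else
                    is_listed "$BENIGN_IPC_USER" "$owner" && continue
                fi
                echo "shared memory segment: process=${proc:-?} owner=$owner" ;;
            "Warning: Found enabled xinetd service: "*)
                is_listed "$BENIGN_XINETD" "${msg#*"service: "}" || echo "$msg" ;;
            "Warning: No output found from the lsmod command"*)
                in_openvz || echo "$msg" ;;
            "Warning: Hidden directory found: "*)
                path=${msg#*"found: "}; path=${path%%": "*}
                is_listed "$BENIGN_HIDDEN_DIRS" "$path" || echo "$msg" ;;
            "Warning: Hidden file found: "*)
                path=${msg#*"found: "}; path=${path%%": "*}   # drop the file(1) description
                is_listed "$BENIGN_HIDDEN_FILES" "$path" || echo "$msg" ;;
            "Warning: "*) echo "$msg" ;;      # anything else is reported as-is
        esac
    done
    return 0
}

# rkhunter_allowlist_conf: the same allowlist as rkhunter.conf options, for
# hosts where rkhunter runs outside Watchdog (option names are rkhunter's).
rkhunter_allowlist_conf() {
    printf '%s\n' "$BENIGN_HIDDEN_DIRS"  | sed 's/^/ALLOWHIDDENDIR=/'
    printf '%s\n' "$BENIGN_HIDDEN_FILES" | sed 's/^/ALLOWHIDDENFILE=/'
    printf '%s\n' "$BENIGN_XINETD"       | sed 's/^/XINETD_ALLOWED_SVC=/'
    printf '%s\n' "$BENIGN_IPC_PROC"     | sed 's/^/ALLOWIPCPROC=/'
    printf '%s\n' "$BENIGN_IPC_USER"     | sed 's/^/ALLOWIPCUSER=/'
}

# Constructed sample: the article's lines plus three findings that must
# survive triage (a changed /usr/sbin/sshd, a segment owned by nobody,
# and a hidden directory under /var/tmp).
SAMPLE_LOG='[00:00:00] Warning: Package manager verification has failed:
[00:00:00] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[00:00:00] The file hash value has changed
[00:00:00] The file size has changed
[00:00:00] File: /usr/sbin/sshd
[00:00:00] The file hash value has changed
[00:00:00] Warning: The following suspicious shared memory segments have been found:
[00:00:00] Process: /usr/sbin/httpd PID: 9522 Owner: root
[00:00:00] Process: PID: 25000 Owner: psaadm
[00:00:00] Process: /usr/bin/postgres PID: 9759 Owner: postgres
[00:00:00] Process: PID: 4023 Owner: magicspam
[00:00:00] Process: PID: 4242 Owner: nobody
[00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[00:00:00] Checking loaded kernel modules [ Warning ]
[00:00:00] Warning: No output found from the lsmod command or the /proc/modules file:
[00:00:00] Warning: Hidden directory found: /dev/.udev
[00:00:00] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[00:00:00] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[00:00:00] Warning: Hidden directory found: /etc/.java
[00:00:00] Warning: Hidden file found: /etc/.updated: ASCII text
[00:00:00] Warning: Hidden directory found: /var/tmp/.hidden'

triage_sample() { printf '%s\n' "$SAMPLE_LOG" | rkhunter_triage; }

# Usage: RKH_OPENVZ=0 sh triage.sh   (or pipe a real log into rkhunter_triage)
triage_sample
```

Only the four findings that are not in the article's list come out of the triage; on an OpenVZ container (RKH_OPENVZ=1) the lsmod line is dropped as well. When rkhunter is run directly rather than through Watchdog, the lines printed by rkhunter_allowlist_conf can be appended to its rkhunter.conf, and on OpenVZ containers the loaded_modules test can additionally be listed in DISABLE_TESTS.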


Additional information

For more information about the Watchdog (System Monitoring) component, see the Plesk documentation page on Watchdog.

In Watchdog versions before 3.1, the extension used the Rootkit Hunter utility to scan the server for rootkits and malware. For more information about Rootkit Hunter, visit the Rootkit Hunter developer's web site.
