# rkhunter issues after update



## click (Dec 3, 2010)

Hi all,

I've updated rkhunter yesterday; the new port deleted my old configuration and now I'm getting some strange reports:


```
FreeBSD wolfdale 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #0: Sun Oct 10 15:57:09 EEST 2010
Rootkit Hunter 1.3.8
```



```
Warning: Differences found between sockstat and netstat output:
         Sockstat output (ports in use): 139 2094 2095 21 22 25 3306 445 47763 80
         Netstat output (ports in use): 139 2094 2095 21 22 25 3306 445 80
```

I looked into this "new" port 47763 and found it was not even a port:


```
[root@wolfdale ~/scripts]# netstat -an | grep 47763
ffffff005e78db40 stream      0      0 ffffff000b6e9000        0        0        0 /tmp/ssh-kbxohRioPN/agent.47763
[root@wolfdale ~/scripts]# sockstat -p 47763 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
click    sshd       47763 4  stream -> ??
click    sshd       47763 9  stream /tmp/ssh-kbxohRioPN/agent.47763
root     sshd       47761 5  stream -> ??
root     cron       15312 4  dgram  -> /var/run/logpriv
root     syslogd    15167 4  dgram  /var/run/log
root     syslogd    15167 5  dgram  /var/run/logpriv
88       mysqld     15088 14 stream /tmp/mysql.sock
root     cron       14818 4  dgram  -> /var/run/logpriv
root     syslogd    14621 4  dgram  /var/run/log
root     syslogd    14621 5  dgram  /var/run/logpriv
root     cron       14475 4  dgram  -> /var/run/logpriv
root     syslogd    14338 4  dgram  /var/run/log
root     syslogd    14338 5  dgram  /var/run/logpriv
root     cron       14189 4  dgram  -> /var/run/logpriv
root     syslogd    14044 4  dgram  /var/run/log
root     syslogd    14044 5  dgram  /var/run/logpriv
root     cron       13896 4  dgram  -> /var/run/logpriv
root     syslogd    13756 4  dgram  /var/run/log
root     syslogd    13756 5  dgram  /var/run/logpriv
root     cron       3173  5  dgram  -> /var/run/logpriv
smmsp    sendmail   3166  3  dgram  -> /var/run/log
root     sendmail   3162  3  dgram  -> /var/run/logpriv
root     monit      1184  3  dgram  -> /var/run/logpriv
root     syslogd    1042  4  dgram  /var/run/log
root     syslogd    1042  5  dgram  /var/run/logpriv
root     devd       859   6  stream /var/run/devd.pipe
_pflogd  pflogd     557   5  stream -> ??
root     pflogd     554   4  stream -> ??
root     pflogd     554   5  dgram  -> /var/run/logpriv
```

Is that issue observed only by me, or maybe I misconfigured something? Is it normal for portupgrade to delete the old configuration file?


----------



## SirDice (Dec 3, 2010)

click said:

> Is it normal for portupgrade to delete the old configuration file?


No, it's not customary and it's not portupgrade that does it. It's the installer.sh script from rkhunter that does this.


----------



## click (Dec 3, 2010)

Hm, that is "nice". OK, thanks for that info. Any idea which module performs the test for netstat/sockstat so I can disable it? I tried the man page and found:



> TESTS
> [This section to be written]



Which is very informative. If my logic is correct the module should be `hidden_ports`, but it is already disabled by default?


```
[root@wolfdale ~/scripts]# grep "hidden_ports" /usr/local/etc/rkhunter.conf 
DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
```


----------



## SirDice (Dec 3, 2010)

It does look that way. But I have to admit that I don't use rkhunter.


----------



## DutchDaemon (Dec 3, 2010)

`cd /usr/ports/security/rkhunter && make maintainer` should be able to address these issues.


----------



## uxp (Jan 16, 2011)

This is a month old, but I seem to have the same issue. I did notice that with sockstat, grep was able to pick up the additional "ports" not found in netstat, but they are not actual ports. They are PIDs for a process with open ports, but not the port the process is listening on. For example, right now I have a server with rkhunter complaining that 1368 is open in sockstat but not netstat. Upon grepping the output of sockstat (`sockstat | grep 1368`), I can find this line:


```
nobody   dovecot-au 1368  9  stream -> /var/run/dovecot/auth-worker.1368
```

with dovecot-auth actually listening on its correct SSL ports for my configuration, 993 and 995.

I haven't opened up rkhunter to see how it identifies the open ports, and I don't have any Linux or other *nix boxes to test if they suffer from the same mis-identification, though I'll probably put together a VM this weekend and see if I can fix it, or get a proper bug report together.

Hope this helps.


----------



## click (Jan 16, 2011)

No, it is a BSD-only issue, since sockstat is not available in Linux; I tested it and this check is bypassed.

Here is the code itself:



```
SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
NETSTAT_OUTPUT=`${NETSTAT_CMD} -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
```


in function `bsd_specific_checks()`.

So rkhunter sees:



```
[root@wolfdale ~]# sockstat | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq 
139
2094
2095
21
22
25
3306
445
80
[root@wolfdale ~]# netstat -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq
139
2094
2095
21
22
25
3306
41380
43660
445
44580
55421
63315
80
```

And it sometimes adds entries from the sockstat output if the filename ends in .NUMBER.

Since this test was useless anyway in my situation I just wiped it out. But why not fix it now:


```
netstat -an | grep "LISTEN" |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq
```


```
sockstat | grep ":" | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq
```

Here you go, but I didn't quite like it myself, so if anyone can make it simpler it will be superb.


----------



## ragnar (Nov 4, 2011)

*patch*

Hi there, I had the same issue and have already written an email to the maintainer about how to fix it; meanwhile I explain it here as well in case somebody is interested.

I just installed rkhunter-1.3.8 on FreeBSD 8.2 i386 and I got a warning about sockstat and netstat port differences. The problem seems to be the version of the sockstat command, because it now shows the protocol versions (IPv4 and/or IPv6), which makes the output not have the same number of columns, and then the awk parser doesn't recognize those services.

Example:

```
root     httpd      1448  3  tcp4 6 *:80                  *:*
```

Solution: add a replacement to make the columns fit:

```
| sed -e "s/tcp4 6/tcp4/g"
```

So the final sockstat command would look like:

```
${SOCKSTAT_CMD} ${RKHTMPVAR} | sed -e "s/tcp4 6/tcp4/g" | awk '{ print $6 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq
```

Best regards
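The two parsing problems raised in this thread (click's ".PID" suffixes on UNIX socket paths and ephemeral ports of established connections, and ragnar's extra "tcp4 6" column) can be reproduced side by side. The script below is an added example, not rkhunter's code or anything the posters wrote: it runs rkhunter 1.3.8's `awk '{ print $6 }'` / `awk '{ print $4 }'` pipeline from `bsd_specific_checks()` over constructed sockstat and `netstat -an` sample output, shows the false warning that results, and then applies a hardened parse that compares only bound, unconnected tcp/udp sockets and picks the local address relative to the end of the row so an extra column cannot shift it. The sample output, the `fixed_*` functions and `port_mismatch` are this example's own constructions.

```shell
#!/bin/sh
# Added example (not rkhunter's code): reproduce the sockstat/netstat port
# comparison of rkhunter 1.3.8's bsd_specific_checks() on constructed output,
# then parse the same output in a way that only compares bound IP sockets.

# Constructed sockstat output. Rows cover: a normal listener, ragnar's
# "tcp4 6" row (extra protocol-version column), a UDP listener, two connected
# TCP sockets, and a UNIX socket whose path ends in ".PID" (click's case).
SOCKSTAT_SAMPLE=$(cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1212  3  tcp4   *:22                  *:*
root     httpd      1448  3  tcp4 6 *:80                  *:*
root     syslogd    1042  6  udp4   *:514                 *:*
click    sshd       47763 4  tcp4   192.0.2.10:22         198.51.100.7:55421
root     fetch      2001  3  tcp4   192.0.2.10:41380      203.0.113.5:443
click    sshd       47763 9  stream /tmp/ssh-kbxohRioPN/agent.47763
88       mysqld     15088 14 stream /tmp/mysql.sock
EOF
)

# Constructed `netstat -an` output for the same sockets (FreeBSD layout).
NETSTAT_SAMPLE=$(cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
udp4       0      0 *.514                  *.*
tcp4       0      0 192.0.2.10.22          198.51.100.7.55421     ESTABLISHED
tcp4       0      0 192.0.2.10.41380       203.0.113.5.443        ESTABLISHED
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
ffffff005e78db40 stream      0      0 ffffff000b6e9000        0        0        0 /tmp/ssh-kbxohRioPN/agent.47763
EOF
)

# rkhunter's port extraction: keep the trailing number after the last ':' or
# '.', deduplicate (lexical sort, like the original), join on one line.
ports_only() {
    grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -u | xargs
}

# rkhunter 1.3.8 parse: a fixed column and no row filter, so "agent.47763"
# becomes a port, the shifted "tcp4 6" row loses port 80, and ephemeral
# local ports of outbound connections are counted.
rkh_sockstat_ports() { printf '%s\n' "$SOCKSTAT_SAMPLE" | awk '{ print $6 }' | ports_only; }
rkh_netstat_ports()  { printf '%s\n' "$NETSTAT_SAMPLE"  | awk '{ print $4 }' | ports_only; }

# Hardened parse (this example's suggestion): only tcp*/udp* rows whose
# foreign address is the wildcard, i.e. bound but not connected, and read the
# local address as the second-to-last field so an extra column cannot shift it.
fixed_sockstat_ports() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" |
        awk '$5 ~ /^(tcp|udp)/ && $NF == "*:*" { print $(NF-1) }' | ports_only
}
fixed_netstat_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk '$1 ~ /^(tcp|udp)/ && $5 == "*.*" { print $4 }' | ports_only
}

# Ports present in exactly one of two space-separated lists: the set rkhunter
# would report as "Differences found". Empty output means the lists agree.
port_mismatch() {
    for p in $1 $2; do printf '%s\n' "$p"; done | sort | uniq -u | xargs
}

echo "rkhunter 1.3.8 parse:"
echo "  sockstat: $(rkh_sockstat_ports)"
echo "  netstat:  $(rkh_netstat_ports)"
echo "  mismatch: $(port_mismatch "$(rkh_sockstat_ports)" "$(rkh_netstat_ports)")"
echo "hardened parse:"
echo "  sockstat: $(fixed_sockstat_ports)"
echo "  netstat:  $(fixed_netstat_ports)"
echo "  mismatch: [$(port_mismatch "$(fixed_sockstat_ports)" "$(fixed_netstat_ports)")]"
```

On the constructed input the rkhunter-style parse reports 47763 and 80 as differences although neither is a hidden port, while the hardened parse yields the same three ports (22, 514, 80) from both tools. To run the same comparison on a live host, feed the functions the output of `sockstat -4 -6 -l` and `netstat -an` instead of the embedded samples; the filter on the wildcard foreign address is what keeps established connections and their ephemeral local ports out of the comparison.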


----------



## ragnar (Aug 5, 2015)

Under some circumstances the lines above couldn't fix the issue, so I found another parse command:


```
SOCKSTAT_OUTPUT=`echo "${SOCKSTAT_OUTPUT}" | sockstat | grep "[t|u][c|d]p" | cut -c 37- | awk '{print $1}' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
```

Regards


----------

