
So I just installed and ran rkhunter which shows me green OKs / Not founds for everything except for: /usr/bin/lwp-request, like so:

/usr/bin/lwp-request                                     [ Warning ]

In the log it says:

Warning: The command '/usr/bin/lwp-request' has been replaced by a 
   script: /usr/bin/lwp-request: Perl script text executable

I already ran rkhunter --propupd and sudo apt-get update && sudo apt-get upgrade which didn't help. I installed Debian 9.0 just a few days ago and am a newcomer to Linux.

Any suggestions on what to do?


Edit: Furthermore, chkrootkit gives me this:

The following suspicious files and directories were found:

/usr/lib/mono/xbuild-frameworks/.NETPortable 
/usr/lib/mono/xbuild-frameworks/.NETPortable/v5.0/SupportedFrameworks/.NET Framework 4.6.xml 
/usr/lib/mono/xbuild-frameworks/.NETFramework
/usr/lib/python2.7/dist-packages/PyQt5/uic/widget-plugins/.noinit 
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/mono/xbuild-frameworks/.NETPortable
/usr/lib/mono/xbuild-frameworks/.NETFramework

I guess that's a separate question? Or is this no issue at all? I don't know how to check if these files/directories are ok and needed.

Edit: Note I once also got warnings for "Checking for passwd file changes" and "Checking for group file changes" even though I didn't change any such afaik. An earlier and later scan showed no warnings - these just showed once. Any ideas?

slm
mYnDstrEAm
  • lwp-request is supposed to be a Perl script, so that's an odd warning. – derobert Jun 27 '17 at 17:36
  • @derobert Do you get the same error then? Also the warning is imo about it having gotten replaced (to another perl script I guess) - not about it being a perl script. I copied its contents here: https://pastebin.com/bSLivGvz – mYnDstrEAm Jun 27 '17 at 17:47
  • I get the same warning on my Debian testing box. Your pastebin matches my copy of lwp-request too (though with line-ending changes, which I presume came from pastebin). So I suspect false alarm. – derobert Jun 27 '17 at 17:54

2 Answers


rkhunter needs to know what package manager you are using.

Create or edit /etc/rkhunter.conf.local and add the following line:

PKGMGR=DPKG

If you are not on Debian or Ubuntu, then change DPKG for your actual package manager.

This way, rkhunter will know to expect those executables to be scripts, and not flag the false positive.

It will ensure that if the files are tampered with, then a new positive result will show.

MacroMan
  • Great; but why can't I set it to "APT-GET"? (relevant question) And what's it using by default for checking the hashes if that's not DPKG for Debian? (No value, or a value of 'NONE', indicates that no package manager is to be used.) – mYnDstrEAm Mar 15 '18 at 16:36
  • @mYnDstrEAm rkhunter doesn't recognise apt as a package manager. dpkg is also a valid package manager on all systems that have apt (unless removed). I think the default value is RPM – MacroMan Mar 15 '18 at 16:42
  • @MacroMan The default value stated in the man page is NONE – Adam Spiers Jan 01 '19 at 13:33
  • The comments in rkhunter.conf state: "# NONE is the default for Debian as well, as running --propupd takes about 4 times longer when it's set to DPKG". See: https://github.com/crunchsec/rkhunter/blob/master/files/rkhunter.conf. It seems there is no need to set PKGMGR option – Nadir Latif Apr 15 '19 at 11:54
  • Dpkg is the package manager, while apt(-get) is the frontend handling copying of packages from remote hosts, automatic dependency downloads, and more. Same as Yum is a frontend to rpm. – PoC Apr 11 '20 at 10:40
  • rkhunter could have a simple installation script to detect the Linux distro and then set variables accordingly. It would save us a lot of time with false positives. – João Pimentel Ferreira Nov 15 '21 at 10:26

As mentioned on https://metacpan.org/pod/lwp-request, lwp-request is a script that allows making HTTP requests to web servers. It is not malicious and so the error can be ignored.

To suppress the error you need to allow the /usr/bin/lwp-request command to be used as a script. This can be done by adding the line:

SCRIPTWHITELIST=/usr/bin/lwp-request

to the /etc/rkhunter.conf or /etc/rkhunter.conf.local file. See the SCRIPTWHITELIST option in the rkhunter.conf configuration file.

This solution was mentioned on the Linux Mint forums.

Nadir Latif
  • And what if someone manages to replace lwp-request with a malicious script? Please be extra cautious using this suggestion. It leaves you vulnerable! – MacroMan Aug 23 '19 at 08:44
  • @MacroMan yeah but it's the only known way to get rkhunter to stop giving spurious warnings about these files ... So blame rkhunter. – spinkus Nov 11 '20 at 05:26
  • @spinkus No, it's not. Let rkhunter know your package manager as per my answer and the warning will go away. Whitelisting something you don't control is just opening a vulnerability. – MacroMan Nov 12 '20 at 09:11