2015-03-03 90 views
3

I just discovered rkhunter and decided to run a scan on my CentOS dedicated server. No rootkits were found (thank goodness), but there were warnings. I'm just curious whether anyone has run into these, and whether this is something I should worry about or investigate further. 5 warnings came up; should I be concerned?

Below are the warnings I received from rkhunter:

[22:01:58] /sbin/ifdown         [ Warning ] 
[22:01:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable 

[22:01:58] /sbin/ifup          [ Warning ] 
[22:01:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable 

[22:02:05] /usr/bin/GET         [ Warning ] 
[22:02:05] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable 

[22:02:05] /usr/bin/ldd         [ Warning ] 
[22:02:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable 

[22:02:07] /usr/bin/whatis         [ Warning ] 
[22:02:07] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable 

[22:03:03] Info: SCAN_MODE_DEV set to 'THOROUGH' 
[22:03:05] Checking /dev for suspicious file types   [ Warning ] 
[22:03:05] Warning: Suspicious file types found in /dev: 
[22:03:05]   /dev/md/autorebuild.pid: ASCII text 
[22:03:05]   /dev/md/md-device-map: ASCII text 
[22:03:05]   /dev/.udev/queue.bin: Applesoft BASIC program data 
[22:03:05]   /dev/.udev/db/block:md0: ASCII text 
[22:03:05]   /dev/.udev/db/block:md1: ASCII text 
[22:03:05]   /dev/.udev/db/block:sda1: ASCII text 
[22:03:05]   /dev/.udev/db/net:eth1: ASCII text 
[22:03:05]   /dev/.udev/db/net:eth0: ASCII text 
[22:03:05]   /dev/.udev/db/block:sdb3: ASCII text 
[22:03:05]   /dev/.udev/db/block:sdb1: ASCII text 
[22:03:05]   /dev/.udev/db/block:sda3: ASCII text 
[22:03:05]   /dev/.udev/db/block:sda2: ASCII text 
[22:03:05]   /dev/.udev/db/block:sdb2: ASCII text 
[22:03:05]   /dev/.udev/db/input:event2: ASCII text 
[22:03:05]   /dev/.udev/db/input:event0: ASCII text 
[22:03:05]   /dev/.udev/db/block:sda: ASCII text 
[22:03:05]   /dev/.udev/db/block:sdb: ASCII text 
[22:03:05]   /dev/.udev/db/input:event4: ASCII text 
[22:03:05]   /dev/.udev/db/input:mouse1: ASCII text 
[22:03:05]   /dev/.udev/db/input:event3: ASCII text 
[22:03:05]   /dev/.udev/db/input:event1: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram9: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram8: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram4: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram5: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram7: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram6: ASCII text 
[22:03:05]   /dev/.udev/db/block:ram3: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram2: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram15: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram14: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram13: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram12: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram0: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram1: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram11: ASCII text 
[22:03:06]   /dev/.udev/db/block:ram10: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop7: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop3: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop5: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop4: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop6: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop1: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop2: ASCII text 
[22:03:06]   /dev/.udev/db/block:loop0: ASCII text 
[22:03:06]   /dev/.udev/db/usb:2-1: ASCII text 
[22:03:06]   /dev/.udev/db/usb:1-1: ASCII text 
[22:03:06]   /dev/.udev/db/usb:3-7.1: ASCII text 
[22:03:06]   /dev/.udev/db/usb:3-7: ASCII text 
[22:03:06]   /dev/.udev/db/usb:usb1: ASCII text 
[22:03:06]   /dev/.udev/db/usb:usb3: ASCII text 
[22:03:06]   /dev/.udev/db/usb:usb4: ASCII text 
[22:03:06]   /dev/.udev/db/usb:usb2: ASCII text 
[22:03:06]   /dev/.udev/rules.d/99-root.rules: ASCII text 

[22:03:06] Checking for hidden files and directories  [ Warning ] 
[22:03:06] Warning: Hidden directory found: /dev/.mdadm 
[22:03:06] Warning: Hidden directory found: /dev/.udev 
[22:03:06] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression 
[22:03:06] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression 
[22:03:06] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression 
[22:03:06] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text 
[22:03:06] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text 
[22:03:06] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text 

Answers

1

ifdown, ldd and so on are bash shell scripts that can be executed directly by the shell.

file /sbin/ifdown 

will give you the details.

Of course, there are some hidden files (with a leading dot in their names) and dev files that trigger warnings; it is normal.

+0

Thanks for your reply, I would upvote your comment, but someone keeps downvoting my question... so I'll never reach level 15, it seems... – x80 2015-03-05 00:12:19

1

Running CentOS 7.3 1611 here and recently found rkhunter warnings for some commands too:

Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable 
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable 
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable 
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable 

First, I found out which packages the commands belong to:

# rpm -qf /usr/sbin/ifdown /usr/sbin/ifup /usr/bin/egrep /usr/bin/fgrep 
initscripts-9.49.37-1.el7_3.1.x86_64 
initscripts-9.49.37-1.el7_3.1.x86_64 
grep-2.20-2.el7.x86_64 
grep-2.20-2.el7.x86_64 

Then I verified those packages:

# rpm -V initscripts grep && echo OK 
OK 

Finally, I added these lines to /etc/rkhunter.conf.local to disable these warnings:

SCRIPTWHITELIST=/usr/sbin/ifdown 
SCRIPTWHITELIST=/usr/sbin/ifup 
SCRIPTWHITELIST=/usr/bin/fgrep 
SCRIPTWHITELIST=/usr/bin/egrep 

And checked again:

# rkhunter --check --rwo && echo OK 
OK 

Hope this helps!
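The triage this answer does by hand (extract the flagged paths, rpm -qf, rpm -V, then SCRIPTWHITELIST), as an added shell example that is not part of either answer. It assumes an RPM-based host such as CentOS for the verification step, uses constructed sample warning lines modelled on the output quoted above, and goes one step further than the answer by refusing to emit a whitelist for any path that is unowned or whose package fails verification.

```shell
# Added example, not from the answers above: scripted triage of rkhunter
# "replaced by a script" warnings. Assumes rpm is available for verification;
# parsing and whitelist generation need only sed/awk.
# Constructed sample warning lines, modelled on the output quoted on the page.
SAMPLE_WARNINGS="Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text"
# Print the path from each "replaced by a script" warning on stdin, one per line.
extract_replaced_paths() {
    sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script:.*$/\1/p"
}
# For each path on stdin print "<path> <package>", or "<path> UNOWNED" (rpm -qf).
owning_packages() {
    while IFS= read -r path; do
        pkg=$(rpm -qf "$path" 2>/dev/null) || pkg=UNOWNED
        printf '%s %s\n' "$path" "$pkg"
    done
}
# rpm -V every owning package; fail if any package is modified or any path is
# unowned, so a genuinely replaced binary is never whitelisted by mistake.
verify_packages() {
    owned=$(owning_packages)
    status=0
    if printf '%s\n' "$owned" | grep -q ' UNOWNED$'; then
        printf '%s\n' "$owned" | grep ' UNOWNED$' | sed 's/^/NOT OWNED: /'
        status=1
    fi
    for pkg in $(printf '%s\n' "$owned" | awk '$2 != "UNOWNED" {print $2}' | sort -u); do
        if rpm -V "$pkg"; then echo "OK $pkg"; else echo "MODIFIED $pkg"; status=1; fi
    done
    return $status
}
# Turn verified paths on stdin into lines for /etc/rkhunter.conf.local.
whitelist_lines() {
    sed 's/^/SCRIPTWHITELIST=/'
}
# Full triage: only print the whitelist when every package verifies cleanly.
triage() {
    paths=$(printf '%s\n' "$SAMPLE_WARNINGS" | extract_replaced_paths)
    printf '%s\n' "$paths" | verify_packages || return 1
    printf '%s\n' "$paths" | whitelist_lines
}
# Stand-alone run: the rpm steps are only attempted where rpm exists.
if command -v rpm >/dev/null 2>&1; then
    triage || echo "whitelist withheld: investigate the packages listed above" >&2
else
    printf '%s\n' "$SAMPLE_WARNINGS" | extract_replaced_paths | whitelist_lines
fi
```

After appending the printed lines to /etc/rkhunter.conf.local, re-run `rkhunter --check --rwo` as the answer does to confirm the warnings are gone.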
