Solved

help with chkrootkit

Posted on 2004-08-25
Last Modified: 2013-11-18
I did what you experts told me to by running chkrootkit; it's a good tool.
I ran it in quiet mode so it would only come up with infected messages. I got this below. Could someone tell me what it means and what I should do about the text below? Also, can I tell when this started?

[root@linbox chkrootkit-0.43]# ./chkrootkit -q

/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
eth0: PF_PACKET(/usr/local/bin/snort)

Question by:jaxxman

LVL 4

Expert Comment

by:bobgunzel
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist  -- Can be ignored.

./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected  -- Error message generated by test. Check the /www/cgi-bin directory manually for the presence of files you didn't install yourself, such as the ones mentioned in line 720 of the chkrootkit script.

eth0: PF_PACKET(/usr/local/bin/snort) -- You're running the snort IDS.

Bob gunzel

Author Comment

by:jaxxman
Thank you for your reply, but I am not sure how to check and fix the "Error message generated by test".

Here is the list of files in /www/cgi-bin. Not sure why it says "total 8" as I can only see two files.

[root@linbox cgi-bin]# cd /www/cgi-bin
[root@linbox cgi-bin]# ll
total 8
-rw-r--r--    1 1000     users         274 Mar 31  2000 printenv
-rw-r--r--    1 1000     users         757 Aug 24  1999 test-cgi

Below are the contents of the test-cgi file:

[root@linbox cgi-bin]# pico test-cgi

#!/bin/sh

# disable filename globbing
set -f

echo Content-type: text/plain
echo

echo CGI/1.0 test script report:
echo

echo argc is $#. argv is "$*".
echo

echo SERVER_SOFTWARE = $SERVER_SOFTWARE
echo SERVER_NAME = $SERVER_NAME
echo GATEWAY_INTERFACE = $GATEWAY_INTERFACE
echo SERVER_PROTOCOL = $SERVER_PROTOCOL
echo SERVER_PORT = $SERVER_PORT
echo REQUEST_METHOD = $REQUEST_METHOD
echo HTTP_ACCEPT = "$HTTP_ACCEPT"
echo PATH_INFO = "$PATH_INFO"
echo PATH_TRANSLATED = "$PATH_TRANSLATED"
echo SCRIPT_NAME = "$SCRIPT_NAME"
echo QUERY_STRING = "$QUERY_STRING"
echo REMOTE_HOST = $REMOTE_HOST
echo REMOTE_ADDR = $REMOTE_ADDR
echo REMOTE_USER = $REMOTE_USER
echo AUTH_TYPE = $AUTH_TYPE
echo CONTENT_TYPE = $CONTENT_TYPE
echo CONTENT_LENGTH = $CONTENT_LENGTH

======================================================================
this is the other file

#!/usr/local/bin/perl
##
##  printenv -- demo CGI program which just prints its environment
##

print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";
}


Could you help me with a couple of questions below, please?
I can't find the file which contains lines 720 and 725.
When I run chkrootkit, how can I write it to a log file?
And finally, my network card seems to be in promisc mode. How can I turn this off? Is it enabled because of snort? Is it dangerous for a network card to have promisc mode enabled?


LVL 4

Expert Comment

by:bobgunzel
The cgi scripts are the standard ones installed with apache.  Why you get a total of 8 files when there are only 2, I don't know. It is certainly strange. As you don't need the scripts, delete them: rm * and run ls again.
The file is chkrootkit itself, and line 720 lists a number of backdoor scripts.
The promiscuous mode is activated by snort in order to capture packets that are not directed to the IP address of eth0.
However, I get the idea you didn't install snort yourself. If it didn't come with the distribution it may have been installed by an intruder, in which case it is probably running in sniffer mode. Then any password you use over the net may be compromised.

Bob Gunzel

Author Comment

by:jaxxman
Are the files hidden, is that why I get 8? How do I show all files?
So I delete all files like so:
[root@linbox cgi-bin]# ll
total 8
-rw-r--r--    1 1000     users         274 Mar 31  2000 printenv
-rw-r--r--    1 1000     users         757 Aug 24  1999 test-cgi
[root@linbox cgi-bin]# rm *
rm: remove regular file `printenv'? y
rm: remove regular file `test-cgi'? y
[root@linbox cgi-bin]# ll
total 0
[root@linbox cgi-bin]#

Now when I run ./chkrootkit -q I still get:

/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /www/cgi-bin: binary operator expected
eth0: PF_PACKET(/usr/local/bin/snort)
[root@linbox chkrootkit-0.43]#
and line 725 of the chkrootkit file says:

  this is line 725      [ -f ${CGIDIR}/$i ] && files="${files} ${CGIDIR}/$i"
   done
   if [ "${files}" = ""  ]; then
     if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   else
                          [ line 725 of 2517 (28%), character 23951 of 67736 (35%) ]

What does line 725 mean?

Yes, I did install snort myself, but the instructions only told me how to install snort, not how to use it. Are you any good with snort?

LVL 4

Expert Comment

by:bobgunzel
Line 725 does a search for various backdoor cgi scripts. The error message is probably because ${CGIDIR}/$i is an empty string. Try putting it in between quotes: "${CGIDIR}/$i" and see if that helps.
.packlist is marked as a suspicious file. Chkrootkit does that with all files starting with a dot. In this case the file is a regular part of the perl installation.
The standard way to use snort is: snort -A full -D. It will log all suspect activity, usually in /var/log/snort. Be prepared for a lot of false positives. You may want to comment out various lines in the rule set, especially alerts for intrusion attempts of programs you don't run anyway, such as MS-SQL attempts.

Bob Gunzel
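
The "binary operator expected" message from line 725 can be reproduced whenever the unquoted expansion splits into more than one word before [ receives it. The script below is an added example, not chkrootkit's own code apart from the test expression quoted in this thread; the two-directory CGIDIR value and the file name backdoor.cgi are constructed, and how chkrootkit 0.43 actually sets CGIDIR is not shown here. It also shows that quoting removes the error without making the check find the file, which matters when the line belongs to a detection tool.

```shell
#!/bin/sh
# Added example. The CGIDIR value and the file name are constructed; only the
# two forms of the test expression come from the thread.

# Original line 725: the expansion is word-split before [ receives it.
check_unquoted() {
    CGIDIR=$1; i=$2
    [ -f ${CGIDIR}/$i ]
}

# Line 725 after the edit made in the thread: [ always receives exactly one word.
check_quoted() {
    CGIDIR=$1; i=$2
    [ -f "${CGIDIR}/$i" ]
}

# Alternative: treat CGIDIR as a list and test every directory on its own.
check_each_dir() {
    CGIDIR=$1; i=$2
    for d in ${CGIDIR}; do
        [ -f "$d/$i" ] && return 0
    done
    return 1
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/www/cgi-bin" "$tmp/home/httpd/cgi-bin"
    : > "$tmp/home/httpd/cgi-bin/backdoor.cgi"        # file the scan should report
    dirs="$tmp/www/cgi-bin $tmp/home/httpd/cgi-bin"   # two directories in one variable

    rc=0; check_unquoted "$dirs" backdoor.cgi || rc=$?
    echo "unquoted: exit $rc  (usage error from [, file not recorded)"
    rc=0; check_quoted "$dirs" backdoor.cgi || rc=$?
    echo "quoted:   exit $rc  (no error, but no such single path, file still missed)"
    rc=0; check_each_dir "$dirs" backdoor.cgi || rc=$?
    echo "per-dir:  exit $rc  (file found)"
    rm -rf "$tmp"
}

demo
```

After silencing an error like this in a scanner, place a harmless file with one of the names from line 720 in the CGI directory and confirm the scan reports it.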

Author Comment

by:jaxxman
OK, this is line 725 before I changed it:-
[ -f ${CGIDIR}/$i ] && files="${files} ${CGIDIR}/$i"
and this is the line after:-
[ -f "${CGIDIR}/$i" ] && files="${files} ${CGIDIR}/$i"

I then ran ./chkrootkit and got
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

eth0: PF_PACKET(/usr/local/bin/snort)

So thanks for that, Bob, you deserve all my points.


When I type snort -A full -D I get all the snort filter options coming up like so:-

[root@linbox chkrootkit-0.43]# snort -A full -D

-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes

and the list goes on.
When I start up my Linux PC snort starts at the beginning, therefore is it not already running as a daemon in the background, so is there still a need for -D?

And when I use -A, how do I check to see what mode it was in before or what mode it's in now?

I had a look in the snort log and there is a lot of stuff in there that makes no sense to me. How can I set snort up so it will email me the instant I get an attack, or a warning is written to the command line or a separate simple log?
Can you help with this?


LVL 4

Accepted Solution

by:
bobgunzel earned 250 total points
You don't want to get a mail for every alert. Even with many alerts turned off, snort generates 15 alerts per day on our system. When code red hit the net that turned into 10 or more per hour. If  you insist, you must write a script that checks the log directory every hour and mails all new entries to you. Imagine what your inbox will look like after a holiday. Aside from generating separate entries for each alert, snort also writes to a combined log called alert. It's a lot easier to scroll through the combined alert log. It is a good idea to rotate the log every month. Otherwise you'll get stuck with an enormous file.
You can also put it on the web as I do and view it with a browser (http://ns1.bmcadvies.com).

Author Comment

by:jaxxman
The inbox is not a problem as I have an email account which only receives alerts. Could you help me write a script? And if I don't use the script, I know that the script would be useful for something.

As I am new to snort, I am finding it difficult to understand the benefits of snort, as snort is an IDS which just detects. I think I would be more suited with an IPS, which prevents intrusions, and I would sleep better. I did read somewhere that 1 prevention is better than 10 detections. Would you agree?

Can you recommend one?

LVL 4

Expert Comment

by:bobgunzel
You can compile snort with the flex-response option. With that snort can kill active connections.
In addition to snort you can run a file integrity checker such as tripwire.
As to a script, the easiest way would be to make a new directory to store the alerts after mailing them, say /var/log/alerts. The script would be something like this:

for i in `ls /var/log/snort|fgrep -v alert` # list all files except the combined alert file
do
mail -s "snort alert" -a /var/log/snort/$i  you@yourdomain  #mail them
mv /var/log/snort/$i /var/log/alerts  #move them so they won't be mailed again
done
 
Put the script in crontab and run it f.i. every hour.

Author Comment

by:jaxxman
OK thanks, you have been a great help, but what about the question on IPS?

LVL 4

Expert Comment

by:bobgunzel
As far as I know there is no waterproof IPS around. Intrusion prevention is more a practice than a piece of software and includes:
not running any services that you don't need
getting the latest updates for the services you do need
restricting access to services to certain IP addresses and/or time periods if they are not meant for everyone

Author Comment

by:jaxxman
Then that's it!!!
Let's make an IPS.
Something that, when turned on, monitors all ports, and anything sent to these ports which is not recognized or is illegal it traces automatically and tells you straight away by pop-up or whatever means you like. The warning will also give you options to block or respond back.

Ignore me if it does not make sense, as there are a lot of details I missed out.

JAXXMAN

Expert Comment

by:Xenmaster
Allow me to suggest another tool as well:

rootkithunter

http://rootkit.nl/

It is constantly updated, simple to install and run and can e-mail results/problems to any e-mail address you specify.

Author Comment

by:jaxxman
Could not get your link to work.

I will try it when I download it. Thanks for the comment.

Do you use it?
And does it have documentation on how to get the best from it?

Expert Comment

by:Xenmaster
Try the link to Freshmeat instead:

http://freshmeat.net/projects/rkhunter/

Here's a single line you can use to install and run rkhunter for the first time.

Make sure you are logged in as root (it's best not to SU to root) before you run this:

cd ~; rm -Rf rkh*; wget http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz; tar zxf rkhunter-*.tar.gz; cd rkhunter; ./installer.sh; rkhunter --update; rkhunter -c --cronjob; crontab -e; cd ..; rm -Rf rkhunter*

That fetches the latest version, installs it, updates the databases it uses, runs it for the first time (which will also create some comparison files it uses for future scans) and then brings up your crontab so you can add it there (so it gets run as often as you want it to). Afterwards, it cleans up the installer files.

When the crontab is up, you can add something like the following two lines:

44 5 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1
45 5 * * * /usr/local/bin/rkhunter -c --cronjob

The first line runs the rootkit database update routine which checks with a mirror to make sure rkhunter's databases are up-to-date at 5:44 am each morning.

The second line, actually runs rootkithunter. The --cronjob option tells rootkithunter to not wait for user input and to forego the pretty colors it usually uses (ideal for running via cronjobs).

Feel free to edit these examples as you see fit. Your average rootkithunter report can take anywhere from 20 - 90 seconds to run, depending on your server's current load. When running, rkhunter doesn't use a lot of load itself, so it's safe to run almost anytime.

By default, the output from rkhunter's cronjob run will be e-mailed to root (or wherever you specify).

It should be noted that if you really have an aversion to seeing the entire report, you can add --report-mode to any rootkithunter run and it will only e-mail the issues that it discovers.

I can't say I recommend --report-mode because as of right now, the reports it generates aren't as useful as they could be. For example, if a binary fails a hash test you will see the output [BAD] in the resulting --report-mode report WITHOUT telling you WHAT is [BAD]. This has been reported to the author and I don't doubt he will fix it soon. In any case, you shouldn't use --report-mode unless you are very comfortable with the standard output.

You can also edit the rootkithunter configuration file to have it e-mail you if there are problems (separately from the cronjob output e-mail).

The config file can typically be found here:

/usr/local/etc/rkhunter.conf

Edit this part near the beginning of the file:

# Send a warning message to the admin when one or more warnings
# are available (rootkit and MD5 check). Note: uses default `mail`
# commmand to send the warning message.
MAIL-ON-WARNING=youremailaddress@goes-here.com

You can also create an in-depth logfile that will explicitly tell you what files are scanned and exactly what problems are discovered (if any). To use it, add:

--createlogfile

to the rkhunter run and a logfile will automatically be created and you will be informed of the location (usually /var/log/....)

If you want to run rkhunter immediately, just type:

rkhunter -c

if you SU to root, you'll probably have to specify the whole path to rkhunter on your system.

When you run it like this, you will see color and be asked to press ENTER between test sections.

Make sure you are always using the latest binary version by running:

rkhunter --versioncheck

If there is a new version, just download and install rkhunter again (edit the version # if you use the commands above). Keep in mind that rkhunter --update DOES NOT update the binaries if there is a new version, it only downloads and installs the latest rkhunter databases.

If you want to learn more about running rkhunter, visit here:

http://www.rootkit.nl/articles/rootkit_hunter_usage.html

Also if you subscribe to the project at freshmeat, you will be notified via e-mail when a new version is released.

Hope this helps.

Author Comment

by:jaxxman
Yes, that's a great help. Thanks.

When you say new version, would running up2date -u
not update it to the latest version?

Expert Comment

by:Xenmaster
No it doesn't. RedHat doesn't maintain RPMs for it.

If you wanted it to be more automated, you could probably set up a shell script of some sort to check the output of --versioncheck and download and install the latest version returned, but that's not my area of expertise.

Author Comment

by:jaxxman
What does this bit mean, please?

/dev/null 2>&1

Expert Comment

by:Xenmaster
That ignores (trashes) the results of the command instead of mailing them to you as it normally would.

Author Comment

by:jaxxman
OK thanks, I ran your instruction:
 wget http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz; tar zxf rkhunter-*.tar.gz; cd rkhunter; ./installer.sh; rkhunter --update; rkhunter -c --cronjob; crontab -e; cd ..; rm -Rf rkhunter*


When the crontab came up I tried to paste this:
44 5 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1

and this is what I got. Please can you help?

~
~
~
Pattern not found: usr


I have left my PC at this stage and await your help, please.


Author Comment

by:jaxxman
I tried typing a : in front of the line

:44 5 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1

and got this below

~
~
~
E16: Invalid range

Expert Comment

by:Xenmaster
Perhaps the rkhunter binary has been installed in a different location on your server:

locate rkhunter

should find it. Edit crontab as needed.

Author Comment

by:jaxxman
Not much experience with vi or cron,
so I quit out of vi and it said crontab not modified.
I ran some tests and got some vulnerabilities, so I am just editing the conf file so I can have the file auto-mailed to me.

Can I add root instead of a full email address, and do I use ; in between adding another email address?

Need step-by-step instructions on how to edit crontab.

Expert Comment

by:Xenmaster
To change your default editor on most versions of Linux, you just change the EDITOR variable.

First, locate pico:

locate pico

It will probably be at /usr/bin/pico or something like that.

Assuming you are logged in as root and are using BASH as your shell, edit the .bash_profile file:

(from root directory)

pico -w .bash_profile

Scroll down a bit and you'll probably see something that looks more or less like this:

# User specific environment and startup programs

PATH=$PATH:$HOME/bin
BASH_ENV=$HOME/.bashrc
USERNAME="root"

export USERNAME BASH_ENV PATH

Your bash profile may be different, so don't get hung up if it doesn't match.

The important thing is to look for where environmental variables are set, scroll to the end of the list. In the example above, you would scroll down to the line after USERNAME="root"

Add:

EDITOR=/usr/bin/pico

Change the path to match where pico is on your system.

If you already see a line that sets the EDITOR=something in this file, don't add another, edit the existing one to point to pico

Then add EDITOR to the export command. In my example, it would be "export USERNAME BASH_ENV PATH EDITOR"

Depending on your bash profile, each item might have its own export line. If so, just add:

export EDITOR

to the file.

CTRL-X, Y, ENTER to save the file.

To make this change active for the current session, type the following:

EDITOR=/usr/bin/pico
export EDITOR

(change the path to pico to reflect its location on your server)

Now type crontab -e

Does this look familiar? If you did everything right, you should be in pico rather than vi.

The crontab is just a list of cronjobs to be run. If you want to learn how to format cronjobs, try the cronjob generator at http://htmlbasix.com/

Just make changes you need to and press CTRL-X, Y, ENTER to save the changes. If you haven't made any changes or if you don't save the changes, then you will be told no changes were made to the crontab.

Aric

Please note, you may need to add the full path to pico to get this to work...

If so,

Author Comment

by:jaxxman
Yes, it opened a file called crontab.1439
but it was blank, so I added

15 17 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1
20 17* * * /usr/local/bin/rkhunter -c --cronjob

crontab: installing new crontab
[root@linbox root]#

When I run crontab -e again the file number changes. Why?

Author Comment

by:jaxxman
I have just been emailed by the cron daemon. What does this mean:-

FROM: Cron Daemon root@localhost.localdomain
SUBJECT: Cron <root@linbox> -c --cronjob

content of email

/bin/sh: - : invalid option
Usage:      /bin/sh [GNU long option] [option] ...
      /bin/sh [GNU long option] [option] script-file ...
GNU long options:
      --debug
      --dump-po-strings
      --dump-strings
      --help
      --init-file
      --login
      --noediting
      --noprofile
      --norc
      --posix
      --rcfile
      --rpm-requires
      --restricted
      --verbose
      --version
      --wordexp
Shell options:
      -irsD or -c command or -O shopt_option            (invocation only)
      -abefhkmnptuvxBCHP or -o option

Expert Comment

by:Xenmaster
20 17* * * /usr/local/bin/rkhunter -c --cronjob

You forgot a space, it should be:

20 17 * * * /usr/local/bin/rkhunter -c --cronjob

See if that helps.
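
Why the missing space produced a mail with the subject "-c --cronjob": the first five whitespace-separated fields of an entry are taken as the schedule and whatever is left is handed to /bin/sh. The helper below is an added example, not part of the original answer and not cron's own parser; it models only that whitespace split and numeric schedule syntax (no month or weekday names), and the function names cron_command and cron_check are made up for illustration.

```shell
#!/bin/sh
# Added example: model how a crontab entry is split into schedule and command.

# Print what is left after the five schedule fields, i.e. the command.
cron_command() {
    set -f                 # fields contain '*', so disable globbing while splitting
    set -- $1
    set +f
    [ $# -ge 6 ] || return 1
    shift 5
    printf '%s\n' "$*"
}

# Return 0 if all five schedule fields are numbers, '*', ranges, lists or steps;
# otherwise name the first field that is not and return 1.
cron_check() {
    set -f
    set -- $1
    set +f
    if [ $# -lt 6 ]; then
        echo "fewer than five schedule fields plus a command"
        return 1
    fi
    unit='(\*|[0-9]+(-[0-9]+)?)(/[0-9]+)?'
    n=1
    for field in "$1" "$2" "$3" "$4" "$5"; do
        if ! printf '%s\n' "$field" | grep -Eq "^$unit(,$unit)*\$"; then
            echo "field $n is not valid schedule syntax: $field"
            return 1
        fi
        n=$((n + 1))
    done
    return 0
}

# The two entries quoted in the thread.
bad='20 17* * * /usr/local/bin/rkhunter -c --cronjob'
good='20 17 * * * /usr/local/bin/rkhunter -c --cronjob'

for entry in "$bad" "$good"; do
    echo "entry:   $entry"
    cron_check "$entry" || true
    echo "command: $(cron_command "$entry")"
done
```

Running a check like this on a line before pasting it into crontab -e catches the shifted fields before cron mails the error.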

Author Comment

by:jaxxman
Thanks.
When I run crontab -e again the file number changes. Why?
I don't seem to be getting the log emailed to me; all I get is an email with the contents below:

FROM: root [root@localhost.localdomain]
SUBJECT:[rkhunter] Warnings found for linbox
Please inspect this machine, because it can be infected

I am also seeing 4 application vulnerabilities, but when I run up2date -u
it says all packages are up to date. I did read somewhere that this is because redhat don't update the binaries.
How can I resolve this?

When updating rkhunter, do I just install it like the first one so it overwrites the old files, and will it keep my current config?

You have been a great help to me.
Tariq

Expert Comment

by:Xenmaster
Because the file you are editing is a temporary file. The changes you make get merged in with the real cron files after you save the changes and exit and the temp file is deleted.

I don't know what version of Red Hat Linux you are using, nor what files are being reported as being vulnerable, but RH does sometimes backport security fixes to older (what they consider more stable) versions; in other cases it may be a real vulnerability. There's no way for rkhunter to tell which might be the case, but it always errs on the side of caution.

If you are uncertain whether a reported version really is vulnerable in your case, I recommend contacting your NOC where your server is located and ask them about it. Depending on your service level, they may even handle upgrading if needed.


Author Comment

by:jaxxman
Since correcting the error in the cron I have been emailed the log.
I am using redhat 9.0
   - GnuPG 1.2.1   [ Vulnerable ]
   - Apache 2.0.40   [ Vulnerable ]
   - Bind DNS [unknown]   [ OK ]
   - OpenSSL 0.9.7a   [ Vulnerable ]
   - Procmail MTA 3.22   [ OK ]
   - OpenSSH 3.5p1   [ Vulnerable ]

These all look like the up-to-date versions. Can you help?
I would like to give you more points. Should I start a new question?

Expert Comment

by:Xenmaster
RedHat 9 has been end-of-lifed by Red Hat, they want you to upgrade your OS to the free Fedora Core or the expensive RH Enterprise Linux 3.x if you want continued support.

I don't have any servers that use that version of RH Linux, so I can't tell you for certain if any of those have backported for that OS or not, but I can tell you that I'm pretty sure not ALL of them have been backported to the latest versions.

Apache 2 is up to v2.0.51 - http://httpd.apache.org/
OpenSSL is up to v0.9.7d - http://www.openssl.org/
OpenSSH is up to v3.9p1 - http://www.openssh.com/portable.html

If you are looking to upgrade your server to a better supported version of Linux, I recommend the excellent CentOS 3.x.

http://www.centos.org/index.php?option=displaypage&Itemid=62&op=page&SubMenu=

CentOS 3.x is a 100% compatible, totally free (open source) version of Red Hat's premium server OS, Red Hat Enterprise Linux 3.x. CentOS is designed to be completely compatible with RHEL and is well supported.

If your NOC isn't willing to do the upgrade to CentOS for you, there are a few places, like http://rack911.com/ that offer a relatively inexpensive RH 9 --> CentOS 3.x upgrade service. My mentioning rack911 should not be considered to be an endorsement of their work. I've never used them for anything. I have seen some good reports in various places about them, though.

Do you need to do this right away? No. But there will come a point when you will either have to pay a third party service for updates to RH 9, or switch to a supported OS if you want any updates at all.
As for starting a new question, this particular question should probably have split off a while ago, but I don't know if the EE admins do that sort of thing.

Author Comment

by:jaxxman
Well, all this is a bit of a shock. I did not know that about redhat. I thought people like google and microsoft used redhat for webservers because of the up2date function, but not sure what version of linux they use.

Can I upgrade easily from redhat to CentOS?

And what is the most secure flavour of Linux?

Expert Comment

by:Xenmaster
There's nothing to stop you from using the older RedHat releases, some people still use RH 7.3, but Red Hat has said they will stop supporting older versions of the OS. So you need to upgrade to Fedora or RHEL if you want continued support. It is similar to Microsoft no longer supporting Windows 95, you could use it, but as time goes on after updates stop, the less secure your computer is going to be.

What Linux version is most secure? That depends on who you talk to. Most people are going to have differing opinions. Some people swear by slackware, for example. I haven't tried slackware in a server environment, so I can't confirm or deny that opinion.

Most of my servers use RHEL 3.x ES and it's a very good server OS, but it's not cheap. CentOS is designed to be 100% compatible, and my experience is that it is just as secure as RHEL 3.x. Updates to packages typically follow the RHEL release by only 24 hours.

Author Comment

by:jaxxman
OK, I will try CentOS.

Do you know if it has an auto upgrade option from Redhat, and when you say 100% compat does that mean all commands are the same, like up2date -u?

Expert Comment

by:Xenmaster
CentOS uses YUM (as does Fedora Core, etc.), but it works basically the same as up2date (and you have less to type, also ;-) ).

Author Comment

by:jaxxman
OK, I may need help, so I will start a new question titled something like redhat 9 upgrade to centos.

Author Comment

by:jaxxman
I found this http://www.webhostingtalk.com/showthread.php?threadid=276534

Check it out, I may try it. What do you think? I started a new question but Jlivie is answering it. The subject is
upgrading Redhat to  CentOS 3.3

Expert Comment

by:Xenmaster
Looks OK, as far as the directions go, but do be careful, backup everything before trying it and remember to grab the latest copy of CentOS instead of 3.1.

Author Comment

by:jaxxman
Yes, 3.3.
I plan on backing up these directories, then overwriting the new installation with them.

These are the things I will back up and then copy over the new CentOS 3.3 install.
Can I back up to the same hard drive which is going to be upgraded?
/etc
/var
/usr/local
/home
/root

I can't believe this is so easy to do, and it keeps my current config as well without disturbing anyone on the network. That's what I call progress in upgrading the OS. This is much better than Windows.

Expert Comment

by:Xenmaster
Naturally, if you have a backup drive or if your NOC offers tape backup or the like it will be best if you backup to that, but any backup, even on the same drive (so long as you have the space to do so) is better than none.

The upgrade is fairly straightforward most of the time (especially if it is an unmodified copy of RH9) because RHEL 3.x and thus CentOS are based off of RH9 technology (but extended). If you had another type of Linux installed it would not be quite so easy.

That isn't to say that you can't run into problems, but hopefully things will go smoothly for you.