Changes:

See https://sourceforge.net/p/rkhunter/news/2017/06/rootkit-hunter-release-144/

For those that have had our Service Package work done, you can upgrade using:

cd /usr/src
rm -Rfv rkhunter*
wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.4.4.tar.gz
tar -xzf rkhunter*
cd rkhunter-*
./installer.sh --layout default --install
cd ..
/bin/rm -Rfv rkhunter*

If you are using the GREENSNOW blocklist in /etc/csf/csf.blocklists then please note that one of the paypal notify IP addresses is currently being listed. This will affect PayPal IPN notification to stores.

The IPN they (greensnow) are blocking is: 173.0.81.1

We have reported this to them, but in the meantime you might want to either disable the GREENSNOW blocklist (then restart csf and then lfd) or whitelist the blocked IP address in /etc/csf/csf.allow using:

tcp|in|d=80|s=173.0.81.1 # Paypal Notify
tcp|in|d=443|s=173.0.81.1 # Paypal Notify

Then restart csf and then lfd.

To avoid such instances in the future you may wish to whitelist the IP addresses involved with PayPal IPN by adding the following to csf.allow:

tcp|in|d=80|s=64.4.248.8 # Paypal IPN do not delete
tcp|in|d=80|s=64.4.249.8 # Paypal IPN do not delete
tcp|in|d=80|s=66.211.169.17 # Paypal IPN do not delete
tcp|in|d=80|s=173.0.84.40 # Paypal IPN do not delete
tcp|in|d=80|s=173.0.84.8 # Paypal IPN do not delete
tcp|in|d=80|s=173.0.88.40 # Paypal IPN do not delete
tcp|in|d=80|s=173.0.88.8 # Paypal IPN do not delete
tcp|in|d=80|s=173.0.92.8 # Paypal IPN do not delete
tcp|in|d=80|s=173.0.93.8 # Paypal IPN do not delete
tcp|in|d=80|s=66.211.170.66 # Paypal Notify
tcp|in|d=80|s=173.0.81.1 # Paypal Notify
tcp|in|d=80|s=173.0.81.0/24 # Paypal Notify
tcp|in|d=80|s=173.0.81.33 # Paypal Notify

tcp|in|d=443|s=64.4.248.8 # Paypal IPN do not delete
tcp|in|d=443|s=64.4.249.8 # Paypal IPN do not delete
tcp|in|d=443|s=66.211.169.17 # Paypal IPN do not delete
tcp|in|d=443|s=173.0.84.40 # Paypal IPN do not delete
tcp|in|d=443|s=173.0.84.8 # Paypal IPN do not delete
tcp|in|d=443|s=173.0.88.40 # Paypal IPN do not delete
tcp|in|d=443|s=173.0.88.8 # Paypal IPN do not delete
tcp|in|d=443|s=173.0.92.8 # Paypal IPN do not delete
tcp|in|d=443|s=173.0.93.8 # Paypal IPN do not delete
tcp|in|d=443|s=66.211.170.66 # Paypal Notify do not delete
tcp|in|d=443|s=173.0.81.1 # Paypal Notify do not delete
tcp|in|d=443|s=173.0.81.0/24 # Paypal Notify do not delete
tcp|in|d=443|s=173.0.81.33 # Paypal Notify do not delete

And the following to csf.ignore:

64.4.248.8 # Paypal IPN
64.4.249.8 # Paypal IPN
66.211.169.17 # Paypal IPN
173.0.84.40 # Paypal IPN
173.0.84.8 # Paypal IPN
173.0.88.40 # Paypal IPN
173.0.88.8 # Paypal IPN
173.0.92.8 # Paypal IPN
173.0.93.8 # Paypal IPN

66.211.170.66 # Paypal Notify
173.0.81.1 # Paypal Notify
173.0.81.0/24 # Paypal Notify
173.0.81.33 # Paypal Notify

Remember to restart csf and then lfd after making any changes.

For up to date IP lists, see this link.

…and yes, we fell afoul of this.