Hello!
I have just ran a rkhunter scan. Some results were not clear and might be indicative of a possible prior intrusion. I search the hash codes provided in the report; but, could not find anything apart from similar questions about their origin. Thank you.
Code:
[15:51:07] Warning: The file properties have changed:
[15:51:07] File: /usr/bin/killall
[15:51:07] Current hash: f1ca3ee43d914964d22b7e3b0dff404fa55c2c61
[15:51:07] Stored hash : 87828fcc6f7e270e6c9dd61746dd58bee60d9be8
[15:51:07] Current inode: 263451 Stored inode: 262529
[15:51:07] Current file modification time: 1342483144 (16-Jul-2012 16:59:04)
[15:51:07] Stored file modification time : 1333155793 (30-Mar-2012 18:03:13)
[15:51:07] /usr/bin/last [ Warning ]
[15:51:07] Warning: The file properties have changed:
[15:51:07] File: /usr/bin/last
[15:51:07] Current hash: 2625728968b194b87e9f77a58d990c9294b4017d
[15:51:07] Stored hash : 5d7607a22352108c4bf0568998c9bdd9e874d558
[15:51:07] Current inode: 262862 Stored inode: 262532
[15:51:07] Current file modification time: 1343327018 (26-Jul-2012 11:23:38)
[15:51:07] Stored file modification time : 1334395587 (14-Apr-2012 02:26:27)
..........................................
[15:51:09] Warning: The file properties have changed:
[15:51:09] File: /usr/bin/pstree
[15:51:09] Current hash: 513387a0aa8864bf0e7a45691966f2ae38ac0adf
[15:51:09] Stored hash : 0b6ad87752ff24d708c133dfaeb3abb57d7bb124
[15:51:09] Current inode: 263452 Stored inode: 262774
[15:51:09] Current file modification time: 1342483144 (16-Jul-2012 16:59:04)
[15:51:09] Stored file modification time : 1333155793 (30-Mar-2012 18:03:13)
...........................................
[15:51:17] Warning: The file properties have changed:
[15:51:17] File: /sbin/sulogin
[15:51:17] Current hash: d6b62b44207847e92418b10dd88ebe23fb597bd7
[15:51:17] Stored hash : 83a221fa0ac64fb86f7e01f388cc018f63c8c47e
[15:51:17] Current inode: 7471239 Stored inode: 7471266
[15:51:17] Current file modification time: 1343327018 (26-Jul-2012 11:23:38)
[15:51:17] Stored file modification time : 1334395587 (14-Apr-2012 02:26:27)
...........................................
[15:51:20] Warning: The file properties have changed:
[15:51:20] File: /bin/fuser
[15:51:20] Current hash: 6d321869dd7e5cfaf3867339708ae00599d2e911
[15:51:20] Stored hash : e506c975c2160bcfa7bdeb8fd60fc14482f43e9a
[15:51:20] Current inode: 7340082 Stored inode: 7340080
[15:51:20] Current file modification time: 1342483144 (16-Jul-2012 16:59:04)
[15:51:20] Stored file modification time : 1333155793 (30-Mar-2012 18:03:13)
...........................................
For some reason the date on which the files were changed is the same. Might mean something? Thanks
I'm also wondering if this last entry is any good:
Code:
[15:54:06] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
Thanks.
