LinuxQuestions.org > Forums > Linux Forums > Linux - Security

04-14-2009, 08:19 PM   #1
jamiehh
LQ Newbie
Registered: Apr 2009
Posts: 8
Confusing RKHunter log warnings for file properties checks


Hi,

I have a FC9 box set up primarily as a file server for the Windows machines on my network. I run RKHunter on it every week or so, and usually no problems are reported. Today, however, warnings were given for file properties checks on:
/bin/login
/bin/rpm
/bin/su
/usr/bin/elinks
/usr/bin/passwd
/usr/bin/wget

The rkhunter log shows:
.
.
[02:04:40] Warning: Package manager verification has failed:
[02:04:40] File: /usr/bin/wget
[02:04:40] Try running the command 'prelink /usr/bin/wget' to resolve dependency errors.
[02:04:41] The file hash value has changed
[02:04:41] The file size has changed
.
.
...and very similar log lines for each of the other files mentioned above.

The rest of the RKHunter check was normal.

I also have chkrootkit installed, and that doesn't find any problems.

After 3 hours searching for information about this I'm still confused as to whether I have a problem or not with the security of my machine.

It's behind an IPCop router and not visible from the internet (no port forwarding etc. set up whatsoever). The firewall on the server itself is also switched on and only allowing SSH and Samba access through. SSH root access is disabled, and Samba access is limited (by the Samba config file) to only the few Windows machines that need to have access. I'm not really sure how to make it more secure. 'yum update -y' is run every week or so. The main security weakness is my SSH connection to the server from my Vista PC, which I often leave logged in as root (after su-ing). I don't *believe* my Vista box is compromised though. Kaspersky reckons it's clean anyway, and it's also behind the same IPCop router.

Do I have a problem? Any help appreciated.

Thanks.
 
Old 04-14-2009, 11:33 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651
Those look normal. Did you update the system in the last week?
 
Old 04-15-2009, 02:22 AM   #3
jamiehh
LQ Newbie
 
Registered: Apr 2009
Posts: 8

Original Poster
Rep: Reputation: Disabled
Hi John,

Thanks for replying. I did indeed update in the past week - in fact I ran rkhunter immediately following an update with yum. I now wish I had run it before as well!

I need to learn much more about Linux, so what makes you sure these are normal? Why has rkhunter all of a sudden come up with this?

Many thanks for your help.
 
Old 04-15-2009, 03:05 AM   #4
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651Reputation: 2651
rk keeps a hash of the files and checks them against the stored values. An update can change them.
 
Old 04-15-2009, 03:17 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by jamiehh
so what makes you sure these are normal?

Excellent question. Why? Because some things might be hard to spot (not saying that that's the case here). Use independent and authoritative sources to make certain these files correspond with files from the installed package contents, like using (a backup of) your package manager to verify package contents or a filesystem integrity checker (if installed, configured and run properly before). Yes, it may take you more time, and yes, the result may be the same as saying "looks normal", but the difference is in actually checking things to reach that conclusion. Something you always want in security.
 
Old 04-15-2009, 07:54 AM   #6
jamiehh
LQ Newbie
 
Registered: Apr 2009
Posts: 8

Original Poster
Rep: Reputation: Disabled
Many thanks to John and unSpawn for your replies - very much appreciated.

I've learnt now that I should install an intrusion detection system!

For the time being, how would I go about verifying that those files listed above are the genuine article - i.e. how do I go about ensuring that the checksum for those files installed is the same as the checksum for the genuine files on the internet? I must confess that despite quite a lot of reading around over several years I've never really understood how Linux updates and packages work - I still just issue the command 'yum update -y' and hope for the best!

I've read the RKHunter FAQ and tried following section 3.1, but it doesn't seem that I can be certain that these are not files that have been tampered with.

I maybe should have mentioned before that I have another server set up (offsite) as a backup. I basically maintain a mirror of my main server (the one with the problem) on the backup, using rsync across an SSH tunnel. The backup server is running the same software (they were installed about 3 days apart) and has updates run at the same time as the main server. This backup server reports no problems when running RKHunter though.

Sorry to be a nuisance, I just like to be certain that my machine is secure!

Cheers

Last edited by jamiehh; 04-15-2009 at 09:12 AM.
 
Old 04-15-2009, 09:11 AM   #7
jamiehh
LQ Newbie
 
Registered: Apr 2009
Posts: 8

Original Poster
Rep: Reputation: Disabled
*Update*

Very bizarrely I have just run RKHunter again, and it has picked up no errors at all now. I haven't done anything whatsoever to try and fix the problem, so how can it have fixed all by itself?!

Cheers
 
Old 04-15-2009, 12:27 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by jamiehh
I've learnt now that I should install an intrusion detection system!

That kind of tool is best installed right after the OS and before exposing it to networks.

Quote:
Originally Posted by jamiehh
For the time being, how would I go about verifying that those files listed above are the genuine article - i.e. how do I go about ensuring that the checksum for those files installed is the same as the checksum for the genuine files on the internet?

Find out which package they're part of: 'rpm -qf /path/to/file' then verify: 'rpm -qVv packagename'.

Quote:
Originally Posted by jamiehh
I've read the RKHunter FAQ and tried following section 3.1, but it doesn't seem that I can be certain that these are not files that have been tampered with.

The essence it should convey is how hard it is to make certain (not "guess" or "think" or "looks OK") things are not changed, especially if one does not take prior requirements into account wrt auditing. Luckily your machine possesses one of the more mature package management systems available in terms of verification. If the local RPM database wouldn't do, or if you would like a second opinion, then you could download the packages from a known good source and check with those. Since most of the time these warnings are a known false positive (see rkhunter.conf whitelisting options) that might not be necessary, but if you want to anyway, practicing never was considered a bad thing.

Quote:
Originally Posted by jamiehh
I maybe should have mentioned before that I have another server set up (offsite) as a backup. I basically maintain a mirror of my main server (the one with the problem) on the backup, using rsync across an SSH tunnel. The backup server is running the same software (they were installed about 3 days apart) and has updates run at the same time as the main server. This backup server reports no problems when running RKHunter though.

Sorry to be a nuisance, I just like to be certain that my machine is secure!

Not a nuisance at all, it's what the Linux Security forum is for. Like John VV said, updates might skew things. You could compare file SHA1 hashes, the output of both the RPM databases and diff the rkhunter hash "database". Note that automagically running 'rkhunter --propupd' after updates will quiet warnings and is not a good practice to do.
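
The 'rpm -qVv packagename' step above prints one line per file that differs from the RPM database, and reading its flag column is what turns "the file hash value has changed" into a concrete answer (size? digest? only mtime?). The following POSIX sh script is an added example, not code from the thread or from rpm itself; it assumes the flag column documented in rpm(8) (S M 5 D L U G T P, with "missing" in place of the flags for absent files and an optional one-letter file type such as "c" before the path) and runs on a constructed sample so it can be tried without an RPM system.

```shell
#!/bin/sh
# Added example: decode and triage the per-file lines printed by
# `rpm -V` / `rpm -qVv`. Assumes the rpm(8) flag column:
#   S=size M=mode 5=digest D=device L=symlink U=user G=group
#   T=mtime P=capabilities (rpm >= 4.7 only)
#   '.' = test passed, '?' = could not be tested
# "missing" replaces the flags for an absent file; a single letter
# (c=config, d=doc, ...) may sit between the flags and the path.

# Turn a flag string such as "S.5....T." into "size digest mtime".
decode_rpmv_flags() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le "${#flags}" ]; do
        c=$(printf '%s' "$flags" | cut -c "$i")
        case $c in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
            '?') out="$out untestable" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Classify one verify line. Prints: path<TAB>verdict<TAB>changed attributes.
# (Word-split parsing: paths containing spaces are out of scope here.)
classify_rpmv_line() {
    printf '%s\n' "$1" | {
        read -r flags second third
        filetype=""
        path=$second
        case $second in
            [a-z]) filetype=$second; path=$third ;;   # file-type letter present
        esac
        if [ "$flags" = "missing" ]; then
            verdict="missing"; attrs="-"
        else
            attrs=$(decode_rpmv_flags "$flags")
            case " $attrs " in
                *" digest "*|*" size "*)
                    # Content differs from what the package installed. For a
                    # config file that is normal local editing; for a binary it
                    # is the case to check against a known-good copy of the package.
                    if [ "$filetype" = "c" ]; then verdict="config-edited"
                    else verdict="content-changed"; fi ;;
                *" mode "*|*" user "*|*" group "*|*" symlink "*|*" device "*|*" capabilities "*)
                    verdict="metadata-changed" ;;
                *" mtime "*)
                    # Only the timestamp moved: typical after a package update.
                    verdict="timestamp-only" ;;
                *)
                    verdict="unchanged" ;;
            esac
        fi
        printf '%s\t%s\t%s\n' "$path" "$verdict" "${attrs:--}"
    }
}

# Classify every non-empty line read from stdin.
classify_rpmv_output() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then classify_rpmv_line "$line"; fi
    done
}

# Constructed sample of `rpm -V` output (not real output from any machine).
sample_verify_output() {
    cat <<'EOF'
S.5....T.    /usr/bin/wget
.......T.    /bin/su
.M.......    /bin/login
S.5....T.  c /etc/wgetrc
missing     /usr/bin/elinks
EOF
}

# Stand-alone demo. On a real box, pipe in the verify output instead:
#   rpm -V "$(rpm -qf /usr/bin/wget)" | classify_rpmv_output
sample_verify_output | classify_rpmv_output
```

A "content-changed" verdict on a binary is the one case worth the extra work unSpawn describes (compare with a package fetched from a known-good source); "timestamp-only" after a yum run is the benign situation John VV points to. A clean `rpm -V` is only as trustworthy as the local RPM database, which is why the thread also suggests comparing hashes against the untouched backup server.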
 
Old 04-15-2009, 02:17 PM   #9
jamiehh
LQ Newbie
 
Registered: Apr 2009
Posts: 8

Original Poster
Rep: Reputation: Disabled
Many thanks again unSpawn.

'rpm -qf /path/to/file' then verify: 'rpm -qVv packagename' showed no problems with those packages mentioned in my first post.

I also did 'rpm -qi' on all the packages and compared the file size with the file size shown on rpmfind.net. I assume this goes some way to reassuring me that the RPMs on my machine are the same as those posted on the internet.

Many thanks again to unSpawn and John VV for all your help.

Cheers.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
RKhunter question, Getting warnings for some directories. M$ISBS Linux - Security 8 03-05-2008 01:38 AM
rkhunter Security scanning generated the following warnings max_tcs Linux - Security 1 06-25-2007 01:09 AM
rkhunter warnings adityavpratap Slackware 15 02-24-2007 07:11 AM
rkhunter warnings jantman Linux - Security 4 01-23-2007 02:39 PM
log warnings and errors - are these serious? bcal Fedora 3 02-12-2005 04:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration