rkhunter and perl

radiodee1 · 12-02-2007, 03:15 PM

I wasn't sure which forum to post this in... I'm using rkhunter for the first time. I use debian lenny. My daily report from rkhunter says that /usr/bin/perl has changed on a daily basis for about a week. Every day the hash, the inode, and the file size change. Why should this be? I thought perl was a programming language. I don't think I consciously use perl. Why is it changing? Do I have some sort of problem? Thanks in advance.

XavierP · 12-02-2007, 04:44 PM

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

unSpawn · 12-02-2007, 05:08 PM

Quote:

Originally Posted by radiodee1

My daily report from rkhunter says that /usr/bin/perl has changed on a daily basis for about a week. Every day the hash, the inode, and the file size change. (..) Why is it changing? Do I have some sort of problem?

Check if you use prelinking (/etc/cron.daily/prelink ?) then read the (local or on-line) FAQ: "4.4) I use prelinking, but after performing some updates, all, or some, binaries are 'BAD' when running the MD5 hash check." If that's not a case of prelinking, upgrade Rootkit Hunter to "current" aka version 1.3.0 since it improved a lot. If after reading the 1.3.0 docs and adjusting your new rkhunter.conf *that* doesn't fix things, register with the Rootkit Hunter users mailing list at Sourceforge and post there, preferably with a log attached.