DATA FOLLOWS BELOW:
Can someone please reply with md5sums for /sbin/sulogin and /usr/bin/last for Ubuntu 10.10, kernel 2.6.35-31-generic ?
Last several times I've run rkhunter I've gotten Warnings about sulogin and /usr/bin/last. These are likely targets for an intruder.
So I reinstalled the package containing those binaries and quickly did rkhunter -c. Same problem.
Earlier I had foolishly done the UPDATE to update the cashes. That caused a temporary fix. But now they are changed again!?!
So I did md5sums of both binaries before and after the reload. No joy. Md5sums are identical.
So I see three possibilities:
(1) The installation process for those binaries produces false positives, or
(2) I'm infected and those binaries get reinfected VERY FAST, or
(3) The linux repository for Ubuntu 10.10 is infected.
I've seen this error multiple times in Google searches. I've seen people foolishly recommend updating the rkhunter cache, which is a clever way to simply shut off an important alarm.
Either way, I suspect someone close to this code MUST provide a definitive and informed answer considering the possibility that the Ubuntu cache is itself infected.
Thank you oh so very much for any attention.
DATA FOLLOWS:

[22:50:17] /sbin/sulogin [ Warning ]
[22:50:17] Warning: The file properties have changed:
[22:50:17] File: /sbin/sulogin
[22:50:17] Current inode: 23855259 Stored inode: 23855277
[22:50:17] Current file modification time: 1303197096 (19-Apr-2011 03:11:36)
[22:50:17] Stored file modification time : 1301521984 (30-Mar-2011 17:53:04)
md5sum immediately after reload via Synaptic Package manager:
88d2ad573bd0e589db4ea77e86fdfe34 /sbin/sulogin


[22:50:14] /usr/bin/last [ Warning ]
[22:50:14] Warning: The file properties have changed:
[22:50:14] File: /usr/bin/last
[22:50:14] Current inode: 29100159 Stored inode: 29109154
[22:50:14] Current file modification time: 1303197096 (19-Apr-2011 03:11:36)
[22:50:14] Stored file modification time : 1301521984 (30-Mar-2011 17:53:04)
md5sum immediately after reload via Synaptic Package manager:
ca0943947e977283e9c4e618a7557d10 /usr/bin/last


[ 0.000000] Linux version 2.6.35-31-generic (buildd@allspice) (gcc version 4.4.5 (Ubuntu/Linaro 4.4.4-14ubuntu5) ) #62-Ubuntu SMP Tue Nov 8 14:20:11 UTC 2011 (Ubuntu 2.6.35-31.62-generic 2.6.35.13)

hi

1) since you are security conscious....is that the latest kernel you can get from Ubuntu repositories?

If you must use Ubuntu types you may like to consider installing a vanilla and watching for kernel vulnerabilties?

2) Also have you actually done a clean install.....with a tarball of rkh?

3) Have you configured your /etc/rkhunter.conf to use a package manager for software updates?

4) Your dates seem a little old....how long as this been appearing in your logs?


5) why not download and extract another repository and check the md5sums yourself?

eg

in debian sid....last + sulogin belong to sysvinit-utils
http://mirror.internode.on.net/pub/u...in/s/sysvinit/

This is the latest kernel coming via apt update so I assume its latest.
If I get no useful responses, this and your tarball suggestion below will be next step(s).
(see above) I'll probably do this on a vmware manchine. However, I do have a job with immediate demands. I'm overrun with immediate demands these days.
"apt get" in the auto updates, yes
If you mean the "Nov 8", that was because I just grabbed the first "version" line contained in the dmesg log. Is that what you mean? The kernel itself was update installed just a couple days ago. The rkhunter run immediately before that had no complaints. (!!)

I'm not sure which supplier "apt get" got them from. I'll read up on the apt mans to see how to determine (and set) that.

I was hoping someone running an up-to-date ubuntu 10.10 could just type:
md5sum /sbin/sulogin
and
md5sum /usr/bin/last
and reply with the sequence. It would save some time. I also hope to diff the strings outputs.
also
Rebuilding the machine is not necessarily any guarantee of safety given the problems that exist with recent kernels. See the sticky item above on this topic. Is this one variation of that same problems? I don't think an intruder would have stopped or been satisfied with a compromised kernel.
Maybe I should mention this thread in that sticky? I don't know yet.
Thank you for any help.

Hi linuxStudent11
Haven't used 10.10 for a little while but I booted into it from curiosity.
You asked for an up-to-date 10.10, (perhaps a contradiction in terms) so I updated and upgraded.
The md5sums were identical before and after the upgrade.

I also ran rkhunter -c, and got warnings (also the same before and after upgrading) for the following files:
/bin/
dmesg, login, more, mount, su.
/usr/bin/
dpkg, dpkg-query, last, lastlog, ldd, logger, newgrp, passwd, perl, sudo, whereis.
/sbin/
ifdown, ifup, init, runlevel, sulogin
/usr/sbin/
groupadd, groupdel, groupmod, grpck, nologin, pwck, useradd, userdel, usermod, vipw.

If you have a problem, mine's bigger than yours!

Being an optimist, I think the explanation is probably that I have mounted the partition that Maverick is on in another distribution. I've probably chrooted into it, and at one stage I dd'ed it into the partition it's in now.

However, I'm no security guru, so maybe some dark forces are preparing a sinister plot against me at this very moment. Think I'll go to bed and get some sleep: I'll need all my strength to counter their evil plans.

-- LMAO --
m'kay, maybe this tinfoil's a little tight

OTOH, maybe I'm not ready to take off my hat just yet.

I guess I'm feeling a disturbance in the force.

hi

1) kernel.org suggests today's most recent stable kernel is 3.1.3

I run a debian kernel and I have their package 3.1.0-1-686-pae for 32 bit machine

compared to your number 2.6.35-31-generic

I suggest stop using Ubuntu if they can't use a more recent kernel or stop using their kernel and install a vanilla.

2) ok everyone has time issues. But if you want to improve your security can I suggest you read the wiki on RKH it mentions you install RKH with no network

http://sourceforge.net/apps/trac/rkhunter/wiki/MPFC

3) I am not sure about apt get

use root powers to edit your /etc/rkhunter.conf to use this line please

PKGMGR=DPKG

Then save that file to an usb stick etc for when you do a clean install.

good luck