LinuxQuestions.org


monroetech 12-13-2004 09:17 PM

rkhunter found the following
 
1) /usr/bin/file - BAD

Note, I think this file was just updated in one of the recent YOU updates....

2)
Checking for differences in user accounts... Found differences
Info:
----------------------
> news:x:9:13:News system:/etc/news:/bin/bash
> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
< man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
< news:x:9:13:News system:/etc/news:/bin/bash
< uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
----------------------
Info: Some items have been added (items marked with '<')
Info: Some items have been removed (items marked with '>')

Ok, they are the same, what's up here?



3)
* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/sdaf9: block special (65/249)
---------------------------------------------
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb /etc/.java
/etc/.pwd.lock

I looked at the .pwd.lock file, it's blank


Anyone know what these are?


Thanks
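
The three account lines in the listing above appear on both the '>' and '<' sides and differ only in order. As an added example (not part of the thread and not rkhunter's own code), this shell function compares two passwd snapshots by login name, so a pure reordering reports nothing while real additions, removals and edits are listed; the snapshot file names and the `extra` account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter code): compare two passwd snapshots by login
# name, so that a pure reordering of lines produces no findings.

# passwd_changes OLD NEW
# Prints one line per real difference: "added:", "changed:" or "removed:".
# Prints nothing when both files hold the same entries in any order.
# If a login name occurs twice in one file, the last occurrence wins.
passwd_changes() {
    awk -F: '
        FILENAME == ARGV[1] { old[$1] = $0; next }   # index OLD by login name
        {
            seen[$1] = 1
            if (!($1 in old))       print "added: " $0
            else if (old[$1] != $0) print "changed: " old[$1] " => " $0
        }
        END { for (u in old) if (!(u in seen)) print "removed: " old[u] }
    ' "$1" "$2" | LC_ALL=C sort
}

tmp=$(mktemp -d)

# Constructed snapshots: the three entries quoted in the post, in both orders.
cat > "$tmp/old" <<'EOF'
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
EOF
cat > "$tmp/reordered" <<'EOF'
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
EOF

# Constructed snapshot with real changes: uucp dropped, the shell for man
# edited, and a hypothetical account "extra" added.
cat > "$tmp/edited" <<'EOF'
news:x:9:13:News system:/etc/news:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/false
extra:x:1001:100:constructed entry:/home/extra:/bin/bash
EOF

echo "old vs reordered:"; passwd_changes "$tmp/old" "$tmp/reordered"
echo "old vs edited:";    passwd_changes "$tmp/old" "$tmp/edited"
rm -rf "$tmp"
```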

phatbastard 12-13-2004 09:46 PM

I ran into the same problem when I ran rkhunter. I'm using Slackware and updated to 'current', and now I get some 'bin' files are bad, check md5 checksums, etc. Did some Google research and found out from Pat that more than likely it's from rkhunter not recognizing current files.

furfurdemon666 12-14-2004 07:47 PM

I'd fill out the contact form (on the rkhunter website) and report this issue to the author of rkhunter. I use it too and noticed the same thing following a recent YOU/YaST update(s) including a recent upgrade to KDE 3.3.2. I tried the ./rkhunter --update (Run update tool and check for database updates) but still saw the "file" listed as [BAD].

The more people who respond directly to the author, the quicker issues like this will be resolved.

furfurdemon666 12-20-2004 08:51 PM

This issue with rkhunter (latest version) and SUSE 9.1 with:

/usr/bin/file

showing as [BAD]

has been resolved. I updated rkhunter with

Code:

./rkhunter --update

And ran a new scan with

Code:

./rkhunter -c

and /usr/bin/file no longer shows as [BAD].


All times are GMT -5.