Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-07-2007, 06:24 AM   #1
teabag_46
Member
 
Registered: Aug 2007
Posts: 35

rkhunter items that concern me


Sorry guys, us 'peasants' are now forced to go to school and receive an education of sorts!!

Following this thread, I hope that this question is in the correct place - if not, please feel free to berate me!

I have just executed <rkhunter -c>. The log file quite clearly states that it can detect no rootkits installed on my (Slackware 12) system, however, there are some items that concern me.
-------------------------------------------------------------------------------------------
Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable


Performing Suckit Rookit additional checks
[12:07:02] Checking /sbin/init link count [ OK ]
[12:07:02] Checking for hidden file extensions [ None found ]
[12:07:02] Running skdet command [ Skipped ]
[12:07:02] Info: Unable to find the 'skdet' command
[12:07:02] Suckit Rookit additional checks [ OK ]
--------------------------------------------------------------------------------------------

I have not posted the full log, as it is quite long, and everything else says <ok>.

Are the items above anything to worry about?
 
Old 10-07-2007, 07:30 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Quote:
please feel free to berate me!
OK peasant: prepare to be berated - or otherwise quoted out of context

Quote:
/bin/groups' has been replaced by a script
If this is serious, then reading the script should tell you how concerned to be.

less /usr/bin/groups
# groups -- print the groups a user is in
# Copyright (C) 1991, 1997, 2000, 2002, 2004 Free Software Foundation, Inc.
[snip]
... rms's fingerprints are all over it.

less /usr/bin/ldd
# Copyright (C) 1996-2004, 2005, 2006 Free Software Foundation, Inc.
# This file is part of the GNU C Library.
[snip]
... similar.

less /usr/sbin/whatis
"/usr/bin/whatis" may be a binary file. See it anyway?
... whoops. "whatis - display manual page descriptions" (from man page)

less /usr/bin/adduser
# adduser: a utility to add users to the system
# addgroup: a utility to add groups to the system
[snip]
... it's a perl script on my machine though.

/usr/bin and /usr/sbin are expected, but not limited, to contain binary executables. A typical rootkit would be a script that replaces a standard executable so that it activates when the executable would normally be called. It then calls the original script (now renamed) after performing a short task for its maker... that way they are hard to spot.

However, they are hard to put in place too.

I doubt those are good targets for substitution (in the same way as, say, /usr/bin/passwd) anyway.
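The inspection described in the reply above (read the flagged script, see what it is and what it calls) can be turned into a small triage helper. The script below is an added example and is not code from the thread or from the rkhunter project; the function names, the constructed sample log lines and the "hidden sibling" heuristic (a script that runs a dot-file in its own directory, the renamed-original pattern the reply describes) are all assumptions made here. For each path that rkhunter reported as "replaced by a script" it prints the interpreter from the #! line, the owner, whether the file is world-writable, and whether it references such a hidden sibling.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter: triage helper for
# "has been replaced by a script" warnings. Reads rkhunter log text, pulls
# out the flagged paths and reports what a reviewer reads first about each.

# Constructed sample log text, modelled on the warnings quoted in post #1.
sample_log() {
cat <<'EOF'
Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: Checking for hidden file extensions [ None found ]
EOF
}

# Print one flagged path per line from rkhunter log text on stdin.
flagged_paths() {
    sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p"
}

# Interpreter named on the #! line, or "none" if the file has no shebang
# (an ELF binary, for instance, starts with \x7fELF and reports "none").
interpreter_of() {
    line=$(head -n 1 "$1")
    case "$line" in
        '#!'*) printf '%s\n' "$line" | sed 's/^#!//' ;;
        *)     echo none ;;
    esac
}

# Owning user as shown by ls -l (third column).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# "yes" if others have write permission: column 9 of the ls -l mode string.
world_writable() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) echo yes ;;
        *) echo no ;;
    esac
}

# "yes" if the script mentions a dot-file in its own directory, e.g. a
# wrapper for /bin/groups that runs /bin/.groups (assumed heuristic).
calls_hidden_sibling() {
    dir=$(dirname "$1")
    if grep -q "$dir/\.[A-Za-z0-9_]" "$1"; then echo yes; else echo no; fi
}

# One summary line per path read from stdin; "missing" if the file is absent.
triage() {
    while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            printf '%s missing\n' "$path"
            continue
        fi
        printf '%s interp=%s owner=%s world_writable=%s hidden_sibling=%s\n' \
            "$path" "$(interpreter_of "$path")" "$(owner_of "$path")" \
            "$(world_writable "$path")" "$(calls_hidden_sibling "$path")"
    done
}

# Usage: feed the real log instead of the sample, e.g.
#   triage < <(flagged_paths < /var/log/rkhunter.log)   (bash)
sample_log | flagged_paths | triage
```

A "no" on every column is not proof of anything; it only tells you the flagged file is an ordinary root-owned script that does not obviously hand off to a renamed original, which is exactly the situation the reply above reaches by reading the FSF copyright headers. Anything else in the output is a reason to open the file in `less` and read it in full.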
 
Old 10-07-2007, 08:09 AM   #3
teabag_46
Member
 
Registered: Aug 2007
Posts: 35

Original Poster
Thanks for the swift reply, 'SB'. I have looked at the scripts and, from what I can tell, they are simply updates, which is the reason they are reported as being replaced.

I generally only install software from trusted sources; I'm paranoid about 'hurting my baby!'
I don't run on 'root' unless I have to, and as far as 'phishing' goes, I never respond to requests for information over the 'net, unless it is something that I initiated.

Thanks, from 'A Peasant!'
 
Old 10-07-2007, 08:37 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by teabag_46 View Post
Following this thread, I hope that this question is in the correct place - if not, please feel free to berate me!
Consider yourself officially berated. I've moved the posts about your inquiry to a new thread. I'm not sure why you chose to stick this in the middle of a thread about a phishing article anyways. That was essentially hijacking - don't make a habit of it.

Last edited by win32sux; 10-07-2007 at 08:45 AM.
 
  

