rkhunter: "/usr/bin/rpm warning"?!!!
Hi people, I installed rkhunter and chkrootkit a few days after I installed Ubuntu Gutsy (desktop edition). Had not executed rkhunter until now. Well, the point is this: I just ran rkhunter and got the following warning:
Code:
Performing file properties checks
Code:
[22:22:36] /usr/bin/rpm [ Warning ]

If this helps, I checked this /usr/bin/rpm file thinking that it might be a symbolic link to another application, but it isn't; this is what I got:
Code:
ls -l /usr/bin/rpm

I checked, and I have the rpm package installed (I think it's a dependency of 'alien', which I use sometimes to convert packages), and it provides this file (/usr/bin/rpm), but what exactly does this rkhunter warning mean? Thanks in advance for your answers.
Are you sure the binary wasn't installed after the last time you ran Rootkit Hunter? Please boot your Ubuntu CD, mount your root partition, and get/post the SHA1 and MD5 checksums of that rpm file. This will allow us to know whether or not the binary is official. The binary's permissions, size, and date/time are fine - but we need checksums to be sure.
If you install RKH you have to sync the rkhunter.dat cache file with your OS. If you install a new application you must resync the RKH cache file. The message simply says it's found on the system but not in the previously initialised cache file, which you can also find in the accompanying docs and the online RKH mailing list archives.
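To make the mechanism unSpawn describes concrete (a cache of file properties that is compared against the files on disk, and that has to be resynced after a new package such as rpm is installed), here is an added, simplified Python model of that check; it is example code, not rkhunter's own, and the file names, the `rkhunter.dat` path and the constructed scenario are assumptions.

```python
import hashlib, json, os, stat, tempfile

def file_props(path):
    """Properties a file-properties check records (simplified rkhunter set)."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime)}

def propupd(paths, dat_path):
    """Rebuild the baseline from the files on disk (what `rkhunter --propupd` does)."""
    baseline = {p: file_props(p) for p in paths if os.path.isfile(p)}
    with open(dat_path, "w") as f:
        json.dump(baseline, f)
    return baseline

def check(paths, dat_path):  # compare files on disk against the baseline
    with open(dat_path) as f:
        baseline = json.load(f)
    findings = {}
    for p in (q for q in paths if os.path.isfile(q)):
        if p not in baseline:
            findings[p] = ["not-in-baseline"]  # the thread's /usr/bin/rpm warning
        else:
            changed = [k for k, v in file_props(p).items() if v != baseline[p][k]]
            if changed:
                findings[p] = changed          # a genuinely modified file
    return findings

def write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline, install a new binary, resync, then tamper."""
    d = tempfile.mkdtemp()
    dat, ls, rpm = (os.path.join(d, n) for n in ("rkhunter.dat", "ls", "rpm"))
    write(ls, b"#!/bin/sh\necho ls\n")
    propupd([ls], dat)
    clean = check([ls], dat)                   # {}
    write(rpm, b"#!/bin/sh\necho rpm\n")       # "install" rpm after the baseline
    after_install = check([ls, rpm], dat)      # {rpm: ["not-in-baseline"]}
    propupd([ls, rpm], dat)                    # resync the cache file
    after_resync = check([ls, rpm], dat)       # {}
    write(ls, b"# appended\n", "ab")           # modify an already baselined file
    return clean, after_install, after_resync, check([ls, rpm], dat)
```

The third result shows why the warning disappears after a resync, and the fourth shows the case the check actually exists for: a file that was in the baseline and has since changed.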
Hi, to address win32sux's question, I'm not sure whether or not I ran rkhunter before the binary was installed. I don't have an Ubuntu live-cd since I installed it with the alternate cd, so I booted from Knoppix and ran sha1 on the file (without chrooting my Ubuntu / partition; I forgot to chroot); this is the sha1:
Code:
2fe6c421b1da2121261b52636279a33002d20f9e /mnt/sda9/usr/bin/rpm
Code:
e6b16bdb81c03349eda8eafee23be9ae /mnt/sda9/usr/bin/rpm

At unSpawn: How do I resync the rkhunter cache file? Also, something weird: I executed ls -l /usr/bin/rpm* in order to check the file attributes of all the executables related to the rpm package, and this is what I got:

Any ideas? Thanks a lot for your help.
Well, I installed alien with all its dependencies (rpm, etc.) on the living room machine (another machine running Gutsy as well), ran rkhunter and got the same warning with /usr/bin/rpm. Then I checked its md5sum and sha1sum (on the same machine), and they exactly match the ones I posted above (from my own machine, the first one I got this warning from), so I guess this is a fake positive? (taking a deep breath :D).
As for the rpm installation source, it came from the Ubuntu official repositories, so I guess it's fine (I haven't installed automatix or any other 3rd party software management software; I only have the official Ubuntu repos enabled). Thanks for the 'rkhunter --propupd' tip; I ran it, then did a re-scan of my system and everything went ok. Thank you a lot for your help, guys; I can rest in peace now :D
Ok, quite well understood :)
For the record, the checksums you posted are good.