LinuxQuestions.org

Linux - Security: rkhunter: "/usr/bin/rpm warning"?!!! (https://www.linuxquestions.org/questions/linux-security-4/rkhunter-usr-bin-rpm-warning-597151/)

Hungry ghost 11-04-2007 09:04 PM

rkhunter: "/usr/bin/rpm warning"?!!!
 
Hi people, I installed rkhunter and chkrootkit a few days after I installed Ubuntu Gutsy (desktop edition). Had not executed rkhunter until now. Well, the point is this: I just ran rkhunter and got the following warning:

Code:

Performing file properties checks
    Checking for prerequisites                              [ OK ]
(...)
/usr/bin/rpm                                            [ Warning ]

So I checked the rkhunter log file and I found this:

Code:

[22:22:36]/usr/bin/rpm                                      [ Warning ]
[22:22:36] Warning: The file '/usr/bin/rpm' exists on the system, but it is not present in the rkhunter.dat file.

So, what does this mean? Am I possibly infected with some kind of unknown rootkit or cracked or something?

If this helps, I checked this /usr/bin/rpm file thinking that it might be a symbolic link to another application, but it isn't; this is what I got:

Code:

ls -l /usr/bin/rpm
-rwxr-xr-x 1 root root 80708 2007-09-12 12:00 /usr/bin/rpm

hmmm, I had used rkhunter before and had found some warnings (fake positives, I think), but nothing like this before :confused:

I checked, and I have the rpm package installed (I think it's a dependency of 'alien', which I use sometimes to convert packages), and it provides this file (/usr/bin/rpm), but what exactly does this rkhunter warning mean?

Thanks in advance for your answers.

win32sux 11-05-2007 02:15 AM

Are you sure the binary wasn't installed after the last time you ran Rootkit Hunter? Please boot your Ubuntu CD, mount your root partition, and get/post the SHA1 and MD5 checksums of that rpm file. This will allow us to know whether or not the binary is official. The binary's permissions, size, and date/time are fine - but we need checksums to be sure.

unSpawn 11-05-2007 06:11 AM

If you install RKH you have to sync the rkhunter.dat cache file with your OS. If you install a new application you must resync the RKH cache file. The message simply says it's found on the system but not in the previously initialised cache file, which you can also find in the accompanying docs and the online RKH mailing list archives.
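What unSpawn describes is a baseline comparison: a stored hash per watched binary, compared against the binary now on disk, with "not in the baseline" reported separately from "hash differs". The script below is an added illustration of that mechanism and is not rkhunter's own code; a plain "hash  path" file stands in for rkhunter.dat, a watch list stands in for rkhunter's select set of binaries, and everything runs on constructed files in a scratch directory.

```shell
#!/bin/sh
# Added illustration of the check behind the warning in this thread; this is
# not rkhunter's own code. A plain "hash  path" file stands in for rkhunter.dat,
# and a watch list stands in for rkhunter's select set of binaries. Everything
# below runs on constructed files in a scratch directory.

# Record the current hash of every watched path that exists. Running this
# again is the equivalent of 'rkhunter --propupd': the baseline is rebuilt
# from whatever is on disk now, so only do it on a system you trust.
build_baseline() {   # $1 = watch list, $2 = baseline file to (re)write
    : > "$2"
    while IFS= read -r path; do
        if [ -f "$path" ]; then
            sha1sum "$path" >> "$2"
        fi
    done < "$1"
}

# Compare the watched files against the baseline. Each problem is reported on
# stderr; the number of problems is printed on stdout so callers can capture it.
check_baseline() {   # $1 = watch list, $2 = baseline file
    baseline=$2
    warnings=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue          # not installed: nothing to compare
        stored=$(awk -v p="$path" '$2 == p { print $1 }' "$baseline")
        current=$(sha1sum "$path" | cut -d' ' -f1)
        if [ -z "$stored" ]; then
            echo "Warning: '$path' exists on the system but is not in the baseline" >&2
            warnings=$((warnings + 1))
        elif [ "$stored" != "$current" ]; then
            echo "Warning: '$path' hash differs from the baseline" >&2
            warnings=$((warnings + 1))
        fi
    done < "$1"
    echo "$warnings"
}

# Replay the thread's sequence on constructed files: sync, install a new
# watched binary, get the "not in baseline" warning, resync, then show that a
# changed file is still caught. Prints the three warning counts.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin"
    printf 'constructed ls\n' > "$work/usr/bin/ls"
    printf 'constructed ps\n' > "$work/usr/bin/ps"
    printf '%s\n' "$work/usr/bin/ls" "$work/usr/bin/ps" "$work/usr/bin/rpm" > "$work/watch"

    build_baseline "$work/watch" "$work/baseline"     # initial sync, rpm not yet installed
    first=$(check_baseline "$work/watch" "$work/baseline")

    printf 'constructed rpm\n' > "$work/usr/bin/rpm"  # alien pulls rpm in later
    second=$(check_baseline "$work/watch" "$work/baseline")   # 1: exists, not in baseline

    build_baseline "$work/watch" "$work/baseline"     # resync, as --propupd would
    printf 'altered ps\n' > "$work/usr/bin/ps"        # a change the check must still flag
    third=$(check_baseline "$work/watch" "$work/baseline")    # 1: hash differs

    rm -rf "$work"
    echo "$first $second $third"
}

demo
```

The point of the resync step is the reason for unSpawn's later advice: rebuilding the baseline accepts whatever is on disk, so it should follow a check against a pristine copy, not replace one.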

Hungry ghost 11-05-2007 08:42 AM

Hi, to address win32sux's question, I'm not sure whether or not I ran rkhunter before the binary was installed. I don't have an Ubuntu live-cd since I installed it with the alternate cd, so I booted from Knoppix and ran sha1 on the file (without chrooting my Ubuntu / partition; I forgot to chroot); this is the sha1:

Code:

2fe6c421b1da2121261b52636279a33002d20f9e  /mnt/sda9/usr/bin/rpm

Then, since Knoppix 5.1.1 doesn't have the md5sum command, I booted from Elive and ran md5sum on the suspicious file (this time I couldn't chroot because Elive doesn't have chroot); this is what I got:

Code:

e6b16bdb81c03349eda8eafee23be9ae  /mnt/sda9/usr/bin/rpm

(Is it strictly necessary that I chroot into my Ubuntu install in order to get the md5sum and sha1 sum of the file?)

At unSpawn: How do I resync the rkhunter cache file? Also, something weird: when I execute ls -l /usr/bin/rpm* in order to check the file attributes of all the executables related to the rpm package, this is what I get:

Quote:

ls -l /usr/bin/rpm*
-rwxr-xr-x 1 root root 80708 2007-09-12 12:00 /usr/bin/rpm
-rwxr-xr-x 1 root root 28156 2007-09-12 12:00 /usr/bin/rpm2cpio
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmbuild -> ../lib/rpm/rpmb
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmdb -> ../lib/rpm/rpmd
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpme -> ../lib/rpm/rpme
-rwxr-xr-x 1 root root 10304 2007-09-12 12:00 /usr/bin/rpmgraph
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmi -> ../lib/rpm/rpmi
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmquery -> ../lib/rpm/rpmq
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmsign -> ../lib/rpm/rpmk
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmu -> ../lib/rpm/rpmu
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmverify -> ../lib/rpm/rpmv

As you can see, both /usr/bin/rpm and /usr/bin/rpm2cpio have the same date and time of creation/modification, but I only get the warning for the /usr/bin/rpm file.

Any ideas?

Thanks a lot for your help.

unSpawn 11-05-2007 09:49 AM

Quote:

Originally Posted by odiseo77 (Post 2948797)
Any ideas?

Well, since I'm one of the project members, I'd better have ;-p


Quote:

Originally Posted by odiseo77 (Post 2948797)
How do I resync the rkhunter cache file?

It's in the docs. Read 'em ('rkhunter --propupd').


Quote:

Originally Posted by odiseo77 (Post 2948797)
As you can see, both, /usr/bin/rpm and /usr/bin/rpm2cpio, have the same date and time of creation/modification, but I only get the warning with the /usr/bin/rpm file.

That's because we don't look for all binaries but a select set. If you want to check all binaries you could install Aide, Samhain, the md5deep package or even tripwire. BTW note *we* don't need to see SHA1 or MD5 sums. *You* need them to check against a copy of a package from trusted repo (if your package manager doesn't have verification of package contents).

Hungry ghost 11-05-2007 10:14 AM

Well, I installed alien with all its dependencies (rpm, etc.) on the living room machine (another machine running Gutsy as well), ran rkhunter and got the same warning for /usr/bin/rpm. Then I checked its md5sum and sha1 sum (on the same machine), and they exactly match the ones I posted above (from my own machine, the first one I got this warning on), so I guess this is a false positive? (taking a deep breath :D).

As for the rpm installation source, it came from the Ubuntu official repositories, so I guess it's fine (I haven't installed automatix or any other 3rd party software management software; I only have the official Ubuntu repos enabled).

Thanks for the 'rkhunter --propupd' tip; I ran it, then did a re-scan of my system and everything went ok.

Thank you a lot for your help, guys; I can rest in peace now :D

unSpawn 11-05-2007 10:29 AM

Quote:

Originally Posted by odiseo77 (Post 2948887)
so I guess this is a fake positive? (...) As for the rpm installation source, it came from the Ubuntu official repositories, so I guess it's fine (I haven't installed automatix or any other 3rd party software management software; I only have the official Ubuntu repos enabled).

FWIW and speaking in general wrt errors, alerts, hunches, gut feelings or whatever else: you shouldn't think, assume or guess something is a false positive but make certain it is (check, pristine package, package manager).
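The "check against a pristine package" step unSpawn insists on, and the earlier question of whether a chroot is needed to hash a mounted root, come together in the script below. It is an added example, not from the thread or from any package: a dpkg-style md5sums manifest (one "hash  path relative to /" line per file) is checked under a mount point with md5sum -c, so a live CD only has to mount the partition. On Debian-based systems the shipped manifests live in /var/lib/dpkg/info/<package>.md5sums and debsums automates this; on RPM-based systems rpm -V does the equivalent.

```shell
#!/bin/sh
# Added example, not from the thread or any package: checking files under a
# mounted root against a dpkg-style md5sums manifest ("hash  path relative to /",
# one per line). Because the manifest paths are relative, running the check
# from the mount point is enough; no chroot is needed.

# Print the number of manifest entries that fail (wrong hash or unreadable file).
# $1 = mounted root (e.g. /mnt/sda9 from a live CD), $2 = manifest (absolute path).
# Counting FAILED lines instead of using md5sum's exit status keeps the function
# usable under 'set -e'.
verify_manifest() {
    (cd "$1" && md5sum -c "$2" 2>/dev/null) | grep -c 'FAILED' || true
}

# Scenario on constructed files: a manifest covering two files, then one of
# them replaced. A real manifest comes from the package, never from the disk
# being checked; this one is built from the constructed files only so the
# script is self-contained.
demo_verify() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf 'constructed rpm\n' > "$root/usr/bin/rpm"
    printf 'constructed rpm2cpio\n' > "$root/usr/bin/rpm2cpio"
    (cd "$root" && md5sum usr/bin/rpm usr/bin/rpm2cpio) > "$root/rpm.md5sums"
    before=$(verify_manifest "$root" "$root/rpm.md5sums")
    printf 'replaced rpm\n' > "$root/usr/bin/rpm"
    after=$(verify_manifest "$root" "$root/rpm.md5sums")
    rm -rf "$root"
    echo "$before $after"       # 0 failures before the replacement, 1 after
}

demo_verify
```

MD5 and SHA1 here only serve to detect that a file differs from the packaged one; the trust comes from where the manifest was obtained, which is why it has to be a pristine copy from the repository rather than something read off the disk under suspicion.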

Hungry ghost 11-05-2007 10:38 AM

Ok, quite well understood :)

win32sux 11-05-2007 10:54 AM

For the record, the checksums you posted are good.

