LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-04-2007, 10:04 PM   #1
odiseo77
Senior Member
 
Registered: Dec 2004
Location: Caracas, Venezuela
Distribution: Debian Sid, OpenSUSE 13.1
Posts: 1,018

rkhunter: "/usr/bin/rpm warning"?!!!


Hi people, I installed rkhunter and chkrootkit a few days after I installed Ubuntu Gutsy (desktop edition). Had not executed rkhunter until now. Well, the point is this: I just ran rkhunter and got the following warning:

Code:
Performing file properties checks
    Checking for prerequisites                               [ OK ]
(...)
/usr/bin/rpm                                             [ Warning ]
So I checked the rkhunter log file and I found this:

Code:
[22:22:36]/usr/bin/rpm                                      [ Warning ]
[22:22:36] Warning: The file '/usr/bin/rpm' exists on the system, but it is not present in the rkhunter.dat file.
So, what does this mean? Am I possibly infected with some kind of unknown rootkit or cracked or something?

If this helps, I checked this /usr/bin/rpm file thinking that it might be a symbolic link to another application, but it isn't; this is what I got:

Code:
ls -l /usr/bin/rpm
-rwxr-xr-x 1 root root 80708 2007-09-12 12:00 /usr/bin/rpm
hmmm, I had used rkhunter before and had found some warnings (fake positives, I think), but nothing like this before

I checked, and I have the rpm package installed (I think it's a dependency of 'alien', which I use sometimes to convert packages), and it provides this file (/usr/bin/rpm), but what exactly does this rkhunter warning mean?

Thanks in advance for your answers.
 
Old 11-05-2007, 03:15 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Are you sure the binary wasn't installed after the last time you ran Rootkit Hunter? Please boot your Ubuntu CD, mount your root partition, and get/post the SHA1 and MD5 checksums of that rpm file. This will allow us to know whether or not the binary is official. The binary's permissions, size, and date/time are fine - but we need checksums to be sure.

Last edited by win32sux; 11-05-2007 at 03:35 AM.
 
Old 11-05-2007, 07:11 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

If you install RKH you have to sync the rkhunter.dat cache file with your OS. If you install a new application you must resync the RKH cache file. The message simply says it's found on the system but not in the previously initialised cache file, which you can also find in the accompanying docs and the online RKH mailing list archives.

Last edited by unSpawn; 11-05-2007 at 07:14 AM.
 
Old 11-05-2007, 09:42 AM   #4
odiseo77
Senior Member
 
Original Poster

Hi, to address win32sux's question, I'm not sure whether or not I ran rkhunter before the binary was installed. I don't have an Ubuntu live-cd since I installed it with the alternate cd, so I booted from Knoppix and ran sha1 on the file (without chrooting my Ubuntu / partition; I forgot to chroot); this is the sha1:

Code:
2fe6c421b1da2121261b52636279a33002d20f9e  /mnt/sda9/usr/bin/rpm
Then, since Knoppix 5.1.1 doesn't have the md5sum command, I booted from Elive and ran md5sum on the suspicious file (this time I couldn't chroot because Elive doesn't have chroot); this is what I got:

Code:
e6b16bdb81c03349eda8eafee23be9ae  /mnt/sda9/usr/bin/rpm
(Is it strictly necessary I chroot my Ubuntu install in order to get the md5sum and sha1 sum of the file?)

At unSpawn: How do I resync the rkhunter cache file? Also, something weird is that when I execute ls -l /usr/bin/rpm* in order to check the file attributes of all the executables related to the rpm package, this is what I get:

Code:
ls -l /usr/bin/rpm*
-rwxr-xr-x 1 root root 80708 2007-09-12 12:00 /usr/bin/rpm
-rwxr-xr-x 1 root root 28156 2007-09-12 12:00 /usr/bin/rpm2cpio
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmbuild -> ../lib/rpm/rpmb
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmdb -> ../lib/rpm/rpmd
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpme -> ../lib/rpm/rpme
-rwxr-xr-x 1 root root 10304 2007-09-12 12:00 /usr/bin/rpmgraph
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmi -> ../lib/rpm/rpmi
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmquery -> ../lib/rpm/rpmq
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmsign -> ../lib/rpm/rpmk
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmu -> ../lib/rpm/rpmu
lrwxrwxrwx 1 root root 15 2007-10-21 11:38 /usr/bin/rpmverify -> ../lib/rpm/rpmv
As you can see, both /usr/bin/rpm and /usr/bin/rpm2cpio have the same date and time of creation/modification, but I only get the warning for the /usr/bin/rpm file.

Any ideas?

Thanks a lot for your help.
 
Old 11-05-2007, 10:49 AM   #5
unSpawn
Moderator
 
Quote:
Originally Posted by odiseo77
Any ideas?
Well, since I'm one of the project members, I'd better have ;-p


Quote:
Originally Posted by odiseo77
How do I resync the rkhunter cache file?
It's in the docs. Read 'em ('rkhunter --propupd').


Quote:
Originally Posted by odiseo77
As you can see, both /usr/bin/rpm and /usr/bin/rpm2cpio have the same date and time of creation/modification, but I only get the warning for the /usr/bin/rpm file.
That's because we don't look for all binaries but a select set. If you want to check all binaries you could install Aide, Samhain, the md5deep package or even tripwire. BTW note *we* don't need to see SHA1 or MD5 sums. *You* need them to check against a copy of a package from trusted repo (if your package manager doesn't have verification of package contents).
 
Old 11-05-2007, 11:14 AM   #6
odiseo77
Senior Member
 
Original Poster
Well, I installed alien with all its dependencies (rpm, etc.) on the living room machine (another machine running Gutsy as well), ran rkhunter and got the same warning for /usr/bin/rpm. Then I checked its md5sum and sha1 sum (on the same machine), and they exactly match the ones I posted above (from my own machine, the first one I got this warning from), so I guess this is a fake positive? (taking a deep breath)

As for the rpm installation source, it came from the Ubuntu official repositories, so I guess it's fine (I haven't installed automatix or any other 3rd party software management software; I only have the official Ubuntu repos enabled).

Thanks for the 'rkhunter --propupd' tip; I ran it, then did a re-scan of my system and everything went ok.

Thank you a lot for your help, guys; I can rest in peace now
 
Old 11-05-2007, 11:29 AM   #7
unSpawn
Moderator
 
Quote:
Originally Posted by odiseo77
so I guess this is a fake positive? (...) As for the rpm installation source, it came from the Ubuntu official repositories, so I guess it's fine (I haven't installed automatix or any other 3rd party software management software; I only have the official Ubuntu repos enabled).
FWIW and speaking in general wrt errors, alerts, hunches, gut feelings or whatever else: you shouldn't think, assume or guess something is a false positive but make certain it is (check, pristine package, package manager).
 
Old 11-05-2007, 11:38 AM   #8
odiseo77
Senior Member
 
Original Poster
Ok, quite well understood
 
Old 11-05-2007, 11:54 AM   #9
win32sux
Guru
 
For the record, the checksums you posted are good.
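Added worked example (not from this thread and not rkhunter's own code): a small POSIX sh model of what posts #3, #5 and #7 describe. propupd/propcheck imitate the rkhunter.dat baseline and 'rkhunter --propupd', keeping the "exists on the system but not in the baseline" warning odiseo77 got apart from a real "properties changed" hit, and verify_md5sums does the "check against a pristine package" step unSpawn insists on, using a dpkg-style .md5sums manifest. The baseline format, the function names and the stand-in files it creates under a temp directory are assumptions made for the demo; rkhunter's real check records more attributes (inode, owner, hashes in several algorithms) than this toy does.

```shell
#!/bin/sh
# Added example, not rkhunter's code. Needs POSIX sh, coreutils (md5sum, wc,
# ls, cut, mktemp) and awk. Paths are relative to a ROOT so it never touches /.

# file_props ROOT RELPATH  ->  "md5 size mode"  (what the baseline records)
file_props() {
    _f="$1/$2"
    _md5=$(md5sum "$_f" | cut -d' ' -f1)
    _size=$(wc -c < "$_f" | tr -d ' ')
    _mode=$(ls -ld "$_f" | cut -c1-10)
    printf '%s %s %s\n' "$_md5" "$_size" "$_mode"
}

# propupd ROOT BASELINE PATH...  ->  rewrite BASELINE for every watched PATH
# that exists under ROOT (the job 'rkhunter --propupd' does for rkhunter.dat).
propupd() {
    _root=$1; _base=$2; shift 2
    : > "$_base"
    for _p in "$@"; do
        [ -e "$_root/$_p" ] || continue        # watch list may name absent files
        printf '%s %s\n' "$_p" "$(file_props "$_root" "$_p")" >> "$_base"
    done
}

# propcheck ROOT BASELINE PATH...  ->  one line per watched path that exists:
#   OK | NOT_IN_BASELINE | CHANGED, followed by the path. Returns 1 on a warning.
# NOT_IN_BASELINE is the thread's situation: the file is on disk, the baseline
# predates it. CHANGED means recorded properties no longer match: investigate.
propcheck() {
    _root=$1; _base=$2; shift 2; _rc=0
    for _p in "$@"; do
        [ -e "$_root/$_p" ] || continue
        _now=$(file_props "$_root" "$_p")
        _rec=$(awk -v p="$_p" '$1 == p { print $2, $3, $4 }' "$_base")
        if [ -z "$_rec" ]; then echo "NOT_IN_BASELINE $_p"; _rc=1
        elif [ "$_rec" != "$_now" ]; then echo "CHANGED $_p"; _rc=1
        else echo "OK $_p"; fi
    done
    return $_rc
}

# verify_md5sums ROOT MANIFEST  ->  check each "<md5>  <path>" line of a
# dpkg-style .md5sums file (paths relative to /) against ROOT, like running
# 'md5sum -c' from ROOT. Prints OK/FAILED/MISSING per path; returns 1 on trouble.
verify_md5sums() {
    _root=$1; _rc=0
    while read -r _want _path; do
        [ -n "$_path" ] || continue
        if [ ! -f "$_root/$_path" ]; then echo "MISSING $_path"; _rc=1; continue; fi
        _have=$(md5sum "$_root/$_path" | cut -d' ' -f1)
        if [ "$_have" = "$_want" ]; then echo "OK $_path"
        else echo "FAILED $_path"; _rc=1; fi
    done < "$2"
    return $_rc
}

# make_root  ->  prints a throwaway root holding two constructed stand-ins for
# usr/bin/rpm2cpio and usr/bin/rpm (NOT the real binaries) and a constructed
# rpm.md5sums manifest that matches the "pristine" stand-in rpm.
make_root() {
    _d=$(mktemp -d); mkdir -p "$_d/usr/bin"
    printf 'stand-in for rpm2cpio\n' > "$_d/usr/bin/rpm2cpio"
    printf 'stand-in for rpm\n'      > "$_d/usr/bin/rpm"
    chmod 755 "$_d/usr/bin/rpm2cpio" "$_d/usr/bin/rpm"
    printf '%s  usr/bin/rpm\n' "$(md5sum "$_d/usr/bin/rpm" | cut -d' ' -f1)" > "$_d/rpm.md5sums"
    echo "$_d"
}

# scenario  ->  replays the thread on the constructed root and prints five
# verdicts for usr/bin/rpm: check with a baseline taken before rpm existed,
# pristine-package check, check after propupd, check after tampering,
# pristine-package check after tampering.
scenario() {
    _r=$(make_root); _b="$_r/rkhunter.dat"; _w="usr/bin/rpm usr/bin/rpm2cpio"
    propupd "$_r" "$_b" usr/bin/rpm2cpio                                   # baseline predates rpm
    _s1=$(propcheck "$_r" "$_b" $_w | awk '$2 == "usr/bin/rpm" { print $1 }')
    _s2=$(verify_md5sums "$_r" "$_r/rpm.md5sums" | awk '{ print $1 }')    # matches package manifest
    propupd "$_r" "$_b" $_w                                                # --propupd only after that check
    _s3=$(propcheck "$_r" "$_b" $_w | awk '$2 == "usr/bin/rpm" { print $1 }')
    printf 'trojaned\n' >> "$_r/usr/bin/rpm"                               # now tamper with the file
    _s4=$(propcheck "$_r" "$_b" $_w | awk '$2 == "usr/bin/rpm" { print $1 }')
    _s5=$(verify_md5sums "$_r" "$_r/rpm.md5sums" | awk '{ print $1 }')
    rm -rf "$_r"
    echo "$_s1 $_s2 $_s3 $_s4 $_s5"
}

echo "verdicts for usr/bin/rpm: $(scenario)"
```

On a Debian/Ubuntu box the real counterpart of verify_md5sums is `dpkg -S /usr/bin/rpm` to confirm which package owns the file, then `cd / && md5sum -c /var/lib/dpkg/info/rpm.md5sums` (or `debsums rpm`). A local .md5sums file can itself be edited on a compromised host, which is why win32sux asked for hashes taken from a live CD and unSpawn says to compare against a pristine package from the repository rather than trusting the installed copy. Run `rkhunter --propupd` only once the file is known good; otherwise the baseline just learns the bad one and the warning goes away for the wrong reason.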
 
Tags
rkhunter, rpm