LinuxQuestions.org

skoinga 12-23-2010 04:28 AM

rkhunter warnings
 
Hi all.

Last night I received the classic rkhunter email with several warnings inside:

Quote:

Warning: The file properties have changed:
File: /bin/awk
Current hash: Unavailable
Stored hash : b7099b4cc99ad98f476292f4d57cc65ea6baf8c3
Try running the command 'prelink /bin/awk' to resolve dependency errors.
Warning: The file properties have changed:
File: /bin/cp
Current hash: Unavailable
Stored hash : f5dfabb5f556ea09d1fd2cb5f632929db7d45827
Try running the command 'prelink /bin/cp' to resolve dependency errors.
Warning: The file properties have changed:
File: /bin/date
Current hash: Unavailable
Stored hash : a5376983f37283df3533032ee3a0435a78a9090c
Try running the command 'prelink /bin/date' to resolve dependency errors.
and so on..

Why isn't rkhunter able to calculate the hash of those files and compare it with the stored one?

Another strange thing: for the "good" files, the hash is often different!

For example, in the last rkhunter.log, /bin/awk is "good".
But:

Quote:

# sha1sum /bin/awk
e0b0457c6c7cc502eb038a663423b5700a25c058 /bin/awk

Quote:

# grep /bin/awk /var/lib/rkhunter/db/rkhunter.dat
File:/bin/awk:b7099b4cc99ad98f476292f4d57cc65ea6baf8c3:32539:0777:0:0:4:1260221563::
File:/usr/bin/awk:b7099b4cc99ad98f476292f4d57cc65ea6baf8c3:798583:0777:0:0:14:1260221584::

So, if the sha1sum is different, why does rkhunter tell me that awk is secure?
Thank you very much!

unSpawn 12-23-2010 10:49 AM

See RKH FAQ entry 3.8) When I used the '--propupd' option, Rootkit Hunter told me I had some missing hashes. What does this mean?

