LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-23-2010, 05:28 AM   #1
skoinga
Member
 
Registered: May 2010
Posts: 87

Rep: Reputation: 0
rkhunter warnings


Hi all.

Last night I received the classic rkhunter's email with several warnings inside:

Quote:
Warning: The file properties have changed:
File: /bin/awk
Current hash: Unavailable
Stored hash : b7099b4cc99ad98f476292f4d57cc65ea6baf8c3
Try running the command 'prelink /bin/awk' to resolve dependency errors.
Warning: The file properties have changed:
File: /bin/cp
Current hash: Unavailable
Stored hash : f5dfabb5f556ea09d1fd2cb5f632929db7d45827
Try running the command 'prelink /bin/cp' to resolve dependency errors.
Warning: The file properties have changed:
File: /bin/date
Current hash: Unavailable
Stored hash : a5376983f37283df3533032ee3a0435a78a9090c
Try running the command 'prelink /bin/date' to resolve dependency errors.
and so on..

Why rkhunter isn't able to calculate the hash of those files and compare it with the stored one?

Other strange thing: for the "good" file, the hash is often different!

For example, in the last rkhunter.log, /bin/awk is "good".
But:

Quote:
# sha1sum /bin/awk
e0b0457c6c7cc502eb038a663423b5700a25c058 /bin/awk
Quote:
# grep /bin/awk /var/lib/rkhunter/db/rkhunter.dat
File:/bin/awk:b7099b4cc99ad98f476292f4d57cc65ea6baf8c3:32539:0777:0:0:4:1260221563::
File:/usr/bin/awk:b7099b4cc99ad98f476292f4d57cc65ea6baf8c3:798583:0777:0:0:14:1260221584::
So, if the sha1sum is different, why rkhunter tell me that awk is secure?
Thankyou very much!
I
 
Old 12-23-2010, 11:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928
See RKH FAQ entry 3.8) When I used the '--propupd' option, Rootkit Hunter told me I had some missing hashes. What does this mean?
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Three new Rkhunter warnings... Amdx2_x64 Linux - Security 2 10-27-2010 11:48 PM
Rkhunter 1.3.6 are these warnings okay on mac os x ver.10.6.4? mistertowjam Other *NIX 1 08-21-2010 11:26 AM
RKhunter question, Getting warnings for some directories. M$ISBS Linux - Security 8 03-05-2008 02:38 AM
rkhunter warnings adityavpratap Slackware 15 02-24-2007 08:11 AM
rkhunter warnings jantman Linux - Security 4 01-23-2007 03:39 PM


All times are GMT -5. The time now is 10:04 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration