LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 12-23-2010, 04:28 AM   #1
skoinga
Member
 
Registered: May 2010
Posts: 87

Rep: Reputation: 0
rkhunter warnings


Hi all.

Last night I received the classic rkhunter's email with several warnings inside:

Quote:
Warning: The file properties have changed:
File: /bin/awk
Current hash: Unavailable
Stored hash : b7099b4cc99ad98f476292f4d57cc65ea6baf8c3
Try running the command 'prelink /bin/awk' to resolve dependency errors.
Warning: The file properties have changed:
File: /bin/cp
Current hash: Unavailable
Stored hash : f5dfabb5f556ea09d1fd2cb5f632929db7d45827
Try running the command 'prelink /bin/cp' to resolve dependency errors.
Warning: The file properties have changed:
File: /bin/date
Current hash: Unavailable
Stored hash : a5376983f37283df3533032ee3a0435a78a9090c
Try running the command 'prelink /bin/date' to resolve dependency errors.
and so on..

Why rkhunter isn't able to calculate the hash of those files and compare it with the stored one?

Other strange thing: for the "good" file, the hash is often different!

For example, in the last rkhunter.log, /bin/awk is "good".
But:

Quote:
# sha1sum /bin/awk
e0b0457c6c7cc502eb038a663423b5700a25c058 /bin/awk
Quote:
# grep /bin/awk /var/lib/rkhunter/db/rkhunter.dat
File:/bin/awk:b7099b4cc99ad98f476292f4d57cc65ea6baf8c3:32539:0777:0:0:4:1260221563::
File:/usr/bin/awk:b7099b4cc99ad98f476292f4d57cc65ea6baf8c3:798583:0777:0:0:14:1260221584::
So, if the sha1sum is different, why rkhunter tell me that awk is secure?
Thankyou very much!
I
 
Old 12-23-2010, 10:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,543
Blog Entries: 51

Rep: Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608Reputation: 2608
See RKH FAQ entry 3.8) When I used the '--propupd' option, Rootkit Hunter told me I had some missing hashes. What does this mean?
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Three new Rkhunter warnings... Amdx2_x64 Linux - Security 2 10-27-2010 10:48 PM
Rkhunter 1.3.6 are these warnings okay on mac os x ver.10.6.4? mistertowjam Other *NIX 1 08-21-2010 10:26 AM
RKhunter question, Getting warnings for some directories. M$ISBS Linux - Security 8 03-05-2008 01:38 AM
rkhunter warnings adityavpratap Slackware 15 02-24-2007 07:11 AM
rkhunter warnings jantman Linux - Security 4 01-23-2007 02:39 PM


All times are GMT -5. The time now is 03:54 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration