LinuxQuestions.org


qwertyjjj 04-28-2011 03:52 AM

rkhunter warnings
 
For no apparent reason, I have started to receive a load of rkhunter warnings about files in /usr/bin. They are mostly going on about a Bourne_Again script text.
Is this a false positive or is there something else that could be amiss? There do not seem to be any rootkits present in the system.

However, nothing shows up in the log although a lot of the files have this instead:
[08:41:59] Warning: Package manager verification has failed:
[08:41:59] File: /usr/bin/sha512sum
[08:41:59] Try running the command 'prelink /usr/bin/sha512sum' to resolve dependency errors.
[08:41:59] The file hash value has changed
[08:41:59] The file size has changed

Is this a bug?

Code:

[08:40:52]  Checking for prerequisites                      [ OK ]
[08:41:01]  /sbin/chkconfig                                [ Warning ]
[08:41:01] Warning: Package manager verification has failed:
[08:41:01]          File: /sbin/chkconfig
[08:41:01]          Try running the command 'prelink /sbin/chkconfig' to resolve dependency errors.
[08:41:01]          The file hash value has changed
[08:41:01]          The file size has changed
[08:41:01]  /sbin/depmod                                    [ Warning ]
[08:41:01] Warning: Package manager verification has failed:
[08:41:01]          File: /sbin/depmod
[08:41:01]          Try running the command 'prelink /sbin/depmod' to resolve dependency errors.
[08:41:01]          The file hash value has changed
[08:41:01]          The file size has changed
[08:41:02]  /sbin/fsck                                      [ Warning ]
[08:41:02] Warning: Package manager verification has failed:
[08:41:02]          File: /sbin/fsck
[08:41:02]          Try running the command 'prelink /sbin/fsck' to resolve dependency errors.
[08:41:02]          The file hash value has changed
[08:41:02]          The file size has changed
[08:41:02]  /sbin/fuser                                    [ Warning ]
[08:41:02] Warning: Package manager verification has failed:
[08:41:02]          File: /sbin/fuser
[08:41:02]          Try running the command 'prelink /sbin/fuser' to resolve dependency errors.
[08:41:02]          The file hash value has changed
[08:41:02]          The file size has changed
[08:41:03]  /sbin/ifconfig                                  [ Warning ]


Noway2 04-28-2011 05:05 AM

Quote:

For no apparent reason, I have started to receive a load of rkhunter warnings about files in /usr/bin. ... The file hash value has changed ... The file size has changed
Did you recently perform an update of your system? This would be the most likely cause. If so, the database stored in rkhunter is probably out of date.

From the rkhunter manpages:
Quote:

WARNING: It is the users responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.
From your post profile, it looks like you are running CentOS. In this case you should be able to verify your installed files against the repository easily. I believe the command is RPM -vV. See this link from rpm.org.
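
A triage sketch for the warnings discussed in this thread, added here as an example and not code from either poster: it pulls the flagged paths out of an rkhunter log and checks each one against the RPM database before `--propupd` is considered. The function names and the embedded sample log are constructed for illustration; `rpm -qf` and `rpm -Vf` need an RPM-based system such as the CentOS host assumed in the reply.

```shell
#!/bin/sh
# Added example: triage rkhunter file-property warnings before running --propupd.

# Constructed sample in the same format as the log excerpt in the question.
sample_log() {
cat <<'EOF'
[08:41:01]  /sbin/chkconfig                                [ Warning ]
[08:41:01] Warning: Package manager verification has failed:
[08:41:01]          File: /sbin/chkconfig
[08:41:01]          The file hash value has changed
[08:41:01]          The file size has changed
[08:41:02]  /sbin/fsck                                      [ Warning ]
[08:41:02] Warning: Package manager verification has failed:
[08:41:02]          File: /sbin/fsck
[08:41:02]          The file hash value has changed
EOF
}

# Read an rkhunter log on stdin; print "<path> <reasons>" once per flagged file.
flagged_files() {
  awk '
    function emit() { if (file != "") print file, (why == "" ? "unknown" : why) }
    / File: \//                   { emit(); file = $NF; why = "" }
    /file hash value has changed/ { why = why (why == "" ? "" : ",") "hash" }
    /file size has changed/       { why = why (why == "" ? "" : ",") "size" }
    END { emit() }
  ' | sort -u
}

# For each flagged path, show the owning package and verify it against the RPM
# database. Files that no package owns are listed separately for manual review.
verify_flagged() {
  flagged_files | while read -r path why; do
    if ! rpm -qf "$path" >/dev/null 2>&1; then
      echo "UNOWNED $path ($why)"
      continue
    fi
    echo "== $path ($why): $(rpm -qf "$path" | tr '\n' ' ')"
    # In rpm -V output, S marks a size difference and 5 a digest difference.
    rpm -Vf "$path" || true
  done
}
```

Run it as `verify_flagged < rkhunter.log`. `rpm -V` compares files against the local RPM database, so its answer is only as trustworthy as that database.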

