rootkit hunter shows warning messages

bhert · 08-15-2008, 07:45 PM

I Installed Kubuntu alongside suse about a month ago. I installed rootkit for Kubuntu in the beginning and had cron run it daily.

I checked the log today and found something strange. Just about every file in /bin, /usr/bin, /sbin, /usr/sbin showed the warning messages but won't tell me why it is shown.

Rkhunter file was not one of them.

I checked the owner, permissions, and the times for the files and didn't see any changes. rkhunter did not find any rootkits also.

Has this happened to anybody. Should I be worried? Thanks

-bhert

{BBI}Nexus{BBI} · 08-15-2008, 07:53 PM

The reason for the warnings is shown in the /var/log/rkhunter.log file. e.g.

Code:

14:45:00] /usr/bin/whatis                                   [ Warning ]
[14:45:01] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

bhert · 08-17-2008, 05:44 PM

Thanks for replying Nexus, Aren't these files executables and scripts? How was it replaced? Updates maybe?

-bhert

bhert · 08-20-2008, 06:54 PM

The log also says that the inode properties of the files have been changed. I am not sure what that means.

-bhert

unSpawn · 08-21-2008, 12:34 PM

If you use tools it would be good to know what they can and can't do. So I'd suggest you read the docs that came with RKH. Those, and the comments in the rkhunter.conf, should give you an idea bout most things. Then it would be easier to ask more specific questions that aren't answered already in the RKH mailing list archives and LQ fora.