Old 08-15-2008, 07:45 PM   #1
bhert
Member
 
Registered: May 2006
Distribution: OpenSUSE 10.3 Kubuntu Hardy Heron
Posts: 268

Rep: Reputation: 30
rootkit hunter shows warning messages


I installed Kubuntu alongside SUSE about a month ago. I installed rootkit for Kubuntu in the beginning and had cron run it daily.

I checked the log today and found something strange. Just about every file in /bin, /usr/bin, /sbin, /usr/sbin showed the warning messages, but it won't tell me why they are shown.

The rkhunter file was not one of them.

I checked the owner, permissions, and the times for the files and didn't see any changes. rkhunter did not find any rootkits either.

Has this happened to anybody? Should I be worried? Thanks

-bhert
 
Old 08-15-2008, 07:53 PM   #2
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 4
Posts: 4,305

Rep: Reputation: 205
The reason for the warnings is shown in the /var/log/rkhunter.log file. e.g.
Code:
[14:45:00] /usr/bin/whatis                                   [ Warning ]
[14:45:01] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
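
To get the reason for every warned file at once, the lookup described in the reply above can be scripted. This is an added example, not part of the original post and not rkhunter's own code; it assumes the log layout shown in that reply, and the function names and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: pair each "[ Warning ]" result line in an rkhunter log with
# the "Warning:" explanation line(s) that follow it.
# rkh_warning_reasons and rkh_sample_log are hypothetical helper names.

rkh_warning_reasons() {
    # $1 = log file to read; "-" reads standard input.
    awk '
    {
        line = $0
        sub(/^\[[0-9:]+\][ \t]*/, "", line)   # drop the [HH:MM:SS] prefix
    }
    line ~ /\[ Warning \][ \t]*$/ {
        # Result line for a check that warned: remember what was checked.
        current = line
        sub(/[ \t]*\[ Warning \][ \t]*$/, "", current)
        next
    }
    line ~ /^Warning:/ {
        # Explanation line: report it next to the item it belongs to.
        reason = line
        sub(/^Warning:[ \t]*/, "", reason)
        printf "%s\t%s\n", (current != "" ? current : "(no preceding check line)"), reason
        next
    }
    # Any other result line, such as "[ OK ]", ends the current context.
    line ~ /\[ [A-Za-z ]+ \][ \t]*$/ { current = "" }
    ' "${1:-/var/log/rkhunter.log}"
}

rkh_sample_log() {
    # Constructed sample: the whatis entry is the one quoted in the reply,
    # the other lines are made up to exercise the parser.
    cat <<'EOF'
[14:44:59] /usr/bin/wc                                       [ OK ]
[14:45:00] /usr/bin/whatis                                   [ Warning ]
[14:45:01] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[14:45:02] /usr/bin/example                                  [ Warning ]
[14:45:02] Warning: constructed reason text for illustration
[14:45:03] /usr/bin/whereis                                  [ OK ]
EOF
}

# Demo on the embedded sample; on a real system pass the log path instead.
rkh_sample_log | rkh_warning_reasons -
```

Run against the real log with `rkh_warning_reasons /var/log/rkhunter.log`; the output is one tab-separated line per warning, file first and reason second.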
 
Old 08-17-2008, 05:44 PM   #3
bhert
Member
 
Registered: May 2006
Distribution: OpenSUSE 10.3 Kubuntu Hardy Heron
Posts: 268

Original Poster
Rep: Reputation: 30
Thanks for replying, Nexus. Aren't these files executables and scripts? How was it replaced? Updates maybe?

-bhert
 
Old 08-20-2008, 06:54 PM   #4
bhert
Member
 
Registered: May 2006
Distribution: OpenSUSE 10.3 Kubuntu Hardy Heron
Posts: 268

Original Poster
Rep: Reputation: 30
The log also says that the inode properties of the files have been changed. I am not sure what that means.

-bhert
 
Old 08-21-2008, 12:34 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,454
Blog Entries: 54

Rep: Reputation: 2896
If you use tools it would be good to know what they can and can't do. So I'd suggest you read the docs that came with RKH. Those, and the comments in the rkhunter.conf, should give you an idea about most things. Then it would be easier to ask more specific questions that aren't answered already in the RKH mailing list archives and LQ fora.
 
  


All times are GMT -5.
