Running Slackware 10.2 with kernel version 2.4.31
I run Rootkit Hunter and chkrootkit about twice a day. I decided to make a simple bash script to make the process a little easier; here is the code:
Code:
#!/bin/bash
# This script is for executing chkrootkit and Rootkit Hunter (update & scan)
# without all of the typing.
# Run as root.
# Stop if the chkrootkit directory is missing, so ./chkrootkit is not run
# from the wrong place.
cd /usr/newapps/chkrootkit-0.47 || exit 1
./chkrootkit
rkhunter --update
rkhunter -c
exit 0
I decided to test the script (while in my home directory /home/michael/bin). chkrootkit said everything was fine, but when Rootkit Hunter ran I got this warning:
Code:
* OS dependant tests
Linux
Checking loaded kernel modules...[ Warning! (found difference in output) ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]
To see if the warning would come up again, I decided to run Rootkit Hunter normally by typing rkhunter -c in root. Here are the commands I typed:
Code:
root@toroidal:/home/michael/bin# rkhunter --update
root@toroidal:/home/michael/bin# rkhunter -c
The warning did not come up again. I tried running chkrootkit to see if it would show me something, but it said everything was O.K. I decided to run my bash script again, but the warning did not come up in Rootkit Hunter.
Running my bash script the first time I got the warning, but it did not show up the second time. chkrootkit did not show any errors or warnings, and Rootkit Hunter did not show the warning again (regardless of using the script or not).
This is the first time this has happened. I did not update the kernel, nor did I update kernel modules. I searched Google and LQ but nothing came up. Nothing obvious is different with my system (like password changes, deleted files, etc.). I should note that it seems Rootkit Hunter 1.2.9 does not fully support my OS.
Code:
root@toroidal:/home/michael/bin# rkhunter --update;rkhunter -c
Running updater...
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : ERROR
Fatal error: no valid version tag in filename
Ready.
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!
Has anybody come across anything like this before? Does anybody have a reasonable explanation for this?
Does anybody think that I've been compromised? Should I be worried about this warning?
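As an added example (not from the original post and not rkhunter's own code), here is a small POSIX shell script that mirrors what the "loaded kernel modules" check is assumed to do in rkhunter 1.2.x: take the module names from lsmod and from /proc/modules and report any name that appears in only one of them. The sample module listings embedded in it are constructed; RUN_LIVE=1 is an assumed switch for comparing the running system instead.

```shell
#!/bin/sh
# Added example, not from the original post or from rkhunter: it mirrors the
# assumed logic of the "loaded kernel modules" check (lsmod vs /proc/modules).
export LC_ALL=C   # identical collation for sort and comm

# Module names from lsmod-style text on stdin, sorted; lsmod's first line is
# the "Module  Size  Used by" header and is skipped.
names_from_lsmod() {
    awk 'NR > 1 && NF > 0 { print $1 }' | sort
}

# Module names from /proc/modules-style text on stdin, sorted (no header).
names_from_proc() {
    awk 'NF > 0 { print $1 }' | sort
}

# compare_module_lists LSMOD_TEXT PROC_TEXT
# Prints names present in only one listing (lsmod-only flush left,
# /proc/modules-only indented by a tab, as comm -3 formats them).
# Returns 0 when the views agree, 1 when they differ, 2 on a temp-file error.
compare_module_lists() {
    tmp_a=$(mktemp) || return 2
    tmp_b=$(mktemp) || { rm -f "$tmp_a"; return 2; }
    printf '%s\n' "$1" | names_from_lsmod > "$tmp_a"
    printf '%s\n' "$2" | names_from_proc > "$tmp_b"
    differences=$(comm -3 "$tmp_a" "$tmp_b")
    rm -f "$tmp_a" "$tmp_b"
    if [ -n "$differences" ]; then
        printf '%s\n' "$differences"
        return 1
    fi
    return 0
}

# Constructed sample: /proc/modules lists usb_storage but the lsmod view does
# not, which is the kind of mismatch the warning reports.
SAMPLE_LSMOD='Module                  Size  Used by
ipv6                  231424  12
e1000                  79872  0'
SAMPLE_PROC='ipv6 231424 12 - Live 0xf8a40000
e1000 79872 0 - Live 0xf8970000
usb_storage 65536 0 - Live 0xf8950000'

# RUN_LIVE=1 (as root, on Linux) compares the running system instead.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    lsmod_text=$(lsmod); proc_text=$(cat /proc/modules)
else
    lsmod_text=$SAMPLE_LSMOD; proc_text=$SAMPLE_PROC
fi
compare_module_lists "$lsmod_text" "$proc_text" || echo "Warning: module views differ"
```

A difference that shows up in one run and not the next is consistent with a module being loaded or unloaded between the two reads; one that persists across runs is the case worth examining by hand, starting with the names the script prints.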