Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is there any posibilitie that snort changes the grep, egrep and fgreps binaries??
Yesterday i have installed snort with default conf and today, when I ran rkhunter, the three appears as modified.
Those are the only binaries that appears to be modified.
In the other hands, the only suspicious in the logs are the automated ssh login attempts.
I will copy those files from another machine, but first i will like to hear your opinions.
No. I actually just tested this just to be sure (I was putting Snort on a test system). It shouldn't change the MD5sums on any of them. Did RKHunter tell you what failed (maybe something other than md5sum)? If you're using an rpm-based system try using the following to verify package integrity:
rpm -V grep
If not, try comparing it's md5sum to a known good version.
That's what it displays. libc and ld-linux are there, i don't know if libpcre must be there. But I assume it must be there, since is the perl compatible regex library.
when I ran rkhunter, the three appears as modified.
Those are the only binaries that appears to be modified.
Rkhunter ships with static md5sum lists and should not be used as the most important or even single point of authority when it comes to verifying sums. Running a filesystem checker like Aide or Samhain is a better option. if you save their databases on readonly media, just after you installed your OS, it's even better than verifying against your OSes package manager databases.
In the other hands, the only suspicious in the logs are the automated ssh login attempts.
Good thing you verified your logs. Should be one of the first things on one's mind on a networked box.
/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/bin/egrep [ BAD ]
It's in the Rkhunter FAQ under "Errors from external software": E1: run /etc/cron.daily/prelink.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.