file utility md5sum

slackamp · 06-04-2007, 02:50 PM

Can someone please provide me their /usr/bin/file md5sum.

rkhunter is detecting that this file is BAD.

Here is mine.
# md5sum /usr/bin/file
604cc461f8b8ef332ff2b8b693cd4595 /usr/bin/file

.

slackamp · 06-04-2007, 02:53 PM

i downloaded the file package from one of the slackware mirrors (tds) and verified that the md5sum matches.

dive · 06-04-2007, 03:05 PM

a4f5bae7ed7940c6a829cb6eb9767b08 /usr/bin/file

from -current

Road_map · 06-04-2007, 03:40 PM

604cc461f8b8ef332ff2b8b693cd4595 /usr/bin/file

from Slackware-stable

"unknown hashes", because I installed rkhunter before file-4.20-i486-1_slack11.0.tgz. This package was not in initial install, was added in /patches (0a9109c5f0a8d44e018b70b140c77a46 file-4.20-i486-1_slack11.0.tgz is the correct md5sum for downloaded package).

pwc101 · 06-04-2007, 03:54 PM

604cc461f8b8ef332ff2b8b693cd4595 /usr/bin/file

I also installed the new file from /patches.

H_TeXMeX_H · 06-04-2007, 03:59 PM

Do 'rkhunter --update', that should fix it.

dive · 06-04-2007, 04:02 PM

file --version
file-4.20

Road_map · 06-04-2007, 04:24 PM

Code:

# rkhunter --update
Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file                      : Up to date
[DB] MD5 hashes system binaries       : Up to date
[DB] Operating System information     : Update available
  Action: Database updated (current version: 2006111400, new version 2007060301)
[DB] MD5 blacklisted tools/binaries   : Up to date
[DB] Known good program versions      : Update available
  Action: Database updated (current version: 2007040501, new version 2007051701)
[DB] Known bad program versions       : Up to date

Then again:

Quote:

/usr/bin/file [ BAD ]

pwc101 · 06-04-2007, 04:39 PM

Perhaps unSpawn (or the rkhunter devel team) haven't got the new md5sum for this version of file in their database. I emailed one the other day, and they promptly added it, so it might be worth an email to check...

H_TeXMeX_H · 06-04-2007, 04:52 PM

Either way, 'file' is just fine ... I mean if the md5sum matches the mirror, then it should be fine. The rkhunter devs must update their md5sums.

slackamp · 06-04-2007, 08:00 PM

thanks for all the replies. yah i thought it was ok i just wanted to verify. i did do an rkhunter --update before running the check. i also have file installed from /patches. again thanks for the replies, i was just a little paranoid.

gilead · 06-04-2007, 08:36 PM

You can download hashupd.sh from the rkhunter site and use it to update the hash from the new version of file. I went through the same thing here...