LinuxQuestions.org


g4ry 12-07-2012 10:40 AM

Rkhunter warnings

Hi all, I've been getting these warnings from rkhunter and wondered if anyone else gets these on Slackware 14. I never had these on 13.37, and I didn't bother to try rkhunter out on a fresh install until now, a week later.

Thanks.

http://pastebin.com/T5Qep1WF

Habitual 12-07-2012 10:54 AM

I've seen "Warning: The command '/path/to/some/file/here' has been replaced by a script" messages on fresh systems before when running rkhunter.

Those systems weren't Slackware 14 or my current Slack14_64, but I have seen similar, if not exact, messages of that nature.

Scarier is the 15 hours it took to run.
Summary seems ok.
Code:

[09:25:15] System checks summary
[09:25:15] =====================
[09:25:15]
[09:25:15] File properties checks...
[09:25:16] Required commands check failed
[09:25:16] Files checked: 183
[09:25:16] Suspect files: 3
[09:25:16]
[09:25:16] Rootkit checks...
[09:25:16] Rootkits checked : 317
[09:25:17] Possible rootkits: 0
[09:25:17]
[09:25:17] Applications checks...
[09:25:17] Applications checked: 8
[09:25:17] Suspect applications: 0
[09:25:18]
[09:25:18] The system checks took: 908 minutes and 47 seconds


g4ry 12-07-2012 11:04 AM

Thanks Habitual. I started it the previous night and forgot to use --skip-keypress, so I had to continue it in the morning; that's why it took so long.

Habitual 12-07-2012 01:24 PM

Quote:

Originally Posted by g4ry (Post 4844615)
Thanks Habitual. I started it the previous night and forgot to use --skip-keypress, so I had to continue it in the morning; that's why it took so long.

No worries. I fall asleep in Terminal almost every day. ;)

TommyC7 12-07-2012 02:53 PM

That's because rkhunter checks against a database to see if files have been changed or not, and in Slackware's situation those 3 files are different than on other operating systems. Generally adduser (one of the suspect files) is a program, but in Slackware it is just a script that calls useradd.

You can whitelist those 3 suspect files if you want. More details can be found in /var/log/rkhunter.log. Also, unSpawn (a moderator on the forums) is one of the developers of rkhunter.

Might be able to uncomment OS_VERSION_FILE="" and set the appropriate line, but I haven't tested it (nor do I know which line is necessary; it might be /etc/slackware-version, but like I said, I don't know, so don't quote me on that).
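One way to triage these warnings before whitelisting, as an added example that is not from this thread or from rkhunter itself: it pulls the "replaced by a script" paths out of an rkhunter.log, confirms each file really starts with a shebang line (as Slackware's adduser wrapper does), and prints the matching SCRIPTWHITELIST lines for rkhunter.conf, sending anything that does not check out to stderr for manual review. The log excerpt and the two files it checks are constructed here, and their paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed inputs: a fake "adduser"
# wrapper script, a fake non-script file, and an rkhunter.log excerpt in the
# warning format quoted in the thread. All paths are hypothetical.
WORK="${TMPDIR:-/tmp}"
FAKE_SCRIPT="$WORK/rkh-demo-adduser"   # like Slackware's adduser: a script that calls useradd
FAKE_BINARY="$WORK/rkh-demo-binary"    # a flagged path that should NOT be whitelisted blindly
SAMPLE_LOG="$WORK/rkh-demo-rkhunter.log"

printf '#!/bin/sh\nexec /usr/sbin/useradd "$@"\n' > "$FAKE_SCRIPT"
printf '\177ELF-constructed-not-a-script\n' > "$FAKE_BINARY"
cat > "$SAMPLE_LOG" <<EOF
[09:20:01] Info: Starting test name 'properties'
[09:20:02] Warning: The command '$FAKE_SCRIPT' has been replaced by a script: $FAKE_SCRIPT: POSIX shell script, ASCII text executable
[09:20:02] Warning: The command '$FAKE_BINARY' has been replaced by a script: $FAKE_BINARY: data
[09:20:03] Warning: The command '$FAKE_SCRIPT' has been replaced by a script: $FAKE_SCRIPT: POSIX shell script, ASCII text executable
[09:20:04] Info: Check completed
EOF

# Print each distinct path that rkhunter reported as "replaced by a script".
replaced_by_script_paths() {
    sed -n "s/.*Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p" "$1" | sort -u
}

# Succeed only if the file exists and starts with a '#!' interpreter line.
is_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Emit rkhunter.conf SCRIPTWHITELIST lines for warnings that check out as
# genuine scripts; anything else is reported on stderr for manual review.
scriptwhitelist_lines() {
    replaced_by_script_paths "$1" | while IFS= read -r path; do
        if is_script "$path"; then
            echo "SCRIPTWHITELIST=$path"
        else
            echo "# review manually: $path is missing or not a script" >&2
        fi
    done
}

scriptwhitelist_lines "$SAMPLE_LOG"
```

On a real box you would run it against /var/log/rkhunter.log, inspect each whitelisted script's contents by hand, then add the lines to rkhunter.conf and refresh the file properties database with rkhunter --propupd.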
