Old 06-17-2004, 07:28 PM   #1
Scarpa
LQ Newbie
 
Registered: Feb 2003
Location: Sydney, Australia.
Posts: 13

Rep: Reputation: 0
Question RKHUNTER: Bad MD5 Checksums


Hey guys,

I have a small query for you all and would appreciate any advice/comments.

I have done a fresh install of Fedora Core 2 (minimal programs needed as per security). I then installed Firestarter for the firewall (and started it straight away). Installed RKHUNTER for rootkit check etc. Ran RKHUNTER for first check (everything fine). Then connected cable modem and went to RedHat Live Update (up2date) service and downloaded and installed required packages etc (including kernel - I think that was the wrong thing to do with regards to kernel but anyway).

Now, after up2date and install (including Kernel) I ran RKHUNTER again and received the following:

1) ifconfig [BAD]
2) netstat [BAD]
Your MD5 checksums do not match

That's pretty much it. What does this all mean? What action is to be taken?

As a footnote the only services I have running when doing a netstat -tul is: *bootpc*. Is this a good start also?

Anyway look forward to your help. Thanks in advance guys.
 
Old 06-18-2004, 02:54 AM   #2
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
When rkhunter is updated with new versions, md5 checksums/hashes of key binary files that are likely to be trojaned are added. The exact hash value will vary from version to version so, for example, there might be some small change between the ifconfig binary on SuSE 8.2 and on SuSE 9.0.

Rkhunter figures out what version of Linux you are running and, if it knows the "correct" hashes for that, it checks them. Keeping all those hashes up to date is a pretty thankless task and, of course, if you update something that rolls out a new version of one of those binaries, the hash is going to be wrong.

This is almost certainly a false positive, which you should be able to safely ignore.

You could also contact the maintainer (Michael) at www.rkhunter.org/contact/ and let him know the details. He puts out new versions of rkhunter every few weeks so an update should get in pretty quickly.
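
An added example, not part of any post in this thread: a sketch of the kind of check described in post #2, showing a fixed hash list reporting BAD after a legitimate update, plus a triage step against a second hash source. The function names, list format and temp files are constructed for illustration and are not rkhunter's own code.

```shell
#!/bin/sh
# Hash lists use md5sum's output format: "<md5>  <path>", one file per line.

# check_file FILE HASHLIST -> prints OK, BAD (hash differs) or UNKNOWN (not listed)
check_file() (
    want=$(awk -v f="$1" '$2 == f { print $1 }' "$2")
    have=$(md5sum "$1" | awk '{ print $1 }')
    if [ -z "$want" ]; then echo UNKNOWN
    elif [ "$have" = "$want" ]; then echo OK
    else echo BAD
    fi
)

# triage FILE TOOL_LIST PKG_LIST -> ok | stale-tool-hash | investigate
# TOOL_LIST is the scanner's shipped list. PKG_LIST stands in for digests from
# a source you trust; on RPM systems `rpm -Vf FILE` verifies the owning package
# against the RPM database, which is only as trustworthy as the host itself.
triage() (
    tool=$(check_file "$1" "$2")
    pkg=$(check_file "$1" "$3")
    case "$tool/$pkg" in
        OK/*)   echo ok ;;
        BAD/OK) echo stale-tool-hash ;;  # file is what the package shipped
        *)      echo investigate ;;      # no trusted source vouches for it
    esac
)

# Constructed walk-through in a temp directory (no real system files touched).
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    bin="$dir/ifconfig"
    printf 'ifconfig build 1\n' > "$bin"
    md5sum "$bin" > "$dir/tool.md5"      # list shipped with the scanner
    printf 'ifconfig build 2\n' > "$bin" # legitimate package update
    md5sum "$bin" > "$dir/pkg.md5"       # digest recorded for the new package
    triage "$bin" "$dir/tool.md5" "$dir/pkg.md5"
    printf 'modified outside the package manager\n' > "$bin"
    triage "$bin" "$dir/tool.md5" "$dir/pkg.md5"
)

demo
```

The first result is the situation in this thread (the scanner's list predates the update); the second is the case where the file matches neither list and the mismatch should not be dismissed.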
 
Old 06-18-2004, 05:56 AM   #3
Scarpa
LQ Newbie
 
Registered: Feb 2003
Location: Sydney, Australia.
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by iainr
Rkhunter figures out what version of Linux you are running and, if it knows the "correct" hashes for that, it checks them. Keeping all those hashes up to date is a pretty thankless task and, of course, if you update something that rolls out a new version of one of those binaries, the hash is going to be wrong.
Hi Iain

Thanks very much for your reply.

I wasn't too sure what was happening and when I downloaded from up2date and saw this change (in rkhunter) the box was taken offline straight away...anyway will send the changes to (Michael) at www.rkhunter.org/contact/
 
  

