
monroetech 12-13-2004 10:17 PM

rkhunter found the following
1) /usr/bin/file - BAD
Note, I think this file was just updated in one of the recent YOU updates....

Checking for differences in user accounts... Found differences
> news:x:9:13:News system:/etc/news:/bin/bash
> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
< man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
< news:x:9:13:News system:/etc/news:/bin/bash
< uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
Info: Some items have been added (items marked with '<')
Info: Some items have been removed (items marked with '>')

Ok, they are the same, what's up here?

* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
Unusual files:
/dev/sdaf9: block special (65/249)
Scanning for hidden files... [ Warning! ]
/dev/.udev.tdb /etc/.java

I looked at the .pwd.lock file, it's blank

Anyone know what these are?
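
The account diff quoted in the post lists the same three entries on both sides, only in a different order, which is what a line-by-line comparison reports when lines move. As an added example (not part of the original post and not rkhunter's own code), the script below compares two passwd snapshots by account name, so reordering is ignored and real changes to a UID, shell or other field stand out. The snapshot strings are constructed from the quoted lines, and treating the '>' lines as the older copy is an assumption.

```python
# Added example: order-insensitive comparison of two passwd snapshots.
# Sample data is constructed from the entries quoted in the post; which
# side is "old" and which is "new" is an assumption.

OLD_SNAPSHOT = """\
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
"""

NEW_SNAPSHOT = """\
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
"""

FIELDS = ("password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Map account name -> dict of the remaining six passwd fields."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return accounts

def compare_accounts(old_text, new_text):
    """Return (added, removed, changed), ignoring line order."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = {}
    for name in sorted(old.keys() & new.keys()):
        # Record (old, new) for every field that differs on this account.
        diff = {f: (old[name][f], new[name][f])
                for f in FIELDS if old[name][f] != new[name][f]}
        if diff:
            changed[name] = diff
    return added, removed, changed

if __name__ == "__main__":
    print(compare_accounts(OLD_SNAPSHOT, NEW_SNAPSHOT))
```
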


phatbastard 12-13-2004 10:46 PM

I ran into the same problem when I ran rkhunter. I'm using Slackware and updated to 'current', and now I get some 'bin' files are bad, check md5 checksums, etc. Did some Google research and found out from Pat that more than likely it's from rkhunter not recognizing current files.

furfurdemon666 12-14-2004 08:47 PM

I'd fill out the contact form (on the rkhunter website) and report this issue to the author of rkhunter. I use it too and noticed the same thing following a recent YOU/YaST update(s) including a recent upgrade to KDE 3.3.2. I tried the ./rkhunter --update (Run update tool and check for database updates) but still saw the "file" listed as [BAD].

The more people who respond directly to the author, the quicker issues like this will be resolved.

furfurdemon666 12-20-2004 09:51 PM

This issue with rkhunter (latest version) and SUSE 9.1 with:


showing as [BAD]

has been resolved. I updated rkhunter with


./rkhunter --update
And ran a new scan with


./rkhunter -c
and /usr/bin/file no longer shows as [BAD].
