Old 12-13-2004, 09:17 PM   #1
monroetech
Member
 
Registered: Nov 2004
Location: Toledo, OH
Distribution: SuSE 9.2 Pro
Posts: 53

Rep: Reputation: 15
rkhunter found the following


1) /usr/bin/file - BAD
Note, I think this file was just updated in one of the recent YOU updates....

2)
Checking for differences in user accounts... Found differences
Info:
----------------------
> news:x:9:13:News system:/etc/news:/bin/bash
> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
< man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
< news:x:9:13:News system:/etc/news:/bin/bash
< uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
----------------------
Info: Some items have been added (items marked with '<')
Info: Some items have been removed (items marked with '>')

Ok, they are the same, what's up here?



3)
* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/sdaf9: block special (65/249)
---------------------------------------------
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb /etc/.java
/etc/.pwd.lock

I looked at the .pwd.lock file, it's blank


Anyone know what these are?


Thanks
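
The `<` and `>` lines in item 2 of the post above are the same three entries in a different order. The following is an added example, not part of the thread and not rkhunter's own code: it compares two passwd snapshots by account name, so a reordering is reported as such and only real additions, removals and modifications count as changes. The function name `passwd_diff` and the temporary files are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare two passwd snapshots by
# account name so that a pure reordering is not reported as a change.
# Assumes account names are unique within each file.

# passwd_diff OLD NEW
# Prints IDENTICAL, REORDERED, or one line per ADDED/REMOVED/MODIFIED account.
# Returns 0 when no account changed, 1 otherwise.
passwd_diff() {
    if cmp -s "$1" "$2"; then
        echo "IDENTICAL"
        return 0
    fi
    report=$(awk -F: '
        FILENAME == ARGV[1] { old[$1] = $0; next }   # remember old entries
        {
            seen[$1] = 1
            if (!($1 in old))       print "ADDED " $1
            else if (old[$1] != $0) print "MODIFIED " $1 ": " old[$1] " -> " $0
        }
        END { for (n in old) if (!(n in seen)) print "REMOVED " n }
    ' "$1" "$2" | LC_ALL=C sort)
    if [ -z "$report" ]; then
        echo "REORDERED"
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Demo: the three entries from the rkhunter output above, in both orders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/old" <<'EOF'
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
EOF
cat > "$demo_dir/new" <<'EOF'
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
EOF
passwd_diff "$demo_dir/old" "$demo_dir/new"
rm -rf "$demo_dir"
```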
 
Old 12-13-2004, 09:46 PM   #2
phatbastard
Member
 
Registered: Mar 2004
Location: Houston, Texas
Distribution: Kubuntu, zenwalk
Posts: 117

Rep: Reputation: 15
I ran into the same problem when I ran rkhunter. I'm using Slackware and updated to 'current', and now I get some 'bin' files are bad, check md5 checksums, etc. Did some Google research and found out from Pat that more than likely it's from rkhunter not recognizing current files.
 
Old 12-14-2004, 07:47 PM   #3
furfurdemon666
Member
 
Registered: Mar 2004
Posts: 171

Rep: Reputation: 30
I'd fill out the contact form (on the rkhunter website) and report this issue to the author of rkhunter. I use it too and noticed the same thing following a recent YOU/YaST update(s) including a recent upgrade to KDE 3.3.2. I tried the ./rkhunter --update (Run update tool and check for database updates) but still saw the "file" listed as [BAD].

The more people who respond directly to the author, the quicker issues like this will be resolved.

Last edited by furfurdemon666; 12-14-2004 at 07:57 PM.
 
Old 12-20-2004, 08:51 PM   #4
furfurdemon666
Member
 
Registered: Mar 2004
Posts: 171

Rep: Reputation: 30

This issue with rkhunter (latest version) and SUSE 9.1 with:

/usr/bin/file

showing as [BAD]

has been resolved. I updated rkhunter with

Code:
./rkhunter --update
And ran a new scan with

Code:
./rkhunter -c
and /usr/bin/file no longer shows as [BAD].
 
  

