LinuxQuestions.org

Linux - Security: rootkit hunter warning found differences in output kernel modules (https://www.linuxquestions.org/questions/linux-security-4/rootkit-hunter-warning-found-differences-in-output-kernel-modules-525559/)

opto 02-04-2007 03:12 PM

rootkit hunter warning found differences in output kernel modules
 
Running Slackware 10.2 with kernel version 2.4.31

I run Rootkit Hunter and chkrootkit about twice a day. I decided to make a simple bash script to make the process a little easier; here is the code:
Code:

#!/bin/bash
# This script is for executing chkrootkit and Rootkit Hunter (update & scan)
# without all of the typing.
# Run as root.

# Stop if the chkrootkit directory is missing, so ./chkrootkit is not run
# from whatever directory we happened to start in.
cd /usr/newapps/chkrootkit-0.47 || exit 1
./chkrootkit
rkhunter --update
rkhunter -c
exit 0

I decided to test the script (while in my home directory /home/michael/bin). chkrootkit said everything was fine, but when Rootkit Hunter ran I got this warning:
Code:

* OS dependant tests

 Linux
  Checking loaded kernel modules...[ Warning! (found difference in output) ]
  Checking file attributes        [ OK ]
  Checking LKM module path        [ OK ]

To see if the warning would come up again, I decided to run Rootkit Hunter normally by typing rkhunter -c as root. Here are the commands I typed:
Code:

root@toroidal:/home/michael/bin# rkhunter --update
root@toroidal:/home/michael/bin# rkhunter -c

The warning did not come up again. I tried running chkrootkit to see if it would show me something, but it said everything was O.K. I decided to run my bash script again, but the warning did not come up in Rootkit Hunter.

Running my bash script the first time I got the warning, but it did not show up the second time. chkrootkit did not show any errors or warnings, and Rootkit Hunter did not show the warning again (regardless of using the script or not).

This is the first time this has happened. I did not update the kernel, nor did I update kernel modules. I searched Google and LQ but nothing came up. Nothing obvious is different with my system (like password changes, deleted files, etc.). I should note that it seems Rootkit Hunter 1.2.9 does not fully support my OS.

Code:

root@toroidal:/home/michael/bin# rkhunter --update;rkhunter -c
Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file                      : Up to date
[DB] MD5 hashes system binaries      : Up to date
[DB] Operating System information    : ERROR
Fatal error: no valid version tag in filename

Ready.


Rootkit Hunter 1.2.9 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Has anybody come across anything like this before? Does anybody have a reasonable explanation for this?
Does anybody think that I've been compromised? Should I be worried about this warning?

unSpawn 02-04-2007 04:23 PM

Checking loaded kernel modules...[ Warning! (found difference in output) ]
The first thing to check would be your rkhunter.log.


I should note that it seems Rootkit Hunter 1.2.9 does not fully support my OS.
If you read the accompanying(/online) FAQ and/or rkhunter-users mailing list archives you'd see running 'hashupd' fixes that. The upcoming version of RKH will have none of those issues anymore.


Has anybody come across anything like this before?
No.


Does anybody have a reasonable explanation for this?
No. In 1.2.9 the code is a diff between these two commands:
Code:

]# vi rkhunter
:set number

  3759                        temp1=`cat /proc/modules | sort | tr -d ' '`
  3763                    temp2=`lsmod | grep -v "Size  Used by" | sort | tr -d ' '`

so it would be ultra easy to generate a script to test for yourself if this occurs more than sporadically.


Does anybody think that I've been compromised? Should I be worried about this warning?
I cannot tell because you do not present "evidence" that points in either direction. Doubts should be addressed by running checks. If you need guidance use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html (as RKH's FAQ would point you to).
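
The script unSpawn suggests, written out as an added example (not rkhunter's own code and not posted by anyone in the thread). It repeats the same two-command comparison that the quoted rkhunter 1.2.9 lines perform, so the warning can be reproduced or shown to be sporadic; because the two reads happen one after the other, a module loaded or unloaded in between (a 2.4 "autoclean" module, for instance) will show up as a one-off difference, which is the benign explanation worth ruling out before assuming anything is hiding modules. The sample listings are constructed in 2.4-era format to match the thread's kernel version, and the script name lkm-diff-check.sh is an assumption:

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Repeats the loaded-kernel-module
# comparison that rkhunter 1.2.9 makes (the two lines quoted above):
#   temp1=`cat /proc/modules | sort | tr -d ' '`
#   temp2=`lsmod | grep -v "Size  Used by" | sort | tr -d ' '`
# The two reads are separate commands, so a module autoloaded or unloaded
# between them produces a single mismatch that does not recur.

export LC_ALL=C   # deterministic sort order regardless of the caller's locale

# Normalise one listing the way rkhunter does: drop the lsmod header line,
# sort, strip every space. Reads stdin, writes stdout.
normalize_modules() {
    grep -v 'Size  Used by' | sort | tr -d ' '
}

# Compare two listings passed as strings. Returns 0 when they agree after
# normalisation, 1 otherwise; on mismatch prints which entries differ.
compare_module_listings() {
    a=$(printf '%s\n' "$1" | normalize_modules)
    b=$(printf '%s\n' "$2" | normalize_modules)
    [ "$a" = "$b" ] && return 0
    printf '%s\n' "$a" | while IFS= read -r line; do
        printf '%s\n' "$b" | grep -qxF -- "$line" || echo "  only in /proc/modules: $line" >&2
    done
    printf '%s\n' "$b" | while IFS= read -r line; do
        printf '%s\n' "$a" | grep -qxF -- "$line" || echo "  only in lsmod: $line" >&2
    done
    return 1
}

# Run the live comparison N times, PAUSE seconds apart, and print how many
# runs disagreed. A count of 0 or 1 out of many points at a transient
# module load/unload; a persistent mismatch is what actually needs chasing.
check_live_modules() {
    n=${1:-20}; pause=${2:-3}; bad=0; i=0
    while [ "$i" -lt "$n" ]; do
        if ! compare_module_listings "$(cat /proc/modules)" "$(lsmod)"; then
            bad=$((bad + 1))
            echo "$(date '+%F %T') mismatch #$bad" >&2
        fi
        i=$((i + 1))
        [ "$i" -lt "$n" ] && sleep "$pause"
    done
    echo "$bad"
}

# Constructed sample listings in 2.4-era format (not captured from a real
# machine), so the comparison can be exercised without root or /proc.
SAMPLE_PROC='nls_iso8859-1 2848 1 (autoclean)
ext3 64512 2
jbd 40020 2 [ext3]'
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ext3                   64512   2
jbd                    40020   2 [ext3]
nls_iso8859-1           2848   1 (autoclean)'
# The same machine a moment later, after usb-storage was autoloaded.
SAMPLE_LSMOD_CHANGED="$SAMPLE_LSMOD
usb-storage            60000   0 (unused)"

# Only touch the real /proc/modules and lsmod when asked to:
#   sh lkm-diff-check.sh --live [runs] [pause-seconds]
case "${1:-}" in
    --live) check_live_modules "${2:-20}" "${3:-3}" ;;
esac
```

Run it as root with `--live 50 2` while the box is doing its normal work (mounting USB media, loading filesystem or network modules) and compare the mismatch count with a quiet run; the sample data at the bottom shows what a single autoloaded module looks like to the check.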

opto 02-04-2007 10:24 PM

I checked out the CERT checklist that you linked to. I did all of the checks and so far everything seems to be O.K. I am still going to investigate further. I might just reinstall just to make sure. Thanks for the help.

unSpawn 02-05-2007 03:33 AM

I checked out CERT that you linked to, I did all of the checks and so far everything seems to be O.K.
OK, good to hear.


I am still going to investigate further.
May I ask what and how? If everything checked out from the Intruder Detection Checklist the next thing I would do is boot a Live CD like Helix or KNOPPIX and check filesystem integrity.


I might just reinstall just to make sure.
Don't conclude that too easily. There's still a chance of it being a false positive.

opto 02-06-2007 11:35 AM

Follow-up Post

After trying to check the file system with Knoppix, I just decided to upgrade to Slackware 11.0. I did not install all of my backup files, fearing that any one of them could be infected (I only installed the files that I absolutely trusted).

I know I did the cheesy solution to the problem but oh well. Slackware 11.0 runs great. Thanks for the help unSpawn, next time I'll be a more diligent user.

unSpawn 02-06-2007 11:48 AM

OK, NP. After all it's *your* well-informed choice and nobody can argue with that.
Do me a favour and check out the LQ FAQ: Security references. Just in case. OK?

opto 02-06-2007 07:30 PM

O.K. I'll check out the link.

