rkhunter, not updating hashes?

abefroman · 09-09-2009, 10:25 AM

rkhunter doesn't seem to be updating the hashes, I run propupd twice, and it says the hashes are missing both times:

Code:

root@server [~]# rkhunter --propupd
[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 150 files, found 132, missing hashes 118
root@server [~]# rkhunter --propupd
[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 150 files, found 132, missing hashes 118

Also, when running rkhunter -c, I see warnings on the binaries:

Code:

[10:22:23] Warning: No hash value found for file '/bin/kill'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/kill: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/kill' to resolve dependency errors.
[10:22:23] Warning: No hash value found for file '/bin/logger'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/logger: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/logger' to resolve dependency errors.
[10:22:23] Warning: No hash value found for file '/bin/login'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/login: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/login' to resolve dependency errors.
[10:22:24] Warning: No hash value found for file '/bin/ls'
[10:22:24]          Hash command output: /usr/sbin/prelink: /bin/ls: at least one of file's dependencies has changed since prelinking
[10:22:24]          Try running the command 'prelink /bin/ls' to resolve dependency errors.
[10:22:24] Warning: No hash value found for file '/bin/mail'
[10:22:24]          Hash command output: /usr/sbin/prelink: /bin/mail: at least one of file's dependencies has changed since prelinking
[10:22:24]          Try running the command 'prelink /bin/mail' to resolve dependency errors.
[10:22:24] Warning: No hash value found for file '/bin/mktemp'
[10:22:24]          Hash command output: /usr/sbin/prelink: /bin/mktemp: at least one of file's dependencies has changed since prelinking
[10:22:24]          Try running the command 'prelink /bin/mktemp' to resolve dependency errors.

Even though the hashes are in the dat file:

Code:

File:/usr/bin/cut::19705713:0777:0:0:13:1241822898::
File:/usr/bin/diff::19703868:0755:0:0:75444:1211653966::
File:/usr/bin/dirname::19706403:0755:0:0:18860:1232519311::
File:/usr/bin/du::19709216:0755:0:0:69124:1232519311::
File:/usr/bin/elinks::19709147:0755:0:0:967024:1191468313::
File:/usr/bin/env::19700022:0777:0:0:13:1241822898::
File:/usr/bin/file:2354e86abb655e19e5fa0a94f6701fe447771709:19709289:0755:0:0:10312:1241130029::
File:/usr/bin/find::19709234:0755:0:0:151244:1235691572::
File:/usr/bin/groups:caff65849b5547e5bc2bb665b97a7c5e12e16e9f:19705714:0755:0:0:1931:1232519300::
File:/usr/bin/head::19704029:0755:0:0:31692:1232519311::
File:/usr/bin/id::19706200:0755:0:0:22600:1232519311::
File:/usr/bin/kill::19699153:0777:0:0:14:1241822908::
File:/usr/bin/killall::19699799:0755:0:0:18128:1211639453::
File:/usr/bin/last::19705438:0755:0:0:18576:1232526133::
File:/usr/bin/lastlog::19701988:0755:0:0:8960:1236097843::
File:/usr/bin/ldd:0df141e6f1c9e175e67fba723bd4207feb852d9d:19706631:0755:0:0:5762:1250205122::
File:/usr/bin/less::19705107:0755:0:0:129984:1174514790::
File:/usr/bin/links::19710328:0777:0:0:6:1231965885::
File:/usr/bin/locate::19704373:02711:0:21:23856:1235690889::
File:/usr/bin/logger::19708111:0777:0:0:16:1241822908::
File:/usr/bin/lsattr::19701932:0755:0:0:8388:1232514627::
File:/usr/bin/lynx::19705476:0755:0:0:1272488:1225137300::
File:/usr/bin/md5sum::19705698:0755:0:0:27792:1232519311::
File:/usr/bin/newgrp::19700079:04755:0:0:24588:1236097842::
File:/usr/bin/passwd::19699663:04755:0:0:22984:1168099410::

Any ideas?

unSpawn · 09-09-2009, 11:09 AM

Quote:

Originally Posted by abefroman

rkhunter doesn't seem to be updating the hashes, I run propupd twice, and it says the hashes are missing both times

No, it says it can not find all hashes which is OK on a standard installation.

Quote:

Also, when running rkhunter -c, I see warnings on the binaries:

Code:

[10:22:23] Warning: No hash value found for file '/bin/kill'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/kill: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/kill' to resolve dependency errors.

What OS + release version? What does manually running 'prelink /bin/kill' return?

abefroman · 09-09-2009, 11:16 AM

I noticed that, it can't find most of them though.

Code:

root@server [~]# prelink /bin/kill
root@server [~]# ll /bin/kill
-rwxr-xr-x 1 root root 11168 Jan 21  2009 /bin/kill*
root@server [~]# which prelink
/usr/sbin/prelink
root@server [~]# cat /etc/redhat-release
CentOS release 5.3 (Final)

Any idea why prelink isn't returning anything?

TIA

unSpawn · 09-09-2009, 11:33 AM

Quote:

Originally Posted by abefroman

I noticed that, it can't find most of them though.

Maybe you're counting in gills or pigs, $[150-132] definately does not list as "most" in my book.

Quote:

Originally Posted by abefroman

Any idea why prelink isn't returning anything?

I don't know why but it's good. It should only barf out errors. Did you configure any ^HASH_.*= or ^PKGMGR= values in rkhunter.conf?

abefroman · 09-09-2009, 12:32 PM

Quote:

Originally Posted by unSpawn

I don't know why but it's good. It should only barf out errors. Did you configure any ^HASH_.*= or ^PKGMGR= values in rkhunter.conf?

Nope

unSpawn · 09-22-2009, 09:35 AM

OK. Could you please report this issue to the rkhunter-users mailing list on Sourceforge or add it to the Rootkit Hunter bug tracker on Sourceforge so we can have a closer look at it? (In both cases please attach rkhunter.log and rkhunter.conf.)

TIA.