LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-09-2009, 10:25 AM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
rkhunter, not updating hashes?


rkhunter doesn't seem to be updating the hashes, I run propupd twice, and it says the hashes are missing both times:
Code:
root@server [~]# rkhunter --propupd
[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 150 files, found 132, missing hashes 118
root@server [~]# rkhunter --propupd
[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 150 files, found 132, missing hashes 118
Also, when running rkhunter -c, I see warnings on the binaries:
Code:
[10:22:23] Warning: No hash value found for file '/bin/kill'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/kill: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/kill' to resolve dependency errors.
[10:22:23] Warning: No hash value found for file '/bin/logger'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/logger: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/logger' to resolve dependency errors.
[10:22:23] Warning: No hash value found for file '/bin/login'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/login: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/login' to resolve dependency errors.
[10:22:24] Warning: No hash value found for file '/bin/ls'
[10:22:24]          Hash command output: /usr/sbin/prelink: /bin/ls: at least one of file's dependencies has changed since prelinking
[10:22:24]          Try running the command 'prelink /bin/ls' to resolve dependency errors.
[10:22:24] Warning: No hash value found for file '/bin/mail'
[10:22:24]          Hash command output: /usr/sbin/prelink: /bin/mail: at least one of file's dependencies has changed since prelinking
[10:22:24]          Try running the command 'prelink /bin/mail' to resolve dependency errors.
[10:22:24] Warning: No hash value found for file '/bin/mktemp'
[10:22:24]          Hash command output: /usr/sbin/prelink: /bin/mktemp: at least one of file's dependencies has changed since prelinking
[10:22:24]          Try running the command 'prelink /bin/mktemp' to resolve dependency errors.
Even though the hashes are in the dat file:
Code:
File:/usr/bin/cut::19705713:0777:0:0:13:1241822898::
File:/usr/bin/diff::19703868:0755:0:0:75444:1211653966::
File:/usr/bin/dirname::19706403:0755:0:0:18860:1232519311::
File:/usr/bin/du::19709216:0755:0:0:69124:1232519311::
File:/usr/bin/elinks::19709147:0755:0:0:967024:1191468313::
File:/usr/bin/env::19700022:0777:0:0:13:1241822898::
File:/usr/bin/file:2354e86abb655e19e5fa0a94f6701fe447771709:19709289:0755:0:0:10312:1241130029::
File:/usr/bin/find::19709234:0755:0:0:151244:1235691572::
File:/usr/bin/groups:caff65849b5547e5bc2bb665b97a7c5e12e16e9f:19705714:0755:0:0:1931:1232519300::
File:/usr/bin/head::19704029:0755:0:0:31692:1232519311::
File:/usr/bin/id::19706200:0755:0:0:22600:1232519311::
File:/usr/bin/kill::19699153:0777:0:0:14:1241822908::
File:/usr/bin/killall::19699799:0755:0:0:18128:1211639453::
File:/usr/bin/last::19705438:0755:0:0:18576:1232526133::
File:/usr/bin/lastlog::19701988:0755:0:0:8960:1236097843::
File:/usr/bin/ldd:0df141e6f1c9e175e67fba723bd4207feb852d9d:19706631:0755:0:0:5762:1250205122::
File:/usr/bin/less::19705107:0755:0:0:129984:1174514790::
File:/usr/bin/links::19710328:0777:0:0:6:1231965885::
File:/usr/bin/locate::19704373:02711:0:21:23856:1235690889::
File:/usr/bin/logger::19708111:0777:0:0:16:1241822908::
File:/usr/bin/lsattr::19701932:0755:0:0:8388:1232514627::
File:/usr/bin/lynx::19705476:0755:0:0:1272488:1225137300::
File:/usr/bin/md5sum::19705698:0755:0:0:27792:1232519311::
File:/usr/bin/newgrp::19700079:04755:0:0:24588:1236097842::
File:/usr/bin/passwd::19699663:04755:0:0:22984:1168099410::
Any ideas?
 
Old 09-09-2009, 11:09 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by abefroman View Post
rkhunter doesn't seem to be updating the hashes, I run propupd twice, and it says the hashes are missing both times
No, it says it can not find all hashes which is OK on a standard installation.


Quote:
Also, when running rkhunter -c, I see warnings on the binaries:
Code:
[10:22:23] Warning: No hash value found for file '/bin/kill'
[10:22:23]          Hash command output: /usr/sbin/prelink: /bin/kill: at least one of file's dependencies has changed since prelinking
[10:22:23]          Try running the command 'prelink /bin/kill' to resolve dependency errors.
What OS + release version? What does manually running 'prelink /bin/kill' return?

Last edited by unSpawn; 09-09-2009 at 11:27 AM. Reason: //tag closing
 
Old 09-09-2009, 11:16 AM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
I noticed that, it can't find most of them though.

Code:
root@server [~]# prelink /bin/kill
root@server [~]# ll /bin/kill
-rwxr-xr-x 1 root root 11168 Jan 21  2009 /bin/kill*
root@server [~]# which prelink
/usr/sbin/prelink
root@server [~]# cat /etc/redhat-release
CentOS release 5.3 (Final)
Any idea why prelink isn't returning anything?

TIA
 
Old 09-09-2009, 11:33 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by abefroman View Post
I noticed that, it can't find most of them though.
Maybe you're counting in gills or pigs, $[150-132] definately does not list as "most" in my book.


Quote:
Originally Posted by abefroman View Post
Any idea why prelink isn't returning anything?
I don't know why but it's good. It should only barf out errors. Did you configure any ^HASH_.*= or ^PKGMGR= values in rkhunter.conf?
 
Old 09-09-2009, 12:32 PM   #5
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by unSpawn View Post
I don't know why but it's good. It should only barf out errors. Did you configure any ^HASH_.*= or ^PKGMGR= values in rkhunter.conf?
Nope
 
Old 09-22-2009, 09:35 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
OK. Could you please report this issue to the rkhunter-users mailing list on Sourceforge or add it to the Rootkit Hunter bug tracker on Sourceforge so we can have a closer look at it? (In both cases please attach rkhunter.log and rkhunter.conf.)

TIA.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
rkhunter bad hashes Fcm Linux - Security 1 02-20-2007 04:33 AM
Perl hashes ShaqDiesel Programming 6 08-09-2006 02:54 AM
Possible compromise - rkhunter finds 2 (?) questionable hashes The MCP Linux - Security 3 04-02-2005 06:15 PM
md5 hashes banderson Linux - General 1 10-17-2003 12:06 PM
MD5 hashes ruffneck Linux - General 1 07-08-2002 05:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration