LinuxQuestions.org
Old 04-02-2020, 03:48 PM   #1
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Brú na Bóinne, IE
Distribution: Slackware, NetBSD
Posts: 1,758

Suspicious file in 14.2?


I've been using dar from SBo to back up /data (sdc1 - xfs) to /backup (sdd1 - xfs).

The following warning appears after a backup (differential):

Code:
SECURITY WARNING! SUSPICIOUS FILE /path/to/Slackware-14.2/patches/source/NetworkManager/NetworkManager.SlackBuild: ctime changed since archive of reference was done, while no other inode information changed.

The archive of reference is a full dar backup. The error comes up when doing a differential or incremental dar backup with that full backup as its reference point.

This was the command I used for today's differential backup:

Code:
dar -c /backup/$(date +%Y-%m-%d)-diff -R /data -A /backup/2020-04-01-full

This created a differential backup of /data in /backup. The differential backup is called 2020-04-02-diff.1.dar, and it used yesterday's full backup, /backup/2020-04-01-full.1.dar, as its reference.

Google doesn't tell me much; the only reference I've found to a similar error related to Ubuntu, and it had to do with a dar upgrade from one version to another, which doesn't apply here.

I'm running 14.2 amd64; the suspicious file is there because I rsync (from slackware.uk) some of the Slackware tree, including i586, just to have it available if needed.

Should we be concerned?

Last edited by Gerard Lally; 04-02-2020 at 04:22 PM.
 
Old 04-02-2020, 07:41 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 16,421
Blog Entries: 27

Suspicious does not mean guilty.

My take is that, if you have knowledge of the history of the file from its creation and are confident that it has not been altered or tampered with, it's probably okay to disregard the warning.

Just my two cents.
 
Old 04-03-2020, 07:46 AM   #3
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Brú na Bóinne, IE
Distribution: Slackware, NetBSD
Posts: 1,758

Original Poster
Thanks Frank. I don't really suspect the slackbuild, but I'm curious to know what the error means. It's probably a Dar bug. Just thought I'd put it to a wider audience to see if someone had come across something similar.
 
Old 04-03-2020, 07:54 AM   #4
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 2,939

Just to add to frankbell's proper post, I run root kit checkers every so often and if I set it to show all warnings, every time I will get warnings that it is suspicious how adduser and a few other binaries have been replaced by a script. This, however, is how Slackware rolls. It is designed that way and perfectly normal. It is only necessary to check if you trust the suspicious file and know its origin and maybe its reason for being. Beyond that, a command like "stat" can tell you a lot about the file, when it was last accessed and modified for example. If the file is running, "lsof" (with various switches) can tell you who has been using it, how, and when. There is no need to stay suspicious and worried.
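
Added example, not part of any post in this thread: a shell sketch of the comparison the dar warning describes, listing files whose ctime differs between two snapshots while every other recorded inode field is unchanged. It assumes GNU find (for -printf); the function names and the set of fields compared are choices made for this example, not dar's implementation. The kernel updates ctime on any inode change (e.g. chmod, chown, adding or removing a hard link), including changes that are later reverted, so a ctime-only difference shows that metadata was touched, not that the content changed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU find for -printf.
# Paths containing tabs or newlines are not handled.

# snapshot DIR
# Print one line per regular file under DIR:
#   path <TAB> inode|links|mode|uid|gid|size|mtime <TAB> ctime
snapshot() {
    find "$1" -type f -printf '%p\t%i|%n|%m|%U|%G|%s|%T@\t%C@\n' | sort
}

# ctime_only OLD NEW
# Print paths present in both snapshots whose ctime differs while all the
# other recorded fields are identical. Files that were edited (size or
# mtime changed), added or deleted are deliberately not reported.
ctime_only() {
    awk -F '\t' '
        FILENAME == ARGV[1] { meta[$1] = $2; ctime[$1] = $3; next }
        ($1 in meta) && meta[$1] == $2 && ctime[$1] != $3 { print $1 }
    ' "$1" "$2"
}

# Usage:
#   sh ctime-check.sh snapshot /data > before.tsv
#   ... later ...
#   sh ctime-check.sh snapshot /data > after.tsv
#   sh ctime-check.sh compare before.tsv after.tsv
case "${1:-}" in
    snapshot) snapshot "$2" ;;
    compare)  ctime_only "$2" "$3" ;;
esac
```

For any path it reports, `stat` on the file shows the current Access, Modify and Change times side by side, and comparing the file's checksum against the copy on the mirror settles whether the content itself is intact.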
 
  

