0

warnings in rkhunter

asked 2012-11-19 13:59:07 -0500 by Fang

updated 2012-11-19 14:44:54 -0500

Good day. I should say up front that I am not by any means an expert in operating systems.

After updating Fedora 17 and restarting the PC, I got a bunch of warnings when running rkhunter. Now I know that this should be considered normal, but the names of the files which raised the warnings make me suspicious, since even "unhide", "unhide-tcp" and some others related to logins, file attributes, and networking have been modified.

The previous check with rkhunter, which was OK, had been done 9 hours before the new one. Aside from the change in the files, no other warning appears.

Now my questions are:

1) Is there a way (possibly automated, through a command) to check, via a checksum or something similar, that the files which changed are indeed the ones they are supposed to be? I am looking for a tool like the updater, but one which connects to the Fedora repository and compares the checksums of the files on my system with the ones in the repository.

2) Looking at the following list, do they look like false positives?

These are the warnings:

- /usr/sbin/fsck                                           [ Warning ]
- /usr/sbin/ip                                             [ Warning ]
- /usr/sbin/lsof                                           [ Warning ]
- /usr/sbin/nologin                                        [ Warning ]
- /usr/sbin/unhide                                         [ Warning ]
- /usr/sbin/unhide-tcp                                     [ Warning ]
- /usr/bin/bash                                            [ Warning ]
- /usr/bin/chattr                                          [ Warning ]
- /usr/bin/curl                                            [ Warning ]
- /usr/bin/diff                                            [ Warning ]
- /usr/bin/dmesg                                           [ Warning ]
- /usr/bin/file                                            [ Warning ]
- /usr/bin/find                                            [ Warning ]
- /usr/bin/kill                                            [ Warning ]
- /usr/bin/killall                                         [ Warning ]
- /usr/bin/last                                            [ Warning ]
- /usr/bin/less                                            [ Warning ]
- /usr/bin/locate                                          [ Warning ]
- /usr/bin/logger                                          [ Warning ]
- /usr/bin/login                                           [ Warning ]
- /usr/bin/lsattr                                          [ Warning ]
- /usr/bin/more                                            [ Warning ]
- /usr/bin/perl                                            [ Warning ]
- /usr/bin/pgrep                                           [ Warning ]
- /usr/bin/pkill                                           [ Warning ]
- /usr/bin/pstree                                          [ Warning ]
- /usr/bin/size                                            [ Warning ]
- /usr/bin/strings                                         [ Warning ]
- /usr/bin/top                                             [ Warning ]
- /usr/bin/vmstat                                          [ Warning ]
- /usr/bin/w                                               [ Warning ]
- /usr/bin/watch                                           [ Warning ]
- /usr/bin/wget                                            [ Warning ]
- /usr/bin/whatis                                          [ Warning ]
- /usr/bin/whereis                                         [ Warning ]
- /usr/bin/which                                           [ Warning ]
- /usr/bin/kmod                                            [ Warning ]
- /usr/bin/systemctl                                       [ Warning ]
- /usr/bin/gawk                                            [ Warning ]
- /usr/lib/systemd/systemd                                 [ Warning ]

This is the typical warning in the log file

[19:42:04] Warning: Package manager verification has failed:
[19:42:04] File: /usr/bin/chattr
[19:42:04] Try running the command 'prelink /usr/bin/chattr' to resolve dependency errors.
[19:42:04] The file hash value has changed
[19:42:04] The file size has changed

Everything else is apparently ok.

For additional information, I updated Fedora around 21 November 2012, 7pm (London time).

I usually run the PC as a user in the wheel group (to use sudo); both the sudo password and the root password are over 6 characters, with letters and numbers mixed, and I am the only one who has direct access to the terminal/PC.

Thanks.

Edit: Maybe I have already found the answer here: http://www.directadmin.com/forum/showthread.php?t=23497&page=1

If you are on an RPM based system issue:

Code:

rpm -qas > verify.txt

Practically if rpm itself is ok as ... (more)


2 Answers

1

answered 2013-08-25 17:24:55 -0500

A couple points:

1) rpm -V <packagename> or rpm -Va > verify-all-packages.list is the command you're looking for.

2) Fedora 17 is EOL. Please install a supported version.

3) Once you're on a supported release, apply updates more often. Nov 2012 to Aug 2013 is a long time to go without updates.

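An added triage helper for the rpm -V approach above (example code, not from the answer and not part of rpm or rkhunter): rkhunter compares files with its own snapshot, which a package update invalidates, while rpm -V compares them with the RPM database the update rewrote, so a file an update legitimately replaced verifies clean and a file altered after packaging still shows up. The sample rpm -Va lines are constructed and the class names are my own.

```shell
#!/bin/sh
# Flag field of `rpm -V` output: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; '.' means "as packaged".
# Column 12 holds the file type ('c' = %config); the path is the last field.

# Constructed sample output for offline use; not from a real host.
SAMPLE_RPMV='S.5....T.    /usr/bin/chattr
.......T.    /usr/bin/less
S.5....T.  c /etc/rkhunter.conf
missing     /usr/sbin/unhide
.M.....T.    /usr/bin/bash'

# rpmv_flags LINE -> comma-separated names of the attributes that differ
rpmv_flags() {
    flags=$(printf '%s' "$1" | cut -c1-9)
    case $flags in missing*) echo missing; return 0 ;; esac
    out=""
    for pair in 1:size 2:mode 3:digest 4:devnum 5:link 6:owner 7:group 8:mtime 9:caps; do
        pos=${pair%%:*}
        [ "$(printf '%s' "$flags" | cut -c"$pos")" = . ] || out="$out,${pair#*:}"
    done
    echo "${out#,}"
}

# rpmv_class LINE -> missing | config-edited | content-changed | perms-changed | metadata-only
rpmv_class() {
    ftype=$(printf '%s' "$1" | cut -c12)
    case $(rpmv_flags "$1") in
        missing)                       echo missing ;;
        *digest*|*size*)               [ "$ftype" = c ] && echo config-edited || echo content-changed ;;
        *mode*|*owner*|*group*|*caps*) echo perms-changed ;;   # e.g. an unexpected setuid bit
        *)                             echo metadata-only ;;   # mtime only: prelink, touch, ...
    esac
}

# rpmv_report: reads rpm -V lines on stdin, prints "CLASS<TAB>PATH" per line
rpmv_report() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(rpmv_class "$line")" "${line##* }"
    done
}

# rpmv_unexplained: count of non-config files whose content no longer matches the
# installed package; anything above 0 is what to investigate, not --propupd away.
rpmv_unexplained() {
    rpmv_report | awk -F'\t' '$1 == "content-changed" { n++ } END { print n + 0 }'
}
# On the box itself: rpm -Va 2>/dev/null | rpmv_report
# Owning package and install time of one flagged file:
#   rpm -qf --qf '%{NAME}-%{VERSION} installed %{INSTALLTIME:date}\n' /usr/bin/chattr
```

On the sample, only /usr/bin/chattr is reported as content-changed; compare the package's install time from the rpm -qf query with the time of the last clean rkhunter run to decide whether the update explains it.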
0

answered 2013-08-25 09:13:55 -0500 by rheldaemon

updated 2013-08-25 10:45:20 -0500

Could you check whether your rkhunter database is current?

To update it, enter the following command in a terminal: rkhunter --propupd

I think those are false positives if you have not updated rkhunter's database.

