rkhunter warnings, maybe yum issues? [CLOSED]

William mattison.computer at yahoo.com
Fri Feb 7 01:33:08 UTC 2014


 > Good evening,
 >
 > I don't know if these are properly rkhunter questions, yum questions, or F-20 questions, so I'm posting to both lists.
 >
 > Last Monday, I updated my 64-bit system from Fedora-19 to Fedora-20.  Several minutes ago, I updated Fedora-20 by doing "yum update".  I then did "rkhunter --update", and then "rkhunter --check".  I'm getting a lot of issues.
 >
 > 1. I get these messages in the rkhunter log:
 >
 > [18:55:34] Info: The command 'rpm -qf --queryformat... /usr/sbin/chkconfig' gave error code 1.
 > [18:55:39] Info: The command 'rpm -qf --queryformat... /usr/sbin/fuser' gave error code 1.
 > [18:55:40] Info: The command 'rpm -qf --queryformat... /usr/sbin/ifconfig' gave error code 1.
 > [18:55:44] Info: The command 'rpm -qf --queryformat... /usr/sbin/route' gave error code 1.
 > [18:55:44] Info: The command 'rpm -qf --queryformat... /usr/sbin/rsyslogd' gave error code 1.
 > [18:55:50] Info: The command 'rpm -qf --queryformat... /usr/bin/ed' gave error code 1.
 > [18:55:50] Info: The command 'rpm -qf --queryformat... /usr/bin/egrep' gave error code 1.
 > [18:55:50] Info: The command 'rpm -qf --queryformat... /usr/bin/fgrep' gave error code 1.
 > [18:55:52] Info: The command 'rpm -qf --queryformat... /usr/bin/grep' gave error code 1.
 > [18:55:55] Info: The command 'rpm -qf --queryformat... /usr/bin/mail' gave error code 1.
 > [18:55:55] Info: The command 'rpm -qf --queryformat... /usr/bin/netstat' gave error code 1.
 > [18:56:01] Info: The command 'rpm -qf --queryformat... /usr/bin/rpm' gave error code 1.
 > [18:56:01] Info: The command 'rpm -qf --queryformat... /usr/bin/sed' gave error code 1.
 > [18:56:07] Info: The command 'rpm -qf --queryformat... /usr/bin/mailx' gave error code 1.
 >
 > I get these warnings a lot (both under F-19, and since updating to F-20).  What's causing these warnings?  Is there something yum should be doing, but isn't?  Is there something I should be doing, but I don't know it?

I wrongly believed these all to be packages.  So these messages do not 
really signify a problem, either with my system or with yum.

 > 2. I get this warning in the rkhunter log:
 >
 > [18:55:49]   /usr/bin/curl                                   [ Warning ]
 > [18:55:49] Warning: Package manager verification has failed:
 > [18:55:49]          File: /usr/bin/curl
 > [18:55:49]          Try running the command 'prelink /usr/bin/curl' to resolve dependency errors.
 > [18:55:49]          The file hash value has changed
 > [18:55:49]          The file size has changed
 >
 > The warning gives me the immediate fix, and it works.  But the problem recurs after almost every "yum update" (both under F-19, and since updating to F-20), though not on the same packages each time.  What's the real problem?  Is there something yum should be doing, but isn't?  Is there something I should be doing, but I don't know it?

Since I'm doing things manually, I just need to do a "prelink -qa" after 
the "yum update" is done but before running rkhunter.  No yum deficiency 
here.

 > 3. Since updating to F-20, I'm seeing this warning:
 >
 > [18:56:18]
 > [18:56:18] Checking for GasKit Rootkit...
 > [18:56:18]   Checking for file '/dev/dev/gaskit/sshd/sshdd'  [ Not found ]
 > [18:56:18]   Checking for directory '/dev/dev'               [ Found ]
 > [18:56:18]   Checking for directory '/dev/dev/gaskit'        [ Not found ]
 > [18:56:18]   Checking for directory '/dev/dev/gaskit/sshd'   [ Not found ]
 > [18:56:18] Warning: GasKit Rootkit                           [ Warning ]
 > [18:56:18]          Directory '/dev/dev' found
 > [18:56:18]
 >
 > The directory "/dev/dev/" contains one entry:
 >
 > bash.6[dev]: ll
 > total 0
 > lrwxrwxrwx. 1 root root 10 Jan 29 13:48 resume -> ../../sda5
 > bash.7[dev]:
 >
 > Doing "file resume" gives this:
 >
 > bash.21[dev]: file resume
 > resume: broken symbolic link to `../../sda5'
 > bash.22[dev]:
 >
 > I see no "sda5" in the root directory.  A "df" shows no filesystem.  An "ls -a" of the root directory shows one file I did not expect:
 >
 > -rw-r--r--.   1 root root 178665 Jan 29 18:50 .readahead
 >
 > It seems to be binary.
 >
 > Do I have a security problem?  What are "/dev/dev/resume" and "/.readahead"?

This is a false positive.  Someone else already recognized the problem 
and submitted a bugzilla.  The "/.readahead" file is not a problem.

 > thanks,
 > Bill.

I thank everyone who tried to help for their time, effort, and patience.
Bill.
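The three findings in this thread fall into three different buckets: informational "rpm -qf ... gave error code 1" lines (rpm could not attribute the path to a package), package-manager verification failures that prelink clears, and a rootkit test tripped by a known false positive. The script below is an added example, not part of the thread or of rkhunter; it triages a log with those line layouts into those buckets and turns them into the follow-up Bill settled on (prelink -qa after yum update, a known-false-positive list for /dev/dev). The sample log is constructed from the lines quoted above, and the regular expressions assume exactly the formats shown there.

```python
"""Triage an rkhunter log into actionable buckets (added example)."""
import re

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
[18:55:34] Info: The command 'rpm -qf --queryformat... /usr/sbin/chkconfig' gave error code 1.
[18:55:49]   /usr/bin/curl                                   [ Warning ]
[18:55:49] Warning: Package manager verification has failed:
[18:55:49]          File: /usr/bin/curl
[18:55:49]          Try running the command 'prelink /usr/bin/curl' to resolve dependency errors.
[18:55:49]          The file hash value has changed
[18:55:49]          The file size has changed
[18:55:50] Info: The command 'rpm -qf --queryformat... /usr/bin/grep' gave error code 1.
[18:56:18] Checking for GasKit Rootkit...
[18:56:18]   Checking for file '/dev/dev/gaskit/sshd/sshdd'  [ Not found ]
[18:56:18]   Checking for directory '/dev/dev'               [ Found ]
[18:56:18]   Checking for directory '/dev/dev/gaskit'        [ Not found ]
[18:56:18] Warning: GasKit Rootkit                           [ Warning ]
[18:56:18]          Directory '/dev/dev' found
"""

# "The command 'rpm -qf ... <path>' gave error code N."  (rpm -qf exits 1 when
# it cannot attribute <path> to any installed package)
RPM_QF_RE = re.compile(r"The command 'rpm -qf [^']*?([^' ]+)' gave error code (\d+)\.")
# Per-file verification header: "  /usr/bin/curl   [ Warning ]"
FILE_WARN_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(/\S+)\s+\[ Warning \]$")
# Detail line that names the prelink fix rkhunter suggests
PRELINK_RE = re.compile(r"Try running the command 'prelink ([^']+)'")
# Rootkit test summary: "Warning: GasKit Rootkit   [ Warning ]"
ROOTKIT_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] Warning: (.+?)\s+\[ Warning \]$")
# Evidence line under a rootkit warning: "Directory '/dev/dev' found"
EVIDENCE_RE = re.compile(r"(?:Directory|File) '([^']+)' found")


def triage(log_text):
    """Sort rkhunter log lines into unowned paths, prelink candidates,
    per-file warnings and rootkit warnings with their evidence paths."""
    report = {"unowned": [], "file_warnings": [], "prelink": [], "rootkit": []}
    for line in log_text.splitlines():
        m = RPM_QF_RE.search(line)
        if m:
            report["unowned"].append((m.group(1), int(m.group(2))))
            continue
        m = FILE_WARN_RE.match(line)
        if m:
            report["file_warnings"].append(m.group(1))
            continue
        m = PRELINK_RE.search(line)
        if m:
            report["prelink"].append(m.group(1))
            continue
        m = ROOTKIT_RE.match(line)
        if m:
            report["rootkit"].append({"name": m.group(1), "evidence": []})
            continue
        m = EVIDENCE_RE.search(line)
        if m and report["rootkit"]:
            # Evidence lines follow the rootkit summary they belong to.
            report["rootkit"][-1]["evidence"].append(m.group(1))
    return report


def suggested_actions(report, known_false_positives=frozenset()):
    """Turn the triage buckets into the follow-ups discussed in the thread.
    known_false_positives holds evidence paths already explained away
    (e.g. {"/dev/dev"} for the GasKit test in Bill's case)."""
    actions = []
    if report["prelink"]:
        actions.append("run 'prelink -qa' after 'yum update' and before 'rkhunter --check' "
                       f"({len(report['prelink'])} prelink-related verification failure(s))")
    for rk in report["rootkit"]:
        unexplained = [p for p in rk["evidence"] if p not in known_false_positives]
        if unexplained:
            actions.append(f"investigate {rk['name']}: " + ", ".join(unexplained))
        else:
            actions.append(f"suppressed {rk['name']}: all evidence is on the known false-positive list")
    if report["unowned"]:
        actions.append(f"informational: rpm could not attribute {len(report['unowned'])} "
                       "path(s) to a package (exit status 1); not a verification failure")
    return actions


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for action in suggested_actions(rep, known_false_positives={"/dev/dev"}):
        print(action)
```

Running the block with an empty false-positive list still flags the GasKit test for investigation; passing `{"/dev/dev"}` marks it suppressed while keeping the prelink follow-up, so the allow-list only ever narrows what is hidden to paths someone has explicitly explained.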


More information about the users mailing list