Today I found that some strange things have happened with rkhunter; some files belonging to it are missing:

$ rpm -V rkhunter
..?.....   /etc/cron.daily/01-rkhunter
..?.....   /etc/rkhunter.conf
..?.....   /etc/sysconfig/rkhunter
..?.....   /usr/bin/rkhunter
missing    /usr/lib/rkhunter/scripts/check_modules.pl
missing    /usr/lib/rkhunter/scripts/check_port.pl
missing    /usr/lib/rkhunter/scripts/check_update.sh
missing    /usr/lib/rkhunter/scripts/filehashmd5.pl
missing    /usr/lib/rkhunter/scripts/filehashsha1.pl
missing    /usr/lib/rkhunter/scripts/showfiles.pl
missing    /var/rkhunter/db/backdoorports.dat
missing    /var/rkhunter/db/defaulthashes.dat
missing    /var/rkhunter/db/md5blacklist.dat
missing    /var/rkhunter/db/mirrors.dat
missing    /var/rkhunter/db/os.dat
missing    /var/rkhunter/db/programs_bad.dat
missing    /var/rkhunter/db/programs_good.dat

Is this an updating problem of rkhunter itself? Or did some rootkit kill it?
On Wednesday, 11 October 2006 04:07, hanpingtian@gmail.com wrote:
I've never installed rkhunter from an RPM; I always use it from a tarball. By the way, I've never run into those problems in a normal situation. So maybe you should check your logs in order to see if someone broke into your box.

When I use rkhunter or another rootkit detector, I'm used to installing it in a non-default path; maybe this way rootkits won't be able to delete any of its files or trojanize them.
Greetings.
I see, the permissions of those files forbid a non-root user from checking them:

-rwxr-x--- 1 root root   1687 Mar 19  2006 /etc/cron.daily/01-rkhunter
-rw-r----- 1 root root   1519 Mar 19  2006 /etc/rkhunter.conf
-rw-r----- 1 root root    333 Jun  6  2005 /etc/sysconfig/rkhunter
-rwxr-x--- 1 root root 141594 Mar 19  2006 /usr/bin/rkhunter
.....

But I found that the hash check failed on some programs:

......
/usr/bin/watch                                      [ BAD ]
/usr/bin/wc                                         [ BAD ]
/usr/bin/wget                                       [ OK ]
/usr/bin/whereis                                    [ BAD ]
/usr/bin/who                                        [ BAD ]
/usr/bin/whoami                                     [ BAD ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
--------------------------------------------------------------------------------

What does this mean?
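The rpm -V output in this thread mixes three very different situations: "..?....." means rpm could not perform that test at all (the "?" sits in the md5 column, and the ls -l listing above shows why: the files are not readable by the non-root user who ran the check), "missing" means the file is gone, and an actual letter in the column would mean the attribute really differs from the package database. The following Python script is an added example, not part of the thread, that parses rpm -V output into those three cases so the "re-run as root" case is not mistaken for tampering; the sample lines are constructed from the ones posted above, plus one constructed "S.5....T" line for /usr/bin/who to show what a genuinely modified file would look like.

```python
import re

# rpm -V attribute columns, in order: Size, Mode, md5/digest, Device,
# readLink, User, Group, mTime (newer rpm adds a ninth column, P for capabilities).
ORDER = "SM5DLUGTP"
ATTR_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}

# Either "missing <path>" or an 8/9-char attribute string, an optional file-type
# marker (c=config, d=doc, g=ghost, l=license, r=readme) and the path.
LINE_RE = re.compile(r"^(?:(?P<missing>missing)|(?P<flags>[SM5DLUGTP.?]{8,9}))\s+"
                     r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S*)$")

def classify_line(line):
    """Return (path, status, details) for one rpm -V line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("missing"):
        return (path, "missing", [])
    flags = m.group("flags")
    # A letter means that attribute differs from the rpm database: real evidence.
    changed = [ATTR_NAMES[c] for c in flags if c in ATTR_NAMES]
    # '?' means the test could not be run (typically unreadable by this user):
    # no evidence either way until the check is repeated as root.
    unverified = [ATTR_NAMES[ORDER[i]] for i, c in enumerate(flags) if c == "?"]
    if changed:
        return (path, "changed", changed)
    if unverified:
        return (path, "unverifiable", unverified)
    return (path, "ok", [])

def triage(output):
    """Group every rpm -V line by status; callers act on 'changed' and 'missing' first."""
    result = {"missing": [], "unverifiable": [], "changed": [], "ok": []}
    for line in output.splitlines():
        r = classify_line(line)
        if r:
            result[r[1]].append((r[0], r[2]))
    return result

# Constructed sample: the first six lines imitate the output posted in the thread,
# the last one is an invented "really modified" entry for illustration only.
SAMPLE_RPM_V = """\
..?.....   /etc/cron.daily/01-rkhunter
..?.....   /etc/rkhunter.conf
..?.....   /etc/sysconfig/rkhunter
..?.....   /usr/bin/rkhunter
missing    /usr/lib/rkhunter/scripts/check_modules.pl
missing    /var/rkhunter/db/os.dat
S.5....T    /usr/bin/who
"""
```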
hanpingtian@gmail.com wrote:
This should be fixed by now. The problem was with the FC support in rkhunter's database files: it didn't have the proper FC5 hashes until recently. See BZ 189796. This changed sometime between 10/08/06 and 10/20/06.