rkhunter warnings

Raina Otoni ro3159 at gmail.com
Thu Oct 12 14:14:18 UTC 2006


Hello

My Fedora Core 5 server has had the same message since it was updated to version
2006092302. It may be a prelink issue.



Vikram Goyal wrote:
> Hello,
> 
> I'm using FC5 and recently I started getting warnings from the rkhunter cron
> check. I also manually updated the hashes, with the same results.
> 
> What may be the reason? Any ideas? Anything to worry about?
> 
> I'm pasting some relevant portions from the mail.
> 
> --------------------- Start Rootkit Hunter Update ---------------------
> 
> Running rkhunter updater... Tue, 10 Oct 2006 04:02:02 +0530
> 
> Mirrorfile /var/rkhunter/db/mirrors.dat rotated
> Using mirror http://mirror11.mirror.rkhunter.org
> [DB] Mirror file                      : Mirror outdated. Skipped
> Info (current version: 2006092302, version of mirror: 2006041300)
> [DB] MD5 hashes system binaries       : Mirror outdated. Skipped
> Info (current version: 2006100500, version of mirror: 2006022800)
> [DB] Operating System information     : Mirror outdated. Skipped
> Info (current version: 2006100500, version of mirror: 2006051200)
> [DB] MD5 blacklisted tools/binaries   : Up to date
> [DB] Known good program versions      : Up to date
> [DB] Known bad program versions       : Up to date
> 
> Finished rkhunter updater.. Tue, 10 Oct 2006 04:15:45 +0530
> Ready.
> 
> ---------------------- Start Rootkit Hunter Scan ----------------------
> 
> Rootkit Hunter 1.2.8 is running
> Tue, 10 Oct 2006 04:15:45 +0530
> Determining OS... Ready
> 
> 
> Checking binaries
> * Selftests
>      Strings (command)     [ OK ]
> 
> 
> * System tools
> Info: prelinked files found
> Performing 'known good' check...
>  /bin/cat  [ BAD ]
>  /bin/chmod  [ BAD ]
>  /bin/chown  [ BAD ]
>  /bin/date  [ BAD ]
>  /bin/dmesg  [ BAD ]
>  /bin/env  [ BAD ]
>  /bin/grep  [ BAD ]
>  /bin/kill  [ BAD ]
>  /bin/login  [ BAD ]
> <snip>
>  /usr/bin/whoami  [ BAD ]
> --------------------------------------------------------------------------------
> Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
> binaries or updated packages (which give other hashes). Be sure your hashes are
> fully updated (rkhunter --update). If you're in doubt about these hashes, contact
> the author (fill in the contact form).
> --------------------------------------------------------------------------------
> <snip>
> ---------------------------- Scan results ----------------------------
> 
> MD5
> MD5 compared: 51
> Incorrect MD5 checksums: 51
> 
> File scan
> Scanned files: 342
> Possible infected files: 0
> 
> Application scan
> Scanning took 174 seconds
> 
> ------------------- Tue, 10 Oct 2006 04:18:39 +0530 -------------------
> 
> Do you have some problems, undetected rootkits, false positives, ideas
> or suggestions?
> Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
> 
> -----------------------------------------------------------------------
> Thanks!


-- 
Raina Otoni <ro3159 at gmail.com>
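
Added example (not part of the original mail, and not rkhunter's own code): a small parser for the rkhunter 1.2.8 report format quoted above. It pulls out the facts that bear on the prelink hypothesis: the prelink notice, whether every compared hash failed, and which databases were skipped because the mirror was outdated. The sample input is abridged from the quoted report; the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the report quoted in the mail above.
SAMPLE_REPORT = """\
[DB] Mirror file                      : Mirror outdated. Skipped
Info (current version: 2006092302, version of mirror: 2006041300)
[DB] MD5 hashes system binaries       : Mirror outdated. Skipped
Info (current version: 2006100500, version of mirror: 2006022800)
[DB] MD5 blacklisted tools/binaries   : Up to date
Info: prelinked files found
Performing 'known good' check...
 /bin/cat  [ BAD ]
 /bin/login  [ BAD ]
MD5 compared: 51
Incorrect MD5 checksums: 51
"""

DB_LINE = re.compile(r"^\[DB\]\s+(.+?)\s*:\s*(.+)$")
FILE_LINE = re.compile(r"^\s*(/\S+)\s+\[\s*(\w+)\s*\]\s*$")
COUNT_LINE = re.compile(r"^(MD5 compared|Incorrect MD5 checksums):\s*(\d+)$")

def parse_report(text):
    """Extract DB update status, per-file results and summary counts."""
    out = {"db": {}, "files": {}, "counts": {}, "prelink": False}
    for ln in text.splitlines():
        ln = re.sub(r"^>\s?", "", ln)  # tolerate mail-quoted ('> ') input
        if m := DB_LINE.match(ln):
            out["db"][m.group(1)] = m.group(2)
        elif m := FILE_LINE.match(ln):
            out["files"][m.group(1)] = m.group(2)
        elif m := COUNT_LINE.match(ln):
            out["counts"][m.group(1)] = int(m.group(2))
        elif "prelinked files found" in ln:
            out["prelink"] = True
    return out

def triage(r):
    """Facts to review before treating the BAD hashes as tampering."""
    compared = r["counts"].get("MD5 compared", 0)
    bad = r["counts"].get("Incorrect MD5 checksums", 0)
    return {
        "prelink_reported": r["prelink"],
        "every_compared_hash_failed": compared > 0 and compared == bad,
        "dbs_skipped_outdated_mirror": sorted(
            k for k, v in r["db"].items() if "outdated" in v),
        "bad_files": sorted(f for f, s in r["files"].items() if s == "BAD"),
    }

print(triage(parse_report(SAMPLE_REPORT)))
```

The output only summarises what the report says; it does not decide whether the binaries are intact.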



