Worried about having been hacked
James Allsopp
jamesaallsopp at googlemail.com
Wed Jul 8 11:08:20 UTC 2009
Hi,
I've checked all the files you asked me to. The following are the files
from the yum whatprovides, followed by that grepped on /var/log/
chkconfig-1.3.38-1.i386
Mar 26 00:53:01 Updated: chkconfig-1.3.38-1.i386
rpm-4.6.1-1.fc10.i386
Jun 10 08:34:24 Updated: rpm-4.6.1-1.fc10.i386
passwd-0.75-2.fc9.i386
never been updated.
perl-5.10.0-68.fc10.i386
Apr 22 16:54:07 Updated: 4:perl-5.10.0-68.fc10.i386
This machine was installed about August 2008. The /usr/bin/passwd is
shown in red, which I think indicates a broken symbolic link?
[root@87-194-141-15 ~]# which chkconfig
/sbin/chkconfig
[root@87-194-141-15 ~]# ls -l /sbin/chkconfig
-rwxr-xr-x 1 root root 28000 2008-10-29 15:35 /sbin/chkconfig
[root@87-194-141-15 ~]# which passwd
/usr/bin/passwd
[root@87-194-141-15 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 25700 2008-04-08 14:48 /usr/bin/passwd
[root@87-194-141-15 ~]# which rpm
/bin/rpm
[root@87-194-141-15 ~]# ls -l /bin/rpm
-rwxr-xr-x 1 root root 23240 2009-05-18 12:26 /bin/rpm
[root@87-194-141-15 ~]# which perl
/usr/bin/perl
[root@87-194-141-15 ~]# ls -l /usr/bin/perl
-rwxr-xr-x 2 root root 8140 2009-04-14 12:26 /usr/bin/perl
None of these files seems new, but could they have been altered? This is
the first time I've seen this in rkhunter.
Jim
Frank Murphy wrote:
> On 08/07/09 10:59, James Allsopp wrote:
>> Hi,
>> I've checked this out and that was happening, but I've just had this
>> reported by rkhunter;
>>
>>
> <snip>
>
>> Warning: Package manager verification has failed:
>> File: /sbin/chkconfig
>> Try running the command 'prelink /sbin/chkconfig' to resolve
>> dependency errors.
>> The file hash value has changed
>> The file size has changed
>>
>> I'm not entirely sure what these errors mean though, have these files
>> been trojan'ed?
>>
>
> Have you updated?
> If yes, that's where you get the change.
> Check those updates against your yum logs.
> If you're not sure what update to check against:
> yum whatprovides */sbin/chkconfig
>
> For above.
>
> Regards,
>
> Frank
>
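The check discussed in this thread, matching each file rkhunter flags to its owning package and that package's yum.log history, as an added example (not code from the thread). The rkhunter and yum.log text is constructed in the format shown above; the second warning block, the `OWNERS` map and all function names are assumptions.

```python
import re
# Constructed sample, in the format of the rkhunter warning quoted in the thread.
RKHUNTER_LOG = """\
Warning: Package manager verification has failed:
         File: /sbin/chkconfig
         The file hash value has changed
         The file size has changed
Warning: Package manager verification has failed:
         File: /usr/bin/passwd
         The file hash value has changed
"""
# Constructed yum.log excerpt; both entries reuse lines from the message.
YUM_LOG = """\
Mar 26 00:53:01 Updated: chkconfig-1.3.38-1.i386
Apr 22 16:54:07 Updated: 4:perl-5.10.0-68.fc10.i386
"""
# File -> owning package, as `rpm -qf` reports it (values from the message).
OWNERS = {"/sbin/chkconfig": "chkconfig-1.3.38-1.i386",
          "/usr/bin/passwd": "passwd-0.75-2.fc9.i386"}
YUM_LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (Installed|Updated|Erased): (?:\d+:)?(\S+)$")

def flagged_files(rk_log):
    """Return {path: [reasons]} for each 'File:' block in rkhunter warnings."""
    found, current = {}, None
    for line in map(str.strip, rk_log.splitlines()):
        if line.startswith("Warning:"):
            current = None              # a new warning block starts
        elif line.startswith("File: "):
            current = found.setdefault(line[6:], [])
        elif current is not None and line.startswith("The file "):
            current.append(line)
    return found

def yum_events(yum_log):
    """Return {package: [(timestamp, action)]}, dropping any 'epoch:' prefix."""
    events = {}
    for m in filter(None, map(YUM_LINE.match, yum_log.splitlines())):
        events.setdefault(m.group(3), []).append((m.group(1), m.group(2)))
    return events

def triage(rk_log, yum_log, owners):
    """Pair each flagged file with the last yum event for its package, if any."""
    events = yum_events(yum_log)
    return [(path, owners.get(path), events.get(owners.get(path), [None])[-1], why)
            for path, why in flagged_files(rk_log).items()]

if __name__ == "__main__":
    for path, pkg, last, why in triage(RKHUNTER_LOG, YUM_LOG, OWNERS):
        print(path, pkg, last or "no yum event: verify with rpm -Vf", why, sep=" | ")
```

A flagged file whose package has no yum event is not accounted for by an update; `rpm -Vf <file>` re-checks it against the RPM database.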