rkhunter sshd warning

Wolfgang S. Rupprecht wolfgang.rupprecht at gmail.com
Sun Mar 16 21:13:19 UTC 2014


Kevin Fenzi <kevin at scrye.com> writes:
> On Sun, 16 Mar 2014 12:59:29 -0700
> "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com> wrote:
>> Are other people seeing this?  I'm not looking forward to a full scrub
>> and clean installation.
>
> Did you recently install or update openssh-server, openssh or
> telnet-server ? When you update packages you need to re-run
> 'rkhunter --propupd' to update its db. 
>
> The /dev/dev/ thing is a dracut bug from a while back. You can safely
> remove that /dev/dev/ directory and its contents. 

    $ grep ssh /var/log/yum.log 
    Jan 06 19:27:53 Updated: openssh-6.4p1-3.fc20.x86_64
    Jan 06 19:28:23 Updated: openssh-server-6.4p1-3.fc20.x86_64
    Jan 06 19:28:23 Updated: openssh-clients-6.4p1-3.fc20.x86_64
    Jan 06 19:28:23 Installed: openssh-askpass-6.4p1-3.fc20.x86_64

I do nightly yum updates but ssh* hasn't updated in a long while.  I
also recall the file updated messages are a bit different, complaining
that an inode changed.

I also did an 'rpm -Va' to see if the hash changed, but it hadn't.
While it is possible that rpm was replaced with a version that lies, I
honestly can't believe the rabbit hole goes that deep.  I'm leaning
towards something bad having happened to upstream's rkhunter.

I guess I should check with a fedora live usb just to be sure.  (Again,
I have to trust that the tools aren't doctored so much that burning a
live image is still doable without inserting a trojan.)

-wolfgang
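To make the triage Kevin describes concrete (was the flagged binary's package updated after the last `rkhunter --propupd`, or not?), here is an added Python example, not code from the thread. It parses a constructed yum.log excerpt in the Fedora 20 format shown above plus a constructed file-to-package mapping (on a real host that would come from `rpm -qf`), and takes the log year and the last propupd time as inputs because yum.log lines carry no year.

```python
"""Triage rkhunter 'file properties changed' warnings against yum.log."""
from datetime import datetime

# Constructed yum.log excerpt (same format as the thread: no year field).
SAMPLE_YUM_LOG = """\
Jan 06 19:27:53 Updated: openssh-6.4p1-3.fc20.x86_64
Jan 06 19:28:23 Updated: openssh-server-6.4p1-3.fc20.x86_64
Jan 06 19:28:23 Updated: openssh-clients-6.4p1-3.fc20.x86_64
Jan 06 19:28:23 Installed: openssh-askpass-6.4p1-3.fc20.x86_64
Mar 10 03:15:02 Updated: kernel-3.13.6-200.fc20.x86_64
"""

# Constructed file -> owning package map (what `rpm -qf --qf '%{NAME}'`
# would report on a real host).
SAMPLE_OWNERS = {
    "/usr/sbin/sshd": "openssh-server",
    "/usr/bin/ssh": "openssh-clients",
    "/usr/bin/uname": "coreutils",
}


def package_name(nevra):
    """Strip 'version-release.arch' from 'name-version-release.arch'.
    Package names may contain hyphens; version and release never do,
    so the last two hyphen-separated fields are dropped."""
    return nevra.rsplit("-", 2)[0]


def parse_yum_log(text, year):
    """Return {package name: latest Installed/Updated time} from yum.log."""
    latest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] not in ("Updated:", "Installed:"):
            continue
        when = datetime.strptime(f"{year} {parts[0]} {parts[1]} {parts[2]}",
                                 "%Y %b %d %H:%M:%S")
        name = package_name(parts[4])
        if name not in latest or when > latest[name]:
            latest[name] = when
    return latest


def triage(flagged, owners, yum_log, year, propupd_time):
    """'stale-db' if the file's package was updated after the last
    'rkhunter --propupd'; otherwise 'investigate' (no benign explanation)."""
    updates = parse_yum_log(yum_log, year)
    verdicts = {}
    for path in flagged:
        last = updates.get(owners.get(path))
        verdicts[path] = ("stale-db" if last is not None and last > propupd_time
                          else "investigate")
    return verdicts
```

With a propupd time after January 6 the sshd warning gets "investigate", which is exactly the situation in the message above: no recent openssh update explains the changed properties.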
