rkhunter sshd warning

Wolfgang S. Rupprecht wolfgang.rupprecht at gmail.com
Sun Mar 16 22:04:08 UTC 2014


John Horne <john.horne at plymouth.ac.uk> writes:
> On Sun, 2014-03-16 at 12:59 -0700, Wolfgang S. Rupprecht wrote:
>>     ---------------------- Start Rootkit Hunter Scan
>> ----------------------
>>     Warning: The file '/usr/sbin/sshd' exists on the system, but it is
>> not present in the 'rkhunter.dat' file.
>>     Warning: The file '/usr/bin/ssh' exists on the system, but it is
>> not present in the 'rkhunter.dat' file.
>>     Warning: The file '/usr/bin/telnet' exists on the system, but it
>> is not present in the 'rkhunter.dat' file.
>>  
> You should have run 'rkhunter --propupd' after installing the new
> release of RKH.
>
> From the RKH CHANGELOG file for release 1.4.2:
>
>  - The 'ssh', 'sshd' and 'telnet' commands are now checked as part of
>    the file properties test.
>
>
> So these commands are now being checked automatically.
> Run 'rkhunter --propupd'.

Thanks!  I'm beginning to wonder if rkhunter is ever going to find any
real intrusions for me if I keep on having to run 'rkhunter --propupd'.
A clever intruder is just going to wait until a batch of changes goes out
and then add their trojan.  The --propupd is going to approve it in the
sweep and it will have succeeded in coming in under the wire.  To be
useful rkhunter really needs to know how to identify changed files by
knowing the hashes, sizes etc without grabbing them from the local
system.

-wolfgang
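
The concern raised in this message, as an added example that is not part of the original post and is not rkhunter code: a baseline rebuilt from the local disk after a file has changed reports nothing, while the same check against hashes recorded off-host flags the change. The function names, the dict-based manifest and the stand-in file are assumptions made for illustration.

```python
import hashlib
import os


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def local_baseline(paths):
    """Baseline built from the local system: trusts whatever is on disk now."""
    return {p: sha256_of(p) for p in paths}


def check(paths, baseline):
    """Compare files on disk with a baseline; return {path: reason}."""
    findings = {}
    for p in paths:
        if p not in baseline:
            findings[p] = "not in baseline"
        elif not os.path.exists(p):
            findings[p] = "missing on disk"
        elif sha256_of(p) != baseline[p]:
            findings[p] = "hash mismatch"
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in file, not a real sshd binary.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sshd")
        with open(target, "wb") as f:
            f.write(b"vendor build 1")
        # Hash recorded off-host, e.g. taken from the vendor's package metadata.
        external = {target: hashlib.sha256(b"vendor build 1").hexdigest()}
        with open(target, "wb") as f:
            f.write(b"tampered build")
        refreshed = local_baseline([target])  # baseline rebuilt after the change
        print("local baseline:", check([target], refreshed))
        print("external manifest:", check([target], external))
```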

