Re: rootkithunter gives warnings for sh and perl
Try rkhunter --update
Then check your system again. I don't have installed this tool.
2013/2/3 Bob Proulx <bob@proulx.com>:
> sp11 wrote:
>> [23:01:57] Warning: The file properties have changed:
>
> Changed from what?
>
>> [23:01:57] File: /bin/sh
>> [23:01:57] Current hash: add19e504c254758f2ea8dcda3821c77fafb4923
>> [23:01:57] Stored hash : 3e4f053d7520819f5e45a7792c972b05e4ff234e
>> [23:01:57] Current inode: 1958022 Stored inode: 1957896
>> [23:01:57] Current file modification time: 1359928637 (03-Feb-2013 22:57:17)
>> [23:01:57] Stored file modification time : 1342538237 (17-Jul-2012 17:17:17)
>>
>>
>> [23:02:04] Warning: The file properties have changed:
>> [23:02:04] File: /usr/bin/perl
>> [23:02:04] Current hash: 13e50d52280d120bf8c71c7eaf4e7431c9afa392
>> [23:02:04] Stored hash : f62bbb9e85d386d16f97ea0f3e8afaaf36a36696
>
> On my up to date Squeeze amd64 system:
>
> $ sha1sum /bin/bash /usr/bin/perl
> add19e504c254758f2ea8dcda3821c77fafb4923 /bin/bash
> 13e50d52280d120bf8c71c7eaf4e7431c9afa392 /usr/bin/perl
>
> They match your versions. So I would say that whatever is happening
> here that it is a false positive.
>
> I would guess that rkhunter has cached values for those files and that
> those cached values are stale. Figure out where it is getting those
> stored values from and update them.
>
> Bob
Reply to: