
Re: rkhunter / chkrootkit



Incoming from Mark-Walter@t-online.de:
> 
> chkrootkit found nothing but rkhunter found quite a lot:
> 
> /bin/login /bin/su /usr/bin/locate /usr/sbin/useradd /usr/sbin/usermod
> /usr/sbin/vip
> 
> All these binaries have been alerted within rkhunter.
> 
> I got a message like this [ and there was indeed a Debian
> update of passwd(login) but to be sure I need really competent
> advice]:
> 
> Rootkit Hunter found some bad or unknown hashes. This can be happen due
> replaced binaries or updated packages (which give other hashes). Be sure
> your hashes are fully updated (rkhunter --update). If you're in doubt
> about these hashes, contact the author ...
> 
> And another alert was this:
> 
>   Checking /dev for suspicious files...                      [ Warning!
>   (unusual files found) ]
> 
> What's up now? I would expect someone has replaced my /bin/login

 - what version of chkrootkit are you running?  Latest is 0.44.

 - rkhunter appears to only be showing a "tripwire" sort of alert.
   Its recognition of what's on the system apparently wasn't updated
   when you installed new software, and that would be the mistake you
   made that's causing this confusion.

So, I'd say the prudent things to do are:

 - install and run the latest chkrootkit.

 - rkhunter --update

However, I don't run rkhunter.  Is there an rkhunter-users mailing
list anywhere?  Perhaps you can check their archive?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)    http://www.spots.ab.ca/~keeling      Please don't Cc: me.
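
Added example (not part of the original message): one way to tell an updated package from a replaced binary is to compare each flagged file against the owning package's checksum manifest. It assumes Debian's `/var/lib/dpkg/info/<package>.md5sums` format; the function name `verify_file` and the script name `verify.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: check files against a dpkg-style md5sums manifest.
# Manifest lines look like "<md5>  bin/login" (path relative to the root).

# verify_file MANIFEST ROOT PATH
# Prints one status line and returns:
#   0 OK        hash matches the manifest
#   1 MISMATCH  file differs from what the package shipped
#   2 UNKNOWN   path is not listed in this manifest
#   3 MISSING   listed in the manifest but absent on disk
verify_file() {
    manifest=$1
    root=$2
    rel=${3#/}          # manifests store paths without the leading slash

    # Look up the expected hash; tolerate md5sum's "*" binary-mode marker.
    expected=$(awk -v p="$rel" \
        '{ f = $2; sub(/^\*/, "", f) } f == p { print $1; exit }' "$manifest")

    if [ -z "$expected" ]; then
        echo "UNKNOWN $rel"; return 2
    fi
    if [ ! -f "$root/$rel" ]; then
        echo "MISSING $rel"; return 3
    fi

    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $rel"; return 0
    fi
    echo "MISMATCH $rel"; return 1
}

# Script mode: verify.sh MANIFEST PATH...
# e.g. verify.sh /var/lib/dpkg/info/login.md5sums /bin/login /bin/su
if [ "$#" -ge 2 ]; then
    mf=$1; shift
    rc=0
    for p in "$@"; do
        verify_file "$mf" / "$p" || rc=1
    done
    exit "$rc"
fi
```

A manifest read from the suspect disk is only as trustworthy as that disk, so for a real decision take the manifest from a freshly downloaded copy of the package.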