
Re: rkhunter / chkrootkit



Quoting Mark-Walter@t-online.de (Mark-Walter@t-online.de):

> Rootkit Hunter found some bad or unknown hashes. This can happen due to
> replaced binaries or updated packages (which give other hashes). Be sure
> your hashes are fully updated (rkhunter --update). If you're in doubt
> about these hashes, contact the author ...

Why don't you make a copy of one or more of those binaries, then
re-retrieve and install the Woody package of the same release, and
compare md5sums of the resulting binaries?  (Note that you should make
very sure it's the same release, or you'll get a different md5sum for
entirely innocent reasons.)
 
> And another alert was this:
> 
>   Checking /dev for suspicious files...                      [ Warning! (unusual files found) ]

Well?  What files?  The fact that rkhunter has an opinion is not, by
itself, particularly interesting.  You either have to know rkhunter
very, very well, such that you have a high degree of faith in its
opinions, or need to investigate for yourself what it claims is
suspicious.  Preferably both.

> What's up now? I would expect someone has replaced my /bin/login
> binary, which makes me feel unhappy, or is there nothing to
> worry about?
> 
> - ProFTPd 1.2.5rc1                                         [Vulnerable ]
> - OpenSSH 3.4p1                                            [Vulnerable ]
> - GnuPG 1.0.6                                              [Vulnerable ]

Well?  _Are_ those actually vulnerable, or is rkhunter making bad
assumptions?  If you are running a conventional woody system, then
you're receiving backported security fixes -- which does not change the
package version number.  Ergo, if rkhunter is stating the foregoing
strictly on the basis of version numbers, then it is making a common
elementary error.

> At last there were these error messages:
> 
> Incorrect MD5 checksums: 6

Which ones?  And on what basis is it saying they're incorrect?  You
don't say.

-- 
Cheers,                 There are 10 kinds of people in the world, those who 
Rick Moen               know ternary, those who don't, and those who are now 
rick@linuxmafia.com     looking for their dictionaries.  -- Ron Fabre
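The two checks Rick asks for above, as an added example that is not part of the original thread and not Rick's or rkhunter's code: compare each flagged binary against a pristine copy of the same Debian package instead of trusting a bare "bad hash" verdict, and split a dpkg version string so the Debian revision (where woody's backported fixes show up) is visible next to the upstream version that rkhunter keys on. The reference tree is assumed to come from re-fetching the package of the same release (for example `apt-get --download-only --reinstall install login` and then `dpkg-deb -x /var/cache/apt/archives/login_*.deb "$refdir"`), fetched from a Debian mirror rather than taken from the suspect host's own cache. The version strings in the comments and the files built by the test are constructed for illustration, not real package data.

```sh
#!/bin/sh
# Added example, not from the original thread.  Runs offline: it only needs
# md5sum and cut.  REFDIR is assumed to be a tree unpacked with
# "dpkg-deb -x <same release's .deb> REFDIR"; LIVEROOT is normally "/".

# check_against_ref REFDIR LIVEROOT PATH...
# For each absolute PATH, compare the md5 of LIVEROOT/PATH with REFDIR/PATH.
# Prints one verdict line per file and returns the number of files that did
# not match (0 means every flagged file is identical to the package copy).
check_against_ref() {
    refdir=$1; liveroot=$2; shift 2
    bad=0
    for p in "$@"; do
        ref="$refdir$p"
        live="$liveroot$p"
        if [ ! -f "$ref" ]; then
            # The package does not ship this path: the reference is wrong
            # (different release/package) or the file is not from this package.
            printf 'NOREF    %s (not shipped in the reference package)\n' "$p"
            bad=$((bad + 1)); continue
        fi
        if [ ! -f "$live" ]; then
            printf 'MISSING  %s (present in package, absent on host)\n' "$p"
            bad=$((bad + 1)); continue
        fi
        rsum=$(md5sum < "$ref" | cut -d' ' -f1)
        lsum=$(md5sum < "$live" | cut -d' ' -f1)
        if [ "$rsum" = "$lsum" ]; then
            printf 'OK       %s %s\n' "$p" "$rsum"
        else
            # A mismatch against a same-release reference is worth chasing;
            # a mismatch against a different release proves nothing.
            printf 'MISMATCH %s live=%s package=%s\n' "$p" "$lsum" "$rsum"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# split_version DPKG_VERSION
# Prints "epoch upstream revision" for a dpkg version string as shown by
# "dpkg -s <pkg> | grep ^Version".  A constructed example: "1:3.4p1-1woody3"
# gives "1 3.4p1 1woody3".  A scanner that only looks at the upstream part
# ("3.4p1") cannot tell a fixed "-1woody3" from an unfixed "-1" build; the
# revision is what has to be compared against the Debian security advisory.
split_version() {
    v=$1; epoch=0
    case $v in *:*) epoch=${v%%:*}; v=${v#*:};; esac
    case $v in
        *-*) printf '%s %s %s\n' "$epoch" "${v%-*}" "${v##*-}";;   # last '-' starts the revision
        *)   printf '%s %s\n' "$epoch" "$v";;                       # native package, no revision
    esac
}

# Stand-alone use:  sh check.sh REFDIR LIVEROOT /bin/login /bin/ls ...
if [ "$#" -ge 3 ]; then
    check_against_ref "$@"
fi
```

Run it with the reference tree first, then compare the `MISMATCH` lines with what rkhunter reported: a flagged file that comes back `OK` against a same-release package is a stale rkhunter hash database, not a rootkit, while a genuine mismatch is the point at which to pull the box off the network and image it before touching anything else.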
