Re: rkhunter / chkrootkit
Hi Rick,
> Why don't you make a copy of one or more of those binaries, then
> re-retrieve and install the Woody package of the same release, and
> compare md5sums of the resulting binaries? (Note that you should make
> very sure it's the same release, or you'll get a different md5sum for
> entirely innocent reasons.)
Indeed, I could do that. After I got in contact with one of the
maintainers, the previous advice to --update the md5sums from the
rkhunter server solved the problem; it was not an irregularity
on the Debian server. So they have updated it now, which was required.
> > Checking /dev for suspicious files... [ Warning! (unusual files found) ]
> Well? What files? The fact that rkhunter has an opinion is not, by
> itself, particularly interesting. You either have to know rkhunter
> very, very well, such that you have a high degree of faith in its
> opinions, or need to investigate for yourself what it claims is
> suspicious. Preferably both.
I don't know which files, as there was no output, and by the way it was
the first time I used rkhunter.
> > - ProFTPd 1.2.5rc1 [Vulnerable ]
> > - OpenSSH 3.4p1 [Vulnerable ]
> > - GnuPG 1.0.6 [Vulnerable ]
> Well? _Are_ those actually vulnerable, or is rkhunter making bad
> assumptions? If you are running a conventional woody system, then
> you're receiving backported security fixes -- which does not change the
> package version number. Ergo, if rkhunter is stating the foregoing
> strictly on the basis of version numbers, then it is making a common
> elementary error.
Hm, to be honest I wasn't able to read the source code, but I don't think
that my ProFTPd is vulnerable, and I have to agree that rkhunter is not
able to detect the correct version, so you're right.
> > Incorrect MD5 checksums: 6
> Which ones? And on what basis is it saying they're incorrect? You
> don't say.
The binaries mentioned above.
--
Best Regards,
Mark
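The comparison Rick proposes in the thread (a fresh copy of the package's md5sums checked against what is actually installed), as an added example that is not part of the original e-mail exchange. The script below is POSIX sh and assumes a dpkg-style md5sums list (the "<md5>  <relative path>" format of /var/lib/dpkg/info/<package>.md5sums); the fake root, the file contents and the "gpg" entry with an invented checksum are constructed here so it runs offline. The function names are my own, not rkhunter's or dpkg's.

```sh
#!/bin/sh
# Added example (not from the original thread): check installed files against
# a dpkg-style md5sums list, the comparison Rick suggests in the reply above.
#
# On a real Debian system the list for a package is
#   /var/lib/dpkg/info/<package>.md5sums
# but that copy sits on the same disk a rootkit may have altered, so the
# trusted list should come from a freshly downloaded .deb of the SAME
# release (dpkg-deb --fsys-tarfile pkg.deb | tar -xO ./usr/sbin/sshd | md5sum),
# otherwise innocent differences between Debian revisions show up as mismatches.

# md5_of <file>: print the md5 hex digest of a file (coreutils or openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 < "$1" | sed 's/.* //'
    fi
}

# check_md5sums <md5sums-list> <root>
# Prints one line per missing or altered file and returns the number of
# problems found, so 0 means every listed file matched.
# Paths in the list are relative to <root> (relative to / for a real system).
check_md5sums() {
    list=$1
    root=$2
    bad=0
    while read -r want path; do
        [ -n "$want" ] || continue            # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        got=$(md5_of "$f")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path expected=$want got=$got"
            bad=$((bad + 1))
        fi
    done < "$list"
    return "$bad"
}

# make_fixture: build a constructed fake root with a "genuine" md5sums list,
# then trojan one binary and leave one listed file absent. Prints the root.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/sbin" "$dir/usr/bin"
    printf 'genuine sshd\n'    > "$dir/usr/sbin/sshd"
    printf 'genuine proftpd\n' > "$dir/usr/sbin/proftpd"
    {
        printf '%s  usr/sbin/sshd\n'    "$(md5_of "$dir/usr/sbin/sshd")"
        printf '%s  usr/sbin/proftpd\n' "$(md5_of "$dir/usr/sbin/proftpd")"
        # constructed entry for a file that is not installed at all
        printf '%s  usr/bin/gpg\n'      "d41d8cd98f00b204e9800998ecf8427e"
    } > "$dir/pkg.md5sums"
    printf 'trojaned proftpd\n' > "$dir/usr/sbin/proftpd"   # simulate tampering
    echo "$dir"
}

# Stand-alone run on the constructed fixture.
demo_root=$(make_fixture)
check_md5sums "$demo_root/pkg.md5sums" "$demo_root"
echo "problems found: $?"
rm -rf "$demo_root"
```

The return code is the count of problems, which makes the check easy to script around; the report names each file so there is never an "incorrect checksums: 6" with no list, the gap Rick complains about. Before trusting a mismatch, confirm the package revision with `dpkg-query -W -f='${Version}\n' <package>` and compare it to the .deb you fetched: Woody security updates change the Debian revision but not the upstream version, so a version-string-only scanner will both miss that and flag patched software as vulnerable.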