
rkhunter, changed files = problems?



Hello,

Starting Oct. 2nd, rkhunter has started to log warnings about changed
files.
At first I thought "ok", it's probably because I usually do an "aptitude
full-upgrade" once every day or so, running SID, i386. But now I'm not
so sure...

Can anyone help me verify this as a false positive or a real problem?

It's my home firewall/desktop, nothing fancy, only apache and ssh
open, I'm the only user.

Regards, david.

[10:10:18] /bin/dmesg
[ Warning ]
[10:10:18] Warning: The file properties have changed:
[10:10:18]          File: /bin/dmesg
[10:10:18]          Current inode: 830723    Stored inode: 830720
[10:10:18]          Current file modification time: 1191297943
[10:10:18]          Stored file modification time : 1190434387
[10:10:19] /bin/echo                                         [ OK ]
[10:10:20] /bin/ed                                           [ OK ]
[10:10:21] /bin/egrep
[ Warning ]
[10:10:21] Warning: The file properties have changed:
[10:10:21]          File: /bin/egrep
[10:10:21]          Current hash:
7cd73efc63c459ab8a482babc041c5826f5cecb5
[10:10:21]          Stored hash :
a2b3ad467d144ca1ffdb3bea0df2e118dd530792
[10:10:21]          Current inode: 830756    Stored inode: 831002
[10:10:22]          Current size: 92468    Stored size: 92276
[10:10:22]          Current file modification time: 1191499712
[10:10:22]          Stored file modification time : 1189060044
[10:10:22] Info: Found file '/bin/egrep': it is whitelisted for the
'script replacement' check.
[10:10:23] /bin/fgrep
[ Warning ]
[10:10:23] Warning: The file properties have changed:
[10:10:23]          File: /bin/fgrep
[10:10:23]          Current hash:
e7dba608e2b07a4c8f58ef845698c5ce71d629d5
[10:10:23]          Stored hash :
2c46a7a7bef4ce1c90e39b1acf6cd33d757c3262
[10:10:24]          Current inode: 830834    Stored inode: 831003
[10:10:24]          Current size: 52912    Stored size: 51248
[10:10:24]          Current file modification time: 1191499712
[10:10:24]          Stored file modification time : 1189060044
[10:10:24] Info: Found file '/bin/fgrep': it is whitelisted for the
'script replacement' check.
[10:10:25] /bin/grep
[ Warning ]
[10:10:25] Warning: The file properties have changed:
[10:10:25]          File: /bin/grep
[10:10:25]          Current hash:
a0989f2cd518f36254f8c247a4a8c5e250e2f9d8
[10:10:26]          Stored hash :
983854833309906246a0b1e34f1ba04ebb6d0651
[10:10:26]          Current inode: 830755    Stored inode: 831001
[10:10:26]          Current size: 100468    Stored size: 96372
[10:10:26]          Current file modification time: 1191499712
[10:10:26]          Stored file modification time : 1189060044
[10:10:27] /bin/ip                                           [ OK ]
[10:10:28] /bin/kill
[ Warning ]
[10:10:28] Warning: The file properties have changed:
[10:10:29]          File: /bin/kill
[10:10:29]          Current inode: 830772    Stored inode: 830725
[10:10:29]          Current file modification time: 1191589008
[10:10:29]          Stored file modification time : 1189455008
[10:10:30] /bin/login                                        [ OK ]
[10:10:31] /bin/ls                                           [ OK ]
[10:10:31] /bin/lsmod                                        [ OK ]
[10:10:32] /bin/mktemp                                       [ OK ]
[10:10:33] /bin/more
[ Warning ]
[10:10:34] Warning: The file properties have changed:
[10:10:34]          File: /bin/more
[10:10:34]          Current inode: 830724    Stored inode: 830721
[10:10:34]          Current file modification time: 1191297943
[10:10:34]          Stored file modification time : 1190434387
[10:10:35] /bin/mount
[ Warning ]
[10:10:35] Warning: The file properties have changed:
[10:10:35]          File: /bin/mount
[10:10:35]          Current hash:
1a878ee3c6d0d320260e472e4f9761e582413a43
[10:10:36]          Stored hash :
d1474694f1390da8dcc3fca5198599cd46d165fc
[10:10:36]          Current inode: 830721    Stored inode: 830866
[10:10:36]          Current size: 61264    Stored size: 60976
[10:10:36]          Current file modification time: 1191297943
[10:10:36]          Stored file modification time : 1190434387
[10:10:37] /bin/mv                                           [ OK ]
[10:10:38] /bin/netstat                                      [ OK ]
[10:10:39] /bin/ps
[ Warning ]
[10:10:39] Warning: The file properties have changed:
[10:10:39]          File: /bin/ps
[10:10:39]          Current inode: 830865    Stored inode: 830751
[10:10:39]          Current file modification time: 1191589008
[10:10:40]          Stored file modification time : 1189455008
[10:10:40] /bin/pwd                                          [ OK ]
[10:10:41] /bin/readlink                                     [ OK ]
[10:10:42] /bin/sed
[ Warning ]
[10:10:42] Warning: The file properties have changed:
[10:10:42]          File: /bin/sed
[10:10:42]          Current hash:
f157d60c55e7d5d90392feb5ab78613a491538f7
[10:10:43]          Stored hash :
4c933909719f1ac21794157d32fa3edf6efe1a02
[10:10:43]          Current inode: 830833    Stored inode: 830747
[10:10:43]          Current size: 40436    Stored size: 40308
[10:10:43]          Current file modification time: 1191079864
[10:10:43]          Stored file modification time : 1187193844
[10:10:44] /bin/sh                                           [ OK ]
[10:10:45] /bin/su                                           [ OK ]
[10:10:46] /bin/touch                                        [ OK ]
[10:10:47] /bin/uname                                        [ OK ]
[10:10:48] /bin/which
[ Warning ]
[10:10:48] Warning: The file properties have changed:
[10:10:48] Warning: The file properties have changed:
[10:10:48]          File: /bin/which
[10:10:49]          Current inode: 830831    Stored inode: 830863
[10:10:49]          Current file modification time: 1191159100
[10:10:49]          Stored file modification time : 1190225529
[10:10:49] Info: Found file '/bin/which': it is whitelisted for the
'script replacement' check.
[10:10:50] /bin/tcsh                                         [ OK ]
...
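
A triage sketch for the log above, added here as an example and not part of the original post: it parses the warning entries and groups the flagged files by identical modification time, since binaries replaced together by one package upgrade often share a timestamp. The sample log is constructed from paths and timestamps in the post, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: four entries in the format of the log above, using
# paths and timestamps from the post (hash, inode and size lines omitted).
SAMPLE_LOG = """\
[10:10:18]          File: /bin/dmesg
[10:10:18]          Current file modification time: 1191297943
[10:10:18]          Stored file modification time : 1190434387
[10:10:21]          File: /bin/egrep
[10:10:22]          Current file modification time: 1191499712
[10:10:22]          Stored file modification time : 1189060044
[10:10:25]          File: /bin/grep
[10:10:26]          Current file modification time: 1191499712
[10:10:26]          Stored file modification time : 1189060044
[10:10:34]          File: /bin/more
[10:10:34]          Current file modification time: 1191297943
[10:10:34]          Stored file modification time : 1190434387
"""

FILE_RE = re.compile(r"\]\s+File: (\S+)")
MTIME_RE = re.compile(r"\]\s+(Current|Stored) file modification time\s*: (\d+)")

def parse_changes(log_text):
    """Return {path: {'Current': epoch, 'Stored': epoch}} per warned file."""
    changes, path = {}, None
    for line in log_text.splitlines():
        m = FILE_RE.search(line)
        if m:
            path = m.group(1)
            changes.setdefault(path, {})
        m = MTIME_RE.search(line)
        if m and path:
            changes[path][m.group(1)] = int(m.group(2))
    return changes

def cluster_by_mtime(changes, key="Current"):
    """Group files whose mtime is identical; a lone file stands out for review."""
    groups = defaultdict(list)
    for path, times in changes.items():
        if key in times:
            groups[times[key]].append(path)
    return dict(groups)

if __name__ == "__main__":
    for ts, paths in sorted(cluster_by_mtime(parse_changes(SAMPLE_LOG)).items()):
        print(datetime.fromtimestamp(ts, tz=timezone.utc).date(), *sorted(paths))
```

On the host itself, `dpkg -S /bin/grep` names the package that owns a flagged file and `debsums` compares installed files against the checksums shipped with the package. Once the changes are confirmed as upgrades, `rkhunter --propupd` refreshes the stored properties.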


