Re: rootkithunter gives warnings for sh and perl.SOLVED
On Sun, 3 Feb 2013 15:49:33 -0700
Bob Proulx <bob@proulx.com> wrote:
> sp11 wrote:
> > [23:01:57] Warning: The file properties have changed:
>
> Changed from what?
>
> > [23:01:57] File: /bin/sh
> > [23:01:57] Current hash: add19e504c254758f2ea8dcda3821c77fafb4923
> > [23:01:57] Stored hash : 3e4f053d7520819f5e45a7792c972b05e4ff234e
> > [23:01:57] Current inode: 1958022 Stored inode: 1957896
> > [23:01:57] Current file modification time: 1359928637 (03-Feb-2013 22:57:17)
> > [23:01:57] Stored file modification time : 1342538237 (17-Jul-2012 17:17:17)
> >
> >
> > [23:02:04] Warning: The file properties have changed:
> > [23:02:04] File: /usr/bin/perl
> > [23:02:04] Current hash: 13e50d52280d120bf8c71c7eaf4e7431c9afa392
> > [23:02:04] Stored hash : f62bbb9e85d386d16f97ea0f3e8afaaf36a36696
>
> On my up to date Squeeze amd64 system:
>
> $ sha1sum /bin/bash /usr/bin/perl
> add19e504c254758f2ea8dcda3821c77fafb4923 /bin/bash
> 13e50d52280d120bf8c71c7eaf4e7431c9afa392 /usr/bin/perl
>
> They match your versions. So I would say that whatever is happening
> here, it is a false positive.
>
> I would guess that rkhunter has cached values for those files and that
> those cached values are stale. Figure out where it is getting those
> stored values from and update them.
>
> Bob
Then the values in /var/lib/rkhunter/db/rkhunter.dat are wrong.
I reinstalled rkhunter and the warnings don't appear now.
Thanks for your prompt answer!
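
Added example, not part of the original thread: a Python sketch of the check done by hand above, comparing the "Current hash" from each rkhunter warning with `sha1sum` output taken on a trusted, up-to-date host before deciding that the stored baseline is stale. The function names and verdict labels are assumptions, and the sample inputs are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the warning entries quoted in the thread, one per line.
SAMPLE_LOG = """\
[23:01:57] Warning: The file properties have changed:
[23:01:57] File: /bin/sh
[23:01:57] Current hash: add19e504c254758f2ea8dcda3821c77fafb4923
[23:01:57] Stored hash : 3e4f053d7520819f5e45a7792c972b05e4ff234e
[23:02:04] Warning: The file properties have changed:
[23:02:04] File: /usr/bin/perl
[23:02:04] Current hash: 13e50d52280d120bf8c71c7eaf4e7431c9afa392
[23:02:04] Stored hash : f62bbb9e85d386d16f97ea0f3e8afaaf36a36696
"""
# Constructed sample: sha1sum output from a trusted host (values from the thread).
SAMPLE_REFERENCE = """\
add19e504c254758f2ea8dcda3821c77fafb4923  /bin/bash
13e50d52280d120bf8c71c7eaf4e7431c9afa392  /usr/bin/perl
"""

FIELD = re.compile(r"^\[[\d:]+\]\s+(File|Current hash|Stored hash)\s*:\s*(\S+)")

def parse_warnings(log_text):
    """Return {path: {"current": sha1, "stored": sha1}} for each changed file."""
    changes, path = {}, None
    for line in log_text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # inode, mtime and other lines are not needed here
        key, value = m.groups()
        if key == "File":
            path = value
            changes[path] = {}
        elif path is not None:
            changes[path][key.split()[0].lower()] = value
    return changes

def parse_sha1sum(text):
    """Map hash -> path from `sha1sum` output lines."""
    pairs = (line.split(None, 1) for line in text.splitlines())
    return {p[0].lower(): p[1].strip().lstrip("*") for p in pairs if len(p) == 2}

def triage(log_text, reference_text):
    """Classify each changed file against the trusted reference hashes."""
    ref = parse_sha1sum(reference_text)
    verdicts = {}
    for path, hashes in parse_warnings(log_text).items():
        match = ref.get(hashes.get("current", "").lower())
        verdicts[path] = ("stale-baseline", match) if match else ("investigate", None)
    return verdicts
```

Matching is by hash value rather than path, so the result also names which reference binary a file corresponds to; a warning whose current hash is missing or unknown to the reference is left as "investigate" rather than assumed benign.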