
Re: rkhunter warning meaning



On Tue, 05 Nov 2013 15:12:38 +0100
François Patte <francois.patte@mi.parisdescartes.fr> wrote:

> Hello,
> 
> I have some warnings from rkhunter:
> 
> 
> Warning: The file properties have changed:
>          File: /usr/sbin/rsyslogd
>          Current hash: 99fd3e8be4e7b9f553d52f6837eef50ebcebadc8
>          Stored hash : 2acece0875f8c6156c1f05df71e8c83c91dea2d0
>          Current inode: 523303    Stored inode: 523309
>          Current size: 522304    Stored size: 522400
>          Current file modification time: 1378296534 (04-sept.-2013 14:08:54)
>          Stored file modification time : 1374534377 (23-juil.-2013 01:06:17) W
> 
> 
> What do they mean?
> 
>

This is either exactly what you run rkhunter to find, or more likely,
you have just upgraded the rsyslog package. Before upgrading a system
with any kind of intrusion detection software, you need to run it to
check the system is clean first, then run it again after the upgrade
with the appropriate parameter (--propupd in the case of rkhunter) set.
This will update the detection database.

If you *haven't* just upgraded rsyslog, you should start hunting the
intruder... but you're probably OK. From my sid system:

joe@jresid:~$ ls -l /usr/sbin/rsyslogd
-rwxr-xr-x 1 root root 522304 Sep  4 13:08 /usr/sbin/rsyslogd
joe@jresid:~$ sha1sum /usr/sbin/rsyslogd
99fd3e8be4e7b9f553d52f6837eef50ebcebadc8  /usr/sbin/rsyslogd

-- 
Joe
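
One way to test the "you have just upgraded the package" explanation from the reply above, as an added example that is not part of the original thread: compare the binary with the MD5 its package recorded and look for an upgrade entry in the dpkg log. It goes slightly beyond the reply by automating both checks; the function names are hypothetical, and a Debian-style layout (/var/lib/dpkg/info/*.md5sums, /var/log/dpkg.log) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): triage an rkhunter
# "file properties have changed" warning on a Debian-style system.
# All paths are parameters so the functions also work on a mounted image.

# verify_packaged_file MD5SUMS_FILE ROOT REL_PATH
# MD5SUMS_FILE uses dpkg's format: "<md5>  <path without leading slash>".
# Returns 0 on match, 1 on mismatch, 2 if REL_PATH is not listed.
verify_packaged_file() {
    sums=$1 root=$2 rel=$3
    want=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$sums")
    [ -n "$want" ] || return 2
    have=$(md5sum "$root/$rel" 2>/dev/null | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# last_upgrade DPKG_LOG PACKAGE
# Prints the most recent "DATE TIME upgrade pkg[:arch] old new" line
# for PACKAGE; prints nothing if the log records no upgrade.
last_upgrade() {
    awk -v p="$2" '
        $3 == "upgrade" { n = $4; sub(/:.*/, "", n); if (n == p) l = $0 }
        END { if (l) print l }' "$1"
}

# triage MD5SUMS_FILE ROOT REL_PATH DPKG_LOG PACKAGE
# Prints one verdict word for the changed file.
triage() {
    rc=0
    verify_packaged_file "$1" "$2" "$3" || rc=$?
    up=$(last_upgrade "$4" "$5")
    if [ "$rc" -eq 0 ] && [ -n "$up" ]; then
        echo "upgrade-explained"      # safe to run rkhunter --propupd
    elif [ "$rc" -eq 0 ]; then
        echo "matches-package-no-upgrade-logged"
    else
        echo "investigate"            # file differs from packaged copy
    fi
}

# Example call on a live system:
#   triage /var/lib/dpkg/info/rsyslog.md5sums / usr/sbin/rsyslogd \
#          /var/log/dpkg.log rsyslog
if [ "$#" -eq 5 ]; then
    triage "$@"
fi
```

The md5sums list and the log both live on the host being checked, so a match only supports the upgrade explanation; compare against a freshly downloaded package when the host itself is in doubt.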

