Strange RKHunter MD5 BAD Find

#1 12-20-2005, 04:18 AM

MD5 compared: 51
Incorrect MD5 checksums: 4

Strange rkhunter find yesterday after the daily cron check.
There was no update yesterday as the file dates are way back last month.

No BAD report till yesterday.

Any one else found this on their VPS?

Anyone have a clue as to why all of sudden these files come up BAD?

Thanks for any light on this.

First reported after daily cron check 19/12/2005 6:20:21PM
Next daily cron check 20/12/2005 6:20:19PM
Still BAD after rkhunter --update 20/12/2005 6:40:00PM

/bin/dmesg [ BAD ] 18/11/2005 2:24:25PM
/bin/kill [ BAD ] 18/11/2005 2:24:25PM
/bin/login [ BAD ] 18/11/2005 2:24:25PM
/bin/mount [ BAD ] 18/11/2005 2:24:25PM

These are the only other files with the same dates in /bin/:
/bin/arch 18/11/2005 2:24:25PM
/bin/more 18/11/2005 2:24:25PM
/bin/unmount 18/11/2005 2:24:25PM

PvUtrix · #2 12-20-2005, 05:32 AM

Yep, same thing here...

rkhunter --update doesn't help...

#3 12-20-2005, 06:40 AM

I whitelisted those files by adding the md5 hashing into the rkhunter.conf file located in /usr/local/etc

perl /usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl location of file

chief · #4 12-20-2005, 10:19 AM

Same thing here, except there were no programs listed just [BAD] in the e-mail. Charles?

#5 12-20-2005, 10:49 AM

The package in your system is newer than in rhhunter database. When Michael Boelen (the author of rkhunter) will update rkhunter database for RH everything will be ok. I checked all binaries manually and checksum matches with the signature of rpm.

dario · #6 12-20-2005, 11:15 AM

All those files are part of util-linux package. Fedora released yesterday updated package. If you have yum running as cron job, that could be answer. They are updated.

Dario

#7 12-20-2005, 11:52 AM

Thanks for posting this. I've been getting 5 "Line: [ BAD ]" entries the last couple of days.

#8 12-24-2005, 03:01 AM

Quote:

Originally Posted by Sergey

The package in your system is newer than in rhhunter database. When Michael Boelen (the author of rkhunter) will update rkhunter database for RH everything will be ok. I checked all binaries manually and checksum matches with the signature of rpm.

Still not convinced, as the day before I noticed it there was no changes to the system or the files and there was no BAD files. Check out the dates in my original post. These are fact not theory.
The next day there was still no changes to the system or the files yet rkhunter decided there were 4 files with BAD checksums. Obviously something changed but not the files as the dates are indicative of no change for a month. Rkhunter has not been upgraded by me for over a month. Did something happen at the VPS level that I have not been made aware of perhaps?
Anyway, its all Dutch to me

.

#9 12-25-2005, 08:31 AM

I didn't get the names of the BAD files either.

Is there a way to update rkhunter to show the filenames in the report, before I'm too far gone?

--
Norm

#10 12-25-2005, 10:19 AM

What do you get when you type rkhunter -c at the shell prompt?

Also at the shell prompt type rkhunter -h will give you the parameters.

The daily cron looks like this on my server.
/etc/cron.daily/rkhunter.sh

Code:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" youremail@youraddress)

Replace youremail@youraddress with yours.
HTH