I'm running rkhunter 1.3.8 on a CentOS 5.7 box.
Last night, rkhunter's regular run warned me that:
    /bin/bash
    /bin/csh
    /bin/more
    /bin/sh
    /bin/tcsh
had all changed.
This isn't necessarily bad, because I'm actively configuring the box and
have been installing a lot of software. All rkhunter's other checks come
up clean.
I ran rkhunter --propupd, and now rkhunter tells me that it doesn't have
any hashes for the files in question, which I take to mean that they
haven't been prelinked. Checking with
    prelink --verify --sha /bin/bash
reports that
    at least one of file's dependencies has changed since prelinking
My question is: is there a way to find out which dependency has been
changed? If I knew why these warnings are coming up, that might help me
decide whether it's cause for alarm or not.
My secondary question is: does that particular combination of changed
files sound familiar to anyone? Is it a case of "Yeah, that'll happen,
don't worry about it", or "Ohmigod! It's the 5udd3nD34th rootkit! Run
screaming for the hills!"?
Thanks,
Angus
_______________________________________________
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users