On Tue, 2012-02-14 at 08:27 -0500, Angus McIntyre wrote: > Checking with > > prelink --verify --sha /bin/bash > > reports that > > at least one of file's dependencies has changed since prelinking > > My question is: is there a way to find out which dependency has been > changed? > Not that I know of. Whatever library calls '/bin/bash' makes one or more have changed, and you would need to determine which file (library) contained the functions/subroutines being called.
> > My secondary question is: does that particular combination of changed > files sound familiar to anyone? > Yup. > Is it a case of "Yeah, that'll happen, don't worry about it", or > "Ohmigod! It's the 5udd3nD34th rootkit! Run screaming for the hills!"? > Yup, it happens. I tend to do 'grep prelink /var/log/rkhunter.log', and if there are only a few files mentioned then just manually prelink them: prelink /bin/bash /bin/cash /bin/more... then run 'rkhunter --propupd'. If there has been an update to 'glibc' (typically) then you may find loads of files reporting prelink problems. In that case 'prelink -qa' usually handles it (again run 'rkhunter --propupd' afterwards). John. -- John Horne Tel: +44 (0)1752 587287 Plymouth University, UK Fax: +44 (0)1752 587001 ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Rkhunter-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/rkhunter-users
