Re: [Rkhunter-users] missing hashes 3
Dan wrote:

>> Are you still getting persistent prelink errors? I have not had these for a very long time, and usually found that simply running 'prelink filename' resolves any prelink problem.
>
> Unfortunately so. It only happens on two binaries now but this is on all my fully patched/updated CentOS 4.x boxes
>
>     # prelink /usr/bin/less
>     prelink: /usr/lib/libncursesw.so.5.4: .debug_loc adjusting unfinished
>     # prelink /usr/bin/pstree
>     prelink: /usr/lib/libncurses.so.5.4: .debug_loc adjusting unfinished
>
> I don't think it's a huge problem.

That seems to be a RHEL prelink bug: https://bugzilla.redhat.com/show_bug.cgi?id=240658

Nils Breunese.

--
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] missing hashes 3
>> Unfortunately so. It only happens on two binaries now but this is on all my fully patched/updated CentOS 4.x boxes
>>
>>     # prelink /usr/bin/less
>>     prelink: /usr/lib/libncursesw.so.5.4: .debug_loc adjusting unfinished
>>     # prelink /usr/bin/pstree
>>     prelink: /usr/lib/libncurses.so.5.4: .debug_loc adjusting unfinished
>>
>> I don't think it's a huge problem.
>
> That seems to be a RHEL prelink bug: https://bugzilla.redhat.com/show_bug.cgi?id=240658

That's the one! You would have thought they would have fixed it by now :-p I'm not complaining though as I don't pay them any money :-)

Dan
Re: [Rkhunter-users] missing hashes 3
>>> That seems to be a RHEL prelink bug: https://bugzilla.redhat.com/show_bug.cgi?id=240658
>>
>> That's the one! You would have thought they would have fixed it by now :-p I'm not complaining though as I don't pay them any money :-)
>
> No, but we (my employers) do :-) Having said that though, this problem does not exist at RHEL 4.7. Which is why I asked if you were still having the problem. I don't see why CentOS should fail, but RHEL works fine. Actually I don't see this problem on any RHEL 3 or 4 servers, nor on CentOS 5.2.

That is a bit strange! Reading up on some of the issues with this prelinking bug it certainly seems to be a little hit and miss.

> As an aside issue, could you run rkhunter with debugging enabled please:
>
>     rkhunter --debug --enable properties
>
> and email me the resultant file. It should start with /tmp/rkhunter-debug, but will have random numbers/letters appended to the name. I have been thinking more about the problem, and would like to see exactly where it fails. Thanks.

Sure, will send it to you off list :-)

Dan
Re: [Rkhunter-users] missing hashes 3
>>> With the release of 1.3.2 is it possible to whitelist these files or do I have to hack /usr/local/bin/rkhunter again to delete the entries to these three files?
>>
>> Sorry but whitelisting is still not possible with 1.3.2. It is on my todo list, but I have just had so much other (non-RKH) stuff to do that it has not progressed very far.
>
> No worries, thanks for keeping it on the radar :-)

Can I please find out if this has been implemented in v1.3.4? I did look but couldn't find anything.

I have v1.3.4 up and running and it works great, thank you for a great tool :-)

Take care

Dan
Re: [Rkhunter-users] missing hashes 3
On Thu, 2009-01-01 at 20:57 +, Dogsbody wrote:

>>>> With the release of 1.3.2 is it possible to whitelist these files or do I have to hack /usr/local/bin/rkhunter again to delete the entries to these three files?
>>>
>>> Sorry but whitelisting is still not possible with 1.3.2. It is on my todo list, but I have just had so much other (non-RKH) stuff to do that it has not progressed very far.
>>
>> No worries, thanks for keeping it on the radar :-)
>
> Can I please find out if this has been implemented in v1.3.4? I did look but couldn't find anything.

No it hasn't been implemented. I cannot do it until I have fixed another part of RKH, and I cannot do that bit because at the moment I'm having some problems with it. (It's not an easy problem and is taking much longer than I anticipated.)

Are you still getting persistent prelink errors? I have not had these for a very long time, and usually found that simply running 'prelink filename' resolves any prelink problem.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    E-mail: john.ho...@plymouth.ac.uk
Fax: +44 (0)1752 587001
Re: [Rkhunter-users] missing hashes 3
Hi John,

> No it hasn't been implemented. I cannot do it until I have fixed another part of RKH, and I cannot do that bit because at the moment I'm having some problems with it. (It's not an easy problem and is taking much longer than I anticipated.)

No worries at all, I just wanted to make sure I wasn't missing something myself :-)

> Are you still getting persistent prelink errors? I have not had these for a very long time, and usually found that simply running 'prelink filename' resolves any prelink problem.

Unfortunately so. It only happens on two binaries now but this is on all my fully patched/updated CentOS 4.x boxes

    # prelink /usr/bin/less
    prelink: /usr/lib/libncursesw.so.5.4: .debug_loc adjusting unfinished
    # prelink /usr/bin/pstree
    prelink: /usr/lib/libncurses.so.5.4: .debug_loc adjusting unfinished

I don't think it's a huge problem.

Dan
Re: [Rkhunter-users] missing hashes 3
On Thu, 2008-02-28 at 01:01 +, Dogsbody wrote:

> With the release of 1.3.2 is it possible to whitelist these files or do I have to hack /usr/local/bin/rkhunter again to delete the entries to these three files?

Sorry but whitelisting is still not possible with 1.3.2. It is on my todo list, but I have just had so much other (non-RKH) stuff to do that it has not progressed very far.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914    E-mail: [EMAIL PROTECTED]
Fax: +44 (0)1752 233839
Re: [Rkhunter-users] missing hashes 3
>> With the release of 1.3.2 is it possible to whitelist these files or do I have to hack /usr/local/bin/rkhunter again to delete the entries to these three files?
>
> Sorry but whitelisting is still not possible with 1.3.2. It is on my todo list, but I have just had so much other (non-RKH) stuff to do that it has not progressed very far.

No worries, thanks for keeping it on the radar :-)

Take care

Dan
Re: [Rkhunter-users] missing hashes 3
> It's a known problem caused by prelinking (https://bugzilla.redhat.com/show_bug.cgi?id=240658). The rkhunter.dat file will have entries for these commands, but as the message says no *hash* entry. If you run something like 'prelink /usr/bin/less' you will get an error. This is what RKH sees.

Ahh, OK, thank you. Is there any way to exclude these binaries that give errors? I had a look through the /etc/rkhunter.conf file but couldn't find anything, perhaps remove the lines from rkhunter.dat?

> The FAQ file also mentions about the 'missing hashes' error.

Was I looking in the wrong place then? I went to the Rootkit Hunter homepage [1] and clicked through to the FAQ [2] but couldn't even find the word missing.

Thanks again

Dan

[1] http://rkhunter.sourceforge.net/
[2] http://sourceforge.net/docman/display_doc.php?docid=35179group_id=155034
Re: [Rkhunter-users] missing hashes 3
On Sun, 2007-12-30 at 22:26 +, John Horne wrote:

> On Sun, 2007-12-30 at 13:38 +1100, Larry wrote:
>> John Horne wrote:
>>> On Tue, 2007-12-25 at 12:54 +, Dogsbody wrote:
>>>
>>> It's a known problem caused by prelinking
>>
>> OK .. but how can we fix/get around this in RKHunter?
>
> The only way I can think of is if you use the RPM package manager. Running 'rpm -Vf /usr/bin/less' it should give no error (it will show no output at all). If you set the PKGMGR option in rkhunter.conf, then run 'rkhunter --propupd' afterwards.

Doh! No that won't work, rpm verification uses prelinking itself.

I suspect the only possible way would be to disable the 'hashes' test completely. I can think of no other way of avoiding the problem. I'll look into some method that could be used for the next release.

John.
Re: [Rkhunter-users] missing hashes 3
>>>> It's a known problem caused by prelinking
>>>
>>> OK .. but how can we fix/get around this in RKHunter?
>>
>> The only way I can think of is if you use the RPM package manager. Running 'rpm -Vf /usr/bin/less' it should give no error (it will show no output at all). If you set the PKGMGR option in rkhunter.conf, then run 'rkhunter --propupd' afterwards.
>
> Doh! No that won't work, rpm verification uses prelinking itself. I suspect the only possible way would be to disable the 'hashes' test completely. I can think of no other way of avoiding the problem. I'll look into some method that could be used for the next release.

I have just been playing around with removing the relevant three lines from the rkhunter.dat file but that didn't work. The only way I have found so far is to remove the three files from PROP_FILE_LIST in /usr/local/bin/rkhunter.

Dan
Re: [Rkhunter-users] missing hashes 3
On Tue, 2007-12-25 at 12:54 +, Dogsbody wrote:

> Hi,
>
> After upgrading my operating system (CentOS 4.5 to 4.6) I am getting some errors I don't quite understand. After upgrading I did a --propupd.
>
>     # rkhunter --propupd
>     [ Rootkit Hunter version 1.3.0 ]
>     File updated: searched for 147 files, found 124, missing hashes 3
>
>     # rkhunter --cronjob --report-warnings-only
>     Warning: No hash value found for file '/usr/bin/less' in the rkhunter.dat file.
>     Warning: No hash value found for file '/usr/bin/lynx' in the rkhunter.dat file.
>     Warning: No hash value found for file '/usr/bin/pstree' in the rkhunter.dat file.
>
>     # grep /less /var/log/rkhunter.log
>     [12:26:32] /usr/bin/less [ Warning ]
>     [12:26:32] Warning: No hash value found for file '/usr/bin/less' in the rkhunter.dat file.

It's a known problem caused by prelinking (https://bugzilla.redhat.com/show_bug.cgi?id=240658). The rkhunter.dat file will have entries for these commands, but as the message says no *hash* entry. If you run something like 'prelink /usr/bin/less' you will get an error. This is what RKH sees.

The FAQ file also mentions about the 'missing hashes' error.

John.
Re: [Rkhunter-users] missing hashes 3
Hello, Larry,

You (rkhunter) wrote on 28.12.07:

>> /var/lib/rkhunter/db/rkhunter.dat
>>
>> There you should find an entry for less (among many other entries). It should be a new file (produced by rkhunter --propupd).
>
> /usr/local/rkhunter/lib/rkhunter/db/rkhunter.dat is where I found mine, all of the ones RKHunter is whinging about are listed without hashes and show the correct path!

Strange. Should be:

    File:/usr/bin/less:hash:some1:rights:owner:group:length:some2

Best regards!

Helmut
Re: [Rkhunter-users] missing hashes 3
Hi Helmut,

> /var/lib/rkhunter/db/rkhunter.dat
>
> There you should find an entry for less (among many other entries). It should be a new file (produced by rkhunter --propupd).

Yes, as Larry says, this file seems to get updated except for the hashes for these three files, it's all very strange.

    # grep /less /var/lib/rkhunter/db/rkhunter.dat
    File:/usr/bin/less::594466:0755:0:0:101788:1158143116:

> What tells
>
>     which -a less
>     locate bin/less | grep less$

    # which -a less
    /usr/bin/less
    # locate bin/less | grep less$
    /usr/bin/less

Dan
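Added example (not part of the thread and not rkhunter's own code): a shell triage of the "No hash value found" warnings, using the field layout shown in the rkhunter.dat entries quoted above (path in field 2, hash in field 3). The function names and every sample line except the /usr/bin/less entry and the warning wording are constructed for illustration, and paths are assumed to contain no ':'.

```sh
#!/bin/sh
# Added example; not rkhunter code. Field layout as quoted in this thread
# (rkhunter 1.3.0): File:<path>:<hash>:...  Assumes paths contain no ':'.

# Print the path of every File: entry whose hash field (field 3) is empty.
empty_hash_entries() {
    awk -F: '$1 == "File" && $3 == "" { print $2 }' "$1"
}

# For each file named in a "No hash value found" warning in log $2, report
# how it appears in .dat file $1:
#   EMPTY_HASH  entry present, hash field empty (the case in this thread)
#   HAS_HASH    entry present with a hash (log and .dat are out of step)
#   NO_ENTRY    no entry at all (a different problem from the prelink one)
triage_warnings() {
    dat=$1
    log=$2
    sed -n "s/.*No hash value found for file '\([^']*\)'.*/\1/p" "$log" |
    sort -u |
    while IFS= read -r path; do
        awk -F: -v p="$path" '
            $1 == "File" && $2 == p {
                state = ($3 == "") ? "EMPTY_HASH" : "HAS_HASH"
            }
            END {
                if (state == "") state = "NO_ENTRY"
                print state " " p
            }
        ' "$dat"
    done
}

# Constructed sample data: the /usr/bin/less entry and the warning wording
# are copied from the thread; every other line is made up.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rkhunter.dat" <<'EOF'
File:/usr/bin/less::594466:0755:0:0:101788:1158143116:
File:/usr/bin/pstree::594470:0755:0:0:20000:1158143116:
File:/bin/ls:0123456789abcdef0123456789abcdef01234567:100:0755:0:0:90000:1158143116:
EOF
cat > "$SAMPLE_DIR/rkhunter.log" <<'EOF'
[12:26:32] /usr/bin/less [ Warning ]
[12:26:32] Warning: No hash value found for file '/usr/bin/less' in the rkhunter.dat file.
[12:26:33] Warning: No hash value found for file '/bin/ls' in the rkhunter.dat file.
[12:26:34] Warning: No hash value found for file '/usr/local/bin/example' in the rkhunter.dat file.
EOF

triage_warnings "$SAMPLE_DIR/rkhunter.dat" "$SAMPLE_DIR/rkhunter.log"
```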
Re: [Rkhunter-users] missing hashes 3
Hello, Dogsbody,

You (dan) wrote on 28.12.07:

>> There you should find an entry for less (among many other entries). It should be a new file (produced by rkhunter --propupd).
>
> Yes, as Larry says, this file seems to get updated except for the hashes for these three files, it's all very strange.

Just to make you nervous: can you put clean files into your computer (via a live CD)? Perhaps for the md5sum job too.

>     # which -a less
>     /usr/bin/less
>     # locate bin/less | grep less$
>     /usr/bin/less

Ok - no second file.

Best regards!

Helmut
Re: [Rkhunter-users] missing hashes 3
On Tue, 25 Dec 2007 13:54:32 +0100 Dogsbody [EMAIL PROTECTED] wrote:

>     # grep /less /var/lib/rkhunter/db/rkhunter.dat
>     File:/usr/bin/less::594466:0755:0:0:101788:1158143116:

Dan, could you please *gzip*, attach and send the log (/tmp/rkhunter-debug) from running 'rkhunter --debug --propupd' to me and John?

TIA, unSpawn
Re: [Rkhunter-users] missing hashes 3
[EMAIL PROTECTED] wrote:

> Hmm. Well, maybe you're not doing anything wrong. What does 'file /usr/bin/less' say?

I am having this problem too .. tried all the 'options'. Resolving it would be nice so I do not get the compromised message each morning.

    [EMAIL PROTECTED] [~]# file /usr/bin/less
    /usr/bin/less: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
    [EMAIL PROTECTED] [~]# file /usr/bin/lynx
    /usr/bin/lynx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
    [EMAIL PROTECTED] [~]# file /usr/bin/pstree
    /usr/bin/pstree: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

Thanks,

Larry
Re: [Rkhunter-users] missing hashes 3
>>     # rkhunter --propupd
>>     [ Rootkit Hunter version 1.3.0 ]
>>     File updated: searched for 147 files, found 124, missing hashes 3
>>
>>     # grep /less /var/lib/rkhunter/db/rkhunter.dat
>>     File:/usr/bin/less::594466:0755:0:0:101788:1158143116:
>>
>> Can you please tell me what I'm doing wrong.
>
> Hmm. Well, maybe you're not doing anything wrong. What does 'file /usr/bin/less' say?

Well I'm glad it's not just me :-)

    # file /usr/bin/less
    /usr/bin/less: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

Please let me know if there is anything else I can do to help.

Dan