Hi, I've been running rkhunter 1.2.8 daily on an FC4 machine for several months. A couple of days ago I started seeing the following in the rkhunter.log:

...
[04:09:54] /bin/dmesg Hash NOT valid (My MD5: d1720cee15e8beebe20dff0ec9b48c6d, expected: 1dd06fe152f4ab4807e148bb500ec131)
[04:09:54] Using whitelists to compare MD5 hash (searching for d1720cee15e8beebe20dff0ec9b48c6d)
[04:09:54] No whitelisted MD5 hash found for /bin/dmesg
[04:09:54] MD5 hash for my file (/bin/dmesg) is d1720cee15e8beebe20dff0ec9b48c6d, but is not in database
[04:09:54] End of whitelist compare
[04:09:54] Checking /bin/dmesg against hashes in database (1dd06fe152f4ab4807e148bb500ec131) failed
[04:09:55] RPM info: your package 'util-linux-2.12p-9.7'
[04:09:55] RPM info: packages in database:
[04:09:55] ---
[04:09:55] 180:/bin/dmesg:d1720cee15e8beebe20dff0ec9b48c6d:-:-:util-linux-2.12p-9.7
[04:09:55] ---
[04:09:55] /bin/env hash valid, found in database
[04:09:55] /bin/grep hash valid, found in database
[04:09:55] /bin/kill Hash NOT valid (My MD5: 51d21d16200ac56857f7981708dc39ea, expected: 0298eccfee61053ff43ebcb6cb87839c)
[04:09:55] Using whitelists to compare MD5 hash (searching for 51d21d16200ac56857f7981708dc39ea)
[04:09:55] No whitelisted MD5 hash found for /bin/kill
[04:09:55] MD5 hash for my file (/bin/kill) is 51d21d16200ac56857f7981708dc39ea, but is not in database
[04:09:55] End of whitelist compare
[04:09:55] Checking /bin/kill against hashes in database (0298eccfee61053ff43ebcb6cb87839c) failed
[04:09:55] RPM info: your package 'util-linux-2.12p-9.7'
[04:09:55] RPM info: packages in database:
[04:09:55] ---
[04:09:55] 180:/bin/kill:51d21d16200ac56857f7981708dc39ea:-:-:util-linux-2.12p-9.7
...
About 50% of the binaries checked were reported as [BAD]. The machine has not been updated at all in the last few weeks - can I therefore assume that it has been compromised? Or is there a possibility that this is a false positive?

Many thanks for your help and advice.

Al Fleming

Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
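The log excerpt above contains three hashes per file: the MD5 of the file on disk ("My MD5"), the value rkhunter "expected" from its hash database, and the value rkhunter recorded from the installed RPM ("RPM info: packages in database"). A triage pass that lines these up per file is the first thing to do before deciding between "compromised" and "stale hash database". The script below is an added example, not code from the post or from the rkhunter project; it parses log lines in the format shown above (the sample text is constructed from the post's two entries plus one invented entry for /bin/ls whose hashes are placeholders) and classifies each "Hash NOT valid" finding by whether the on-disk hash agrees with rkhunter's own RPM-derived entry for the installed package version.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log in the rkhunter 1.2.8 format quoted in the post.
# The /bin/ls entry is invented (all-0 / all-f placeholders) to show the
# "unexplained" path; the dmesg and kill entries mirror the post.
SAMPLE_LOG = """\
[04:09:54] /bin/dmesg Hash NOT valid (My MD5: d1720cee15e8beebe20dff0ec9b48c6d, expected: 1dd06fe152f4ab4807e148bb500ec131)
[04:09:55] RPM info: your package 'util-linux-2.12p-9.7'
[04:09:55] RPM info: packages in database:
[04:09:55] ---
[04:09:55] 180:/bin/dmesg:d1720cee15e8beebe20dff0ec9b48c6d:-:-:util-linux-2.12p-9.7
[04:09:55] ---
[04:09:55] /bin/env hash valid, found in database
[04:09:55] /bin/kill Hash NOT valid (My MD5: 51d21d16200ac56857f7981708dc39ea, expected: 0298eccfee61053ff43ebcb6cb87839c)
[04:09:55] RPM info: your package 'util-linux-2.12p-9.7'
[04:09:55] RPM info: packages in database:
[04:09:55] ---
[04:09:55] 180:/bin/kill:51d21d16200ac56857f7981708dc39ea:-:-:util-linux-2.12p-9.7
[04:09:55] ---
[04:09:56] /bin/ls Hash NOT valid (My MD5: 00000000000000000000000000000000, expected: ffffffffffffffffffffffffffffffff)
[04:09:56] RPM info: your package 'coreutils-0.0-constructed'
[04:09:56] RPM info: packages in database:
[04:09:56] ---
[04:09:56] 180:/bin/ls:ffffffffffffffffffffffffffffffff:-:-:coreutils-0.0-constructed
[04:09:56] ---
"""

TS = r"^\[[\d:]+\] "  # leading "[HH:MM:SS] " timestamp
NOT_VALID_RE = re.compile(
    TS + r"(?P<path>\S+) Hash NOT valid "
    r"\(My MD5: (?P<mine>[0-9a-f]{32}), expected: (?P<expected>[0-9a-f]{32})\)$"
)
VALID_RE = re.compile(TS + r"\S+ hash valid, found in database$")
YOUR_PKG_RE = re.compile(TS + r"RPM info: your package '(?P<pkg>[^']+)'$")
# Database line layout as seen in the log: <id>:<path>:<md5>:<x>:<y>:<package>
DB_ENTRY_RE = re.compile(
    TS + r"\d+:(?P<path>[^:]+):(?P<md5>[0-9a-f]{32}):[^:]*:[^:]*:(?P<pkg>\S+)$"
)

VERDICT_CONSISTENT = "local hash matches rkhunter's RPM entry for the installed package"
VERDICT_OTHER_VERSION = "local hash matches an RPM entry for a different package version"
VERDICT_UNEXPLAINED = "no database entry matches the local hash"


@dataclass
class Finding:
    path: str
    local_md5: str
    expected_md5: str
    installed_pkg: Optional[str] = None
    db_entries: List[Tuple[str, str]] = field(default_factory=list)  # (md5, package)

    def verdict(self) -> str:
        """Rank the finding by what the RPM-derived entries say about the local hash."""
        for md5, pkg in self.db_entries:
            if md5 == self.local_md5 and pkg == self.installed_pkg:
                return VERDICT_CONSISTENT
        if any(md5 == self.local_md5 for md5, _ in self.db_entries):
            return VERDICT_OTHER_VERSION
        return VERDICT_UNEXPLAINED


def parse_log(text: str) -> List[Finding]:
    """Group each 'Hash NOT valid' line with the RPM info lines that follow it."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for line in text.splitlines():
        m = NOT_VALID_RE.match(line)
        if m:
            current = Finding(m["path"], m["mine"], m["expected"])
            findings.append(current)
            continue
        if VALID_RE.match(line):
            current = None  # a clean file ends the previous finding's context
            continue
        if current is None:
            continue
        m = YOUR_PKG_RE.match(line)
        if m:
            current.installed_pkg = m["pkg"]
            continue
        m = DB_ENTRY_RE.match(line)
        if m and m["path"] == current.path:
            current.db_entries.append((m["md5"], m["pkg"]))
    return findings


def triage(text: str) -> Dict[str, str]:
    """Map each flagged path to a verdict string."""
    return {f.path: f.verdict() for f in parse_log(text)}


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG).items():
        print(f"{path}: {verdict}")
```

A "consistent" verdict means rkhunter's own RPM-derived record agrees with the file on disk and only the separate hash database disagrees, which is the pattern to confirm against the package manager rather than treat as proof of compromise; an "unexplained" verdict deserves the opposite assumption. Either way, the confirmation step should not trust the local RPM database alone, since a modified host can carry a modified database: verify with `rpm -V util-linux` first, then re-verify against a freshly downloaded copy of the same package from a trusted mirror with `rpm -Vp <package.rpm>`, and compare the binary's hash with one computed from that package's payload on a known-clean machine.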
