Hi John, > On Sat, 2008-02-23 at 13:25 +1000, Michael Mansour wrote: > > Hi, > > > > I have the following two warnings from rkhunter 1.3.0 on two Scientific > > Linux > > 4.5 x86_64 servers (Red Hat Enterprise Linux 4 Update 5 derivatives): > > > > [14:14:10] /usr/bin/chattr [ Warning ] > > [14:14:10] Warning: Package manager verification has failed: > > [14:14:10] File: /usr/bin/chattr > > [14:14:10] The file hash value has changed > > [14:14:10] The file size has changed > > [14:14:10] The file modification time has changed > > > > [14:14:20] /usr/bin/lsattr [ Warning ] > > [14:14:20] Warning: Package manager verification has failed: > > [14:14:20] File: /usr/bin/lsattr > > [14:14:20] The file hash value has changed > > [14:14:20] The file size has changed > > [14:14:20] The file modification time has changed > > > > and: > > > > # rpm -qf /usr/bin/lsattr > > e2fsprogs-1.35-12.11.el4_6.1.i386 > > e2fsprogs-1.35-12.11.el4.1.x86_64 > > > > [EMAIL PROTECTED] ~]# rpm -qf /usr/bin/chattr > > e2fsprogs-1.35-12.11.el4_6.1.i386 > > e2fsprogs-1.35-12.11.el4.1.x86_64 > > > > (Note: I linked /usr/local/lib to /usr/local/lib64 to test whether rkhunter > > 1.3.0 works properly on this platform) > > > > I've also setup PKGMGR=RPM. > > > > When rkhunter reports "The file size has changed" etc, changed from what? > > the > > original distribution? the last time I ran the --propupd ? > > > Because you are using the package manager it means that RPM verification > fails for those files. If you run 'rpm -Vf /usr/bin/chattr' it will show > that something has changed (same for lsattr). The file attributes do > not correspond to those of what should be the currently installed > files - > i.e. the files have changed.
Ok thanks for this. No idea why these two files would have changed, as checking various other 32bit servers there's no problems. I have about another 6 64bit linux boxes still running rkhunter 1.2.9 (but they are SL5.1, not SL4.5 as above) but I'll see if I find a similar problem there when I have the time to update those. For now I've just whitelisted those two files on both those two servers. Thanks again. Michael. > John. > > -- > --------------------------------------------------------------- > John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 > E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 233839 > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2008. > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > _______________________________________________ > Rkhunter-users mailing list > Rkhunter-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/rkhunter-users ------- End of Original Message ------- ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
