Using rkhunter 1.3.3. cvs of 6th October 2008 I have to report that once only I get a warning for this file in today's 16.50 h cronjob. Not before and not after:

[16:52:35]   //usr/sbin/vipw                                 [ Warning ]
[16:52:35] Warning: The file properties have changed:
[16:52:35]          File: //usr/sbin/vipw
[16:52:35]          Current hash: 37f1adce84d73bb92921c3bbdc074e919ce01d3d
[16:52:35]          Stored hash : 575d90229ec34de850e99c08c6eb4bec
[16:52:35]          Current inode: 345517    Stored inode: 14172689

Wrong in the above are both the 'current hash' and the 'stored inode' values:

md5sum /usr/sbin/vipw
575d90229ec34de850e99c08c6eb4bec  /usr/sbin/vipw

stat /usr/sbin/vipw
  File: `/usr/sbin/vipw'
  Size: 47676  Blocks: 96  IO Block: 4096  regular file
Device: 816h/2070d  Inode: 345517  Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 0/ root)  Gid: ( 0/ root)
Access: 2008-10-31 17:51:01.000000000 +0000
Modify: 2008-08-27 18:30:35.000000000 +0000
Change: 2008-08-28 04:35:38.000000000 +0000

rpm -Vv shadow-utils |grep sbin/vipw
........    /usr/sbin/vipw

rpm -qi shadow-utils |grep Inst
Install Date: Thu 28 Aug 2008 04:35:38 UTC      Build Host: n1.mandriva.com

So neither the inode nor the checksum has changed since late August.

# ls -al /var/lib/rkhunter/db/r*
-rw-r----- 1 root root 12747 2008-10-29 21:49 /var/lib/rkhunter/db/rkhunter.dat
-rw-r----- 1 root root 12746 2008-10-26 10:19 /var/lib/rkhunter/db/rkhunter.dat.old

# grep vipw /var/lib/rkhunter/db/r*
/var/lib/rkhunter/db/rkhunter.dat:File:/usr/sbin/vipw:575d90229ec34de850e99c08c6eb4bec:14172689:0755:0:0:47676:1219861835:shadow-utils:
/var/lib/rkhunter/db/rkhunter.dat.old:File:/usr/sbin/vipw:575d90229ec34de850e99c08c6eb4bec:14172689:0755:0:0:47676:1219861835:shadow-utils:

The last time I ran 'rkhunter --propupd' was done yesterday before the 23.50 cronjob. There was no error then, but today at 16.50 there is the above error. Now a manual run of rkh at 17.50 again shows no error.

I don't know how to look further into this freak occurrence (which it is, I suppose), but I thought you might want to know of it anyway.

HTH

Kind regards,
=Dick Gevers=

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
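
The manual cross-check in the message above (stored rkhunter.dat record against the values in the warning and against the live file) can be scripted. This is an added example, not part of the original post and not rkhunter code; the field order of the record is an assumption inferred from the values quoted in the message, and the function names are hypothetical.

```python
import hashlib
import os

# Field order inferred from the rkhunter.dat line quoted in the message
# (an assumption, not taken from rkhunter's documentation).
FIELDS = ("path", "hash", "inode", "mode", "uid", "gid", "size", "mtime", "package")
ALGO_BY_LEN = {32: "md5", 40: "sha1"}  # hex digest length -> algorithm

# Values copied from the message above.
DAT_LINE = ("File:/usr/sbin/vipw:575d90229ec34de850e99c08c6eb4bec:14172689:"
            "0755:0:0:47676:1219861835:shadow-utils:")
REPORTED = {"hash": "37f1adce84d73bb92921c3bbdc074e919ce01d3d", "inode": "345517"}

def parse_record(line):
    """Split one 'File:' record; rsplit keeps colons inside the path intact."""
    if not line.startswith("File:"):
        raise ValueError("not a File record")
    parts = line[len("File:"):].rstrip("\n").rsplit(":", len(FIELDS))
    if len(parts) != len(FIELDS) + 1:
        raise ValueError("unexpected field count")
    return dict(zip(FIELDS, parts))

def compare(stored, current):
    """List the differences for whichever fields `current` carries."""
    findings = []
    if "hash" in current:
        s_algo = ALGO_BY_LEN.get(len(stored["hash"]), "unknown")
        c_algo = ALGO_BY_LEN.get(len(current["hash"]), "unknown")
        if s_algo != c_algo:  # digests of different algorithms never match
            findings.append(f"hash: stored looks like {s_algo}, current like {c_algo}; not comparable")
        elif stored["hash"].lower() != current["hash"].lower():
            findings.append("hash: digest differs")
    for key in FIELDS[2:8]:  # inode .. mtime
        if key in current and str(current[key]) != stored[key]:
            findings.append(f"{key}: stored {stored[key]}, current {current[key]}")
    return findings

def observe(path, algo):
    """Read the same properties from the live file, as md5sum/stat did by hand."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.new(algo, fh.read()).hexdigest()
    return {"hash": digest, "inode": str(st.st_ino), "uid": str(st.st_uid),
            "gid": str(st.st_gid), "size": str(st.st_size),
            "mode": format(st.st_mode & 0o7777, "04o"), "mtime": str(int(st.st_mtime))}

if __name__ == "__main__":
    for finding in compare(parse_record(DAT_LINE), REPORTED):
        print(finding)
```

On the values from the message it reports that the stored hash has the length of an MD5 digest while the hash in the warning has the length of a SHA-1 digest, and that the stored inode differs from the one in the warning.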