On Thu, 2008-12-04 at 18:14 -0600, Mike McCarty wrote:
> Mark Misulich wrote:
> > When I run rkhunter -c --sk --rwo --pkgmgr RPM here is the readout:
> >
> > Warning: The file properties have changed:
> > File: /bin/awk
> > Current inode: 529951356 Stored inode: 859939
>
> These files have been replaced. Have you done an upgrade
> recently, which might have replaced these files? If you
> actually use RPM, then your number of warnings should
> decrease, unless you've done an upgrade. Or you've been
> compromised somehow.
>

Yes, odd that only the inode number has been mentioned. If the file is part of a package (and awk is part of gawk on my Fedora system), then the inode check is ignored if the file passes the package manager check (and if it didn't pass then there should have been more warning messages).

With something like an upgrade or even replacing the file (as a trojan), then I would expect more warnings - typically a change of file size and hash value at least - and that would be regardless of whether the package manager was used or not. To have *only* the inode mentioned seems very odd.

I suspect we would need to see the whole of the log file in order to see more clearly what is going on. That would then tell us what the actual command line is, whether the package manager is actually available, and whether prelinking is being used or not.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
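
The distinction drawn in the reply above, as an added example (not part of the thread and not rkhunter's own code): a hand-rolled baseline of inode, size and SHA-256 shows that a file rewritten with identical bytes differs only in its inode, while replaced content also changes size and hash. The function names and the temp-file samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: record the properties a file-integrity baseline typically
# stores (inode, size, SHA-256) and report which of them differ later.

# Print "inode size sha256" for one file.
snapshot() {
    inode=$(ls -i "$1" | awk '{print $1}')
    size=$(wc -c < "$1" | tr -d ' ')
    hash=$(sha256sum "$1" | awk '{print $1}')
    echo "$inode $size $hash"
}

# Compare two snapshots; print the changed property names, or "none".
diff_props() {
    set -- $1 $2    # word-split into: inode size hash inode size hash
    changed=""
    [ "$1" = "$4" ] || changed="$changed inode"
    [ "$2" = "$5" ] || changed="$changed size"
    [ "$3" = "$6" ] || changed="$changed hash"
    changed=${changed# }
    echo "${changed:-none}"
}

# Constructed case 1: identical bytes renamed into place (e.g. a restore).
demo_same_content() {
    d=$(mktemp -d)
    printf 'constructed sample binary\n' > "$d/tool"
    before=$(snapshot "$d/tool")
    cp "$d/tool" "$d/tool.new"      # new inode, same contents
    mv "$d/tool.new" "$d/tool"
    after=$(snapshot "$d/tool")
    rm -rf "$d"
    diff_props "$before" "$after"
}

# Constructed case 2: different bytes renamed into place (upgrade or tampering).
demo_replaced() {
    d=$(mktemp -d)
    printf 'constructed sample binary\n' > "$d/tool"
    before=$(snapshot "$d/tool")
    printf 'constructed sample binary, altered build\n' > "$d/tool.new"
    mv "$d/tool.new" "$d/tool"
    after=$(snapshot "$d/tool")
    rm -rf "$d"
    diff_props "$before" "$after"
}

echo "same bytes rewritten: $(demo_same_content)"
echo "contents replaced:    $(demo_replaced)"
```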