Hi John,

I've run the rkhunter check below and get the same as a normal rkhunter output, i.e.

    Warning: The file properties have changed:
             File: /usr/bin/last
             Current inode: 926761    Stored inode: 927515
             Current file modification time: 1232722902
             Stored file modification time : 1208581546
    Warning: The file properties have changed:
             File: /usr/bin/sudo
             Current hash: d82c24a5852a96725b9e99abe8b8ee2ae50a5e22
             Stored hash : a8b8876a79185207726c1de99eefbc144516c18c
             Current inode: 926949    Stored inode: 927878
             Current size: 107936    Stored size: 107872
             Current file modification time: 1234840628
             Stored file modification time : 1221069938
    Warning: The file properties have changed:
             File: /sbin/sulogin
             Current inode: 81458    Stored inode: 81365
             Current file modification time: 1232722902
             Stored file modification time : 1208581546

Having read the man page, I think it means that these programs weren't changed during a normal Ubuntu update. Hence I think I have a problem.

Is there anything else I can check before we know that I'm affected?

unspawn is assuming my technical knowledge of Linux, Perl etc. is way above what I have. I can do simple Linux scripts, but "epoch2date() { EPOCH="$1"; date --date "$[$(/bin/date '+%s')- ${EPOCH}] seconds ago" '+%Y-%m-%d %H:%M:%S'; }" means very little to me.

Also, if I am affected, how do I clear the infection other than doing a complete system rebuild?

Cheers
Bob.

> Hi folks,
> I've got warnings from rkhunter, see log below.
> I know about Warning: Hidden directory found: /dev/.udev, I just haven't
> whitelisted it yet. chkrootkit isn't reporting anything unusual.
> How do I find out if I have a problem, and apart from rebuilding my OS
> from scratch, what can I do?
>

If the warnings relate to file properties, then as unSpawn has said you need to check the programs against a trusted source. However, as a first check, and since you are running Ubuntu, you could perhaps try something like:

    rkhunter --enable properties --rwo --pkgmgr dpkg

I'll leave it to you to check with the man page to work out what this is actually doing :-)

John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    E-mail: john.ho...@plymouth.ac.uk
Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
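The modification times in the rkhunter warnings above are Unix epoch seconds. The following script is an added example, not part of the original messages and not rkhunter code: it turns each warning into one line with readable UTC dates and notes whether a hash difference was reported. The names `field`, `summarize` and `sample` are made up for illustration, `epoch2date` reuses the name quoted in the thread with a simpler body, and the one-field-per-line layout of the sample is an assumption.

```shell
#!/bin/sh
# Added example: summarise rkhunter "file properties have changed" warnings.

# epoch2date SECONDS: Unix epoch -> readable UTC time (needs GNU date, as on Ubuntu).
epoch2date() { date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'; }

# field LABEL: print the number that follows "LABEL:" in the record on stdin.
field() { sed -n "s/.*$1 *: *\([0-9]*\).*/\1/p"; }

# summarize: read warnings on stdin, print "FILE STATUS STORED -> CURRENT" per file.
summarize() {
    # Join the input into one line, then start a new record at each "Warning:".
    { tr '\n' ' '; echo; } | sed 's/Warning: /\
/g' | while IFS= read -r rec; do
        file=$(printf '%s\n' "$rec" | sed -n 's/.*File: *\([^ ]*\).*/\1/p')
        [ -n "$file" ] || continue
        cur=$(printf '%s\n' "$rec" | field 'Current file modification time')
        old=$(printf '%s\n' "$rec" | field 'Stored file modification time')
        [ -n "$cur" ] && [ -n "$old" ] || continue
        case $rec in
            *'Current hash:'*) status=hash-differs ;;    # contents differ from stored
            *)                 status=no-hash-warning ;; # only inode/mtime listed
        esac
        echo "$file $status $(epoch2date "$old") -> $(epoch2date "$cur")"
    done
}

# The warnings quoted in the message above (hash values omitted; layout assumed).
sample() { cat <<'EOF'
Warning: The file properties have changed:
  File: /usr/bin/last
  Current file modification time: 1232722902
  Stored file modification time : 1208581546
Warning: The file properties have changed:
  File: /usr/bin/sudo
  Current hash: (omitted)
  Stored hash : (omitted)
  Current file modification time: 1234840628
  Stored file modification time : 1221069938
Warning: The file properties have changed:
  File: /sbin/sulogin
  Current file modification time: 1232722902
  Stored file modification time : 1208581546
EOF
}

sample | summarize
```

On Ubuntu the resulting dates can be compared with the package install and upgrade entries in /var/log/dpkg.log.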