On Mon, 2011-06-27 at 12:40 -0400, Tanstaafl wrote:
> Thanks for the help John...
>
> On 2011-06-27 10:57 AM, John Horne wrote:
> > What version of rkhunter are you using?
>
> 1.3.8
>
> > Also can you show us the full log entry for one of the files with a
> > warning - that is, showing which file properties have changed?
>
> [09:57:04] /usr/bin/logger [ Warning ]
> [09:57:04] Warning: The file properties have changed:
> [09:57:04] File: /usr/bin/logger
> [09:57:04] Current hash: 686d03f4819c1efaba06f8792f181f0af2c13461
> [09:57:04] Stored hash : b4ededa9259434e747b8579ff3aee59b075379cc
> [09:57:04] Current inode: 301945 Stored inode: 302444
> [09:57:04] Current file modification time: 1309013602 (25-Jun-2011 10:53:22)
> [09:57:04] Stored file modification time : 1304798960 (07-May-2011 16:09:20)
> [09:57:04] /usr/bin/lsattr [ OK ]
>
> And again, even though it says 'Stored file mod time is 07 May, I have
> run --propupd 3 times now...
>
The stored time is the modification time on the file when '--propupd' was
last used, not the time when '--propupd' was run.

> > Are you using a package manager?
>
> Yes - Gentoo's... I am using the standard ebuild in portage...
>
Sorry, no I mean are you using an rkhunter package manager in your config
file?

I can't think of any immediate reason for the warnings to continuously
appear. However I have a slight nagging that I did read of this some
time ago for another user. You could run 'rkhunter --propupd --debug' and
email me the debug file dumped in /tmp if you want.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
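
An added example, not part of the original thread and not rkhunter's own code: a small Python parser for the property-change warning quoted in the message above, listing which properties differ between the current file and the values stored at the last '--propupd' and rendering the logged epoch times in UTC. The function names are hypothetical, and the sample log is the excerpt from the message with its wrapped lines rejoined.

```python
import re
from datetime import datetime, timezone

# Added example; function names are illustrative and not part of rkhunter.
# Log excerpt quoted in the message above, with the wrapped lines rejoined.
SAMPLE_LOG = """\
[09:57:04] /usr/bin/logger [ Warning ]
[09:57:04] Warning: The file properties have changed:
[09:57:04] File: /usr/bin/logger
[09:57:04] Current hash: 686d03f4819c1efaba06f8792f181f0af2c13461
[09:57:04] Stored hash : b4ededa9259434e747b8579ff3aee59b075379cc
[09:57:04] Current inode: 301945 Stored inode: 302444
[09:57:04] Current file modification time: 1309013602 (25-Jun-2011 10:53:22)
[09:57:04] Stored file modification time : 1304798960 (07-May-2011 16:09:20)
[09:57:04] /usr/bin/lsattr [ OK ]
"""

STAMP = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*")
FIELD = re.compile(r"(Current|Stored) (hash|inode|file modification time)\s*:\s*(\S+)")

def parse_property_warnings(log_text):
    """Map each warned file to {property: {"Current": value, "Stored": value}}."""
    warnings, entry = {}, None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw).strip()
        if line.startswith("/"):  # the next per-file result line ends the block
            entry = None
        elif line.startswith("File:"):
            entry = warnings.setdefault(line.split(":", 1)[1].strip(), {})
        elif entry is not None:
            for side, prop, value in FIELD.findall(line):
                entry.setdefault(prop, {})[side] = value
    return warnings

def changed_properties(entry):
    """Properties whose current value differs from the one stored by --propupd."""
    return sorted(p for p, v in entry.items() if v.get("Current") != v.get("Stored"))

def epoch_to_utc(value):
    """Render a logged epoch mtime as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()

if __name__ == "__main__":
    for path, entry in parse_property_warnings(SAMPLE_LOG).items():
        print(path, changed_properties(entry))
        for side, value in entry.get("file modification time", {}).items():
            print(f"  {side} mtime: {epoch_to_utc(value)}")
```

Run against the log written after a '--propupd', an empty list from `changed_properties` means the stored values now match the file on disk.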