Hello unspawn, Thank you for sharing your thoughts on why RKH might report files were moved to new inodes.
Your advice inspired me to compare the checksums of my moved files to those in a repository. I'm happy to report they all matched. This seems to me to contradict my theory that a root kit moved the files. I should also mention that none of the moved files belonged to any package that was upgraded (or re-installed) which contradicts my upgrade theory. Maybe the virtual private server's hypervisor moved the files to achieve some administrative function comparable to garbage collection in memory. Thanks, Kingsley On 09/11/11 12:57, unsp...@hushmail.com wrote: > On Sun, 11 Sep 2011 04:00:35 +0200 "Kingsley G. Morse Jr." > <kings...@loaner.com> wrote: > >rkhunter said fifteen files were moved to new inodes on August 22, > 2011. > > >What do you think? > > I think you have not read FAQ item "Rootkit Hunter tells me there > is something wrong with my system. What do I do?" (and basically > all of chapter 3) before doing anything... > > > In case of warnings you should *not* make changes to the file > system and investigate first. Reinstalling packages will overwrite > any "evidence" (if any). Reinstalling packages and then running "-- > check" will not cause hash warnings if hash values match. Running "- > -propupd" will erase previous attribute values and update them all > to the current state. Also, if you run RKH without "--append-log" > (or "copy on error" rkhunter.conf setting), there will be no > previous log to look at. With the limited information available I > can only see the old inode numbers were closely grouped together as > are most of the new ones and none of the files listed showed any > change in attributes other than inode. This should be consistent > with having reinstalled the package(s) these files belong to and > not a rootkit warning (no foreign files or processes listed, no > string values, etc, etc). If you suspect there is more at play than > your own SNAFU then you should run checks booting a Live CD. As > there's no evidence of foul play I suggest you 0) look at where > your distro logs update information and 1) compare package > signature or hash and then package contents with those from a known > good repo. > > > Best regards, > unSpawn > --- > ------------------------------------------------------------------------------ Doing More with Less: The Next Generation Virtual Desktop What are the key obstacles that have prevented many mid-market businesses from deploying virtual desktops? How do next-generation virtual desktops provide companies an easier-to-deploy, easier-to-manage and more affordable virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/ _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
