I would assume you are using dnf or something to update the system?

If you also run logwatch (which if you are running rkhunter I assume you
would ;-) then it shows packages updated recently.

Otherwise you can try, for example (Fedora/Red Hat):

        rpm -q --whatprovides /usr/bin/ssh
then
        rpm -qi openssh-clients
then
        grep openssh-clients /var/log/dnf.rpm.log
if you are really interested.

Ubuntu? /var/log/apt ?

Cheers

John

On Sat, 2021-08-21 at 20:55 +0000, matthewhtb--- via Rkhunter-users wrote:
> I ran Rkhunter 1.4.6 and received many “Warning” messages. I realize that
> Rkhunter has a hash for various executables and provides the “Warning” if
> the hashes of the current files are different. There were 24 occasions
> where the file hash had changed which strikes me as a lot. Three examples
> are below.
> 
> Is there a way to check if these are false positives (as they result from
> Ubuntu updating the executables) or something more concerning?
> 
> I have never run rkhunter --propupd.
> 
> -----
> 
> Warning: The file properties have changed:
> File: /usr/bin/ssh
> Current hash: e875b1185577ff872fbaabde481cc196af03745c530403c8303f00fe35859bf7
> Stored hash : 240970e65242586bf8160f3cebc4a7e8c7074a5fc203219af153fa858490f81c
> Current inode: 1051539 Stored inode: 1049714
> Current file modification time: 1627044912 (23-Jul-2021 13:55:12)
> Stored file modification time : 1590737829 (29-May-2020 08:37:09)
> 
> Warning: The file properties have changed:
> File: /usr/bin/ps
> Current hash: 701d30ed7055d688aad76e94f43f6da71bf6ca58caa961cee5f38d0c45c0aa52
> Stored hash : 6e1be2ff79adf6a05ad09b6df87618a5f9857378a2978beb1dec12e20fd34844
> Current inode: 1050911 Stored inode: 1049547
> Current file modification time: 1622222850 (28-May-2021 18:27:30)
> Stored file modification time : 1582782727 (27-Feb-2020 05:52:07)
> 
> Warning: The file properties have changed:
> File: /usr/sbin/groupadd
> Current hash: c4a51fd9348b4981d8cd5a4d9115e25dd1b7647129d01f31b962936d96c33b8d
> Stored hash : 05b11bc4a81adda19d9e899ee05faa79553fd9bfd088911ec6ec9b31f358beb2
> Current inode: 1050480 Stored inode: 1057423
> Current file modification time: 1626300498 (14-Jul-2021 23:08:18)
> Stored file modification time : 1590647867 (28-May-2020 07:37:47)
> 
> 
> 
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
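
The package-log check suggested in the reply, applied to warnings in the format quoted above for a Debian/Ubuntu host. This is an added example, not code from either poster or from rkhunter. Assumptions: the dpkg.log lines, version strings and file-to-package map are constructed; on a real host the map comes from `dpkg -S <file>` and the log from /var/log/dpkg.log, whose timestamps are treated as UTC here.

```python
import re
from datetime import datetime, timezone
# Constructed sample data: warnings in the format quoted in the thread (hash, inode
# and stored-time lines omitted), made-up dpkg.log lines, made-up owner map.
RKHUNTER_OUT = """\
Warning: The file properties have changed:
File: /usr/bin/ssh
Current file modification time: 1627044912 (23-Jul-2021 13:55:12)

Warning: The file properties have changed:
File: /usr/bin/ps
Current file modification time: 1622222850 (28-May-2021 18:27:30)
"""
DPKG_LOG = """\
2021-08-02 06:14:09 upgrade openssh-client:amd64 1:0.0-old 1:0.0-new
2021-08-02 06:14:11 status installed openssh-client:amd64 1:0.0-new
2021-05-01 06:20:00 upgrade procps:amd64 2:0.0-old 2:0.0-new
"""
OWNERS = {"/usr/bin/ssh": "openssh-client", "/usr/bin/ps": "procps"}

def parse_warnings(text):
    """Return {path: current mtime (epoch)} for each rkhunter warning block."""
    found, path = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*File:\s*(\S+)", line):
            path = m.group(1)
        elif (m := re.match(r"\s*Current file modification time:\s*(\d+)", line)) and path:
            found[path] = int(m.group(1))
    return found

def upgrades(log_text):
    """Yield (epoch, package) for install/upgrade lines; status lines are skipped."""
    pat = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:install|upgrade) ([^:\s]+)")
    for line in log_text.splitlines():
        if m := pat.match(line):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield int(ts.replace(tzinfo=timezone.utc).timestamp()), m.group(2)

def triage(rk_text, log_text, owners):
    """Per flagged file: was its owning package installed/upgraded at or after its mtime?"""
    events, result = list(upgrades(log_text)), {}
    for path, mtime in parse_warnings(rk_text).items():
        pkg = owners.get(path)
        # A packaged file's mtime is set before install, so the log entry must not predate it.
        hit = any(p == pkg and when >= mtime for when, p in events)
        result[path] = f"consistent with {pkg} upgrade" if hit else "no matching upgrade logged"
    return result

if __name__ == "__main__":
    print(*(f"{p}: {v}" for p, v in triage(RKHUNTER_OUT, DPKG_LOG, OWNERS).items()), sep="\n")
```

A log match only shows that the change lines up with a package upgrade; comparing the installed file against the package database (`dpkg --verify <package>`) is the stronger check.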



