Re: rkhunter / chkrootkit
Hi Rick,

> Why don't you make a copy of one or more of those binaries, then re-retrieve and install the Woody package of the same release, and compare md5sums of the resulting binaries? (Note that you should make very sure it's the same release, or you'll get a different md5sum for entirely innocent reasons.)

Indeed, I could do it. After establishing contact with one of the maintainers, the previous advice to --update the md5sums from the rkhunter server solved the problem, and it was not an irregularity within the Debian server. So they've updated now, which was required.

> > Checking /dev for suspicious files... [ Warning! (unusual files found) ]
>
> Well? What files? The fact that rkhunter has an opinion is not, by itself, particularly interesting. You either have to know rkhunter very, very well, such that you have a high degree of faith in its opinions, or need to investigate for yourself what it claims is suspicious. Preferably both.

I don't know what files, as there was no output, and by the way it was the first time I used rkhunter.

> > - ProFTPd 1.2.5rc1 [Vulnerable ]
> > - OpenSSH 3.4p1 [Vulnerable ]
> > - GnuPG 1.0.6 [Vulnerable ]
>
> Well? _Are_ those actually vulnerable, or is rkhunter making bad assumptions? If you are running a conventional woody system, then you're receiving backported security fixes -- which does not change the package version number. Ergo, if rkhunter is stating the foregoing strictly on the basis of version numbers, then it is making a common elementary error.

Hm, to be honest I wasn't able to read the source code, but I don't think that my ProFTPd is not vulnerable, and I have to agree rkhunter is not able to detect the correct version, so you're right.

> > Incorrect MD5 checksums: 6
>
> Which ones? And on what basis is it saying they're incorrect? You don't say.

The binaries mentioned above.

-- 
Best Regards,
Mark

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: rkhunter / chkrootkit
Incoming from [EMAIL PROTECTED]:

> chkrootkit found nothing, but rkhunter found quite a lot:
>
> /bin/login
> /bin/su
> /usr/bin/locate
> /usr/sbin/useradd
> /usr/sbin/usermod
> /usr/sbin/vip
>
> All these binaries have been alerted within rkhunter. I got a message like this [and there was indeed a Debian update of passwd (login), but to be sure I need really competent advice]:
>
> Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced binaries or updated packages (which give other hashes). Be sure your hashes are fully updated (rkhunter --update). If you're in doubt about these hashes, contact the author ...
>
> And another alert was this:
>
> Checking /dev for suspicious files... [ Warning! (unusual files found) ]
>
> What's up now? I would expect someone has replaced my /bin/login

- What version of chkrootkit are you running? Latest is 0.44.

- rkhunter appears to only be showing a tripwire sort of alert. Its recognition of what's on the system apparently wasn't updated when you installed new software, and that would be the mistake you made that's causing this confusion.

So, I'd say the prudent things to do are:

- install and run the latest chkrootkit.
- rkhunter --update

However, I don't run rkhunter. Is there an rkhunter-users mailing list anywhere? Perhaps you can check their archive?

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
Please don't Cc: me.
Re: rkhunter / chkrootkit
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced binaries or updated packages (which give other hashes). Be sure your hashes are fully updated (rkhunter --update). If you're in doubt about these hashes, contact the author ...

Why don't you make a copy of one or more of those binaries, then re-retrieve and install the Woody package of the same release, and compare md5sums of the resulting binaries? (Note that you should make very sure it's the same release, or you'll get a different md5sum for entirely innocent reasons.)

> And another alert was this:
>
> Checking /dev for suspicious files... [ Warning! (unusual files found) ]

Well? What files? The fact that rkhunter has an opinion is not, by itself, particularly interesting. You either have to know rkhunter very, very well, such that you have a high degree of faith in its opinions, or need to investigate for yourself what it claims is suspicious. Preferably both.

> What's up now? I would expect someone has replaced my /bin/login binary, which makes me feel unhappy, or is there nothing to worry about?
>
> - ProFTPd 1.2.5rc1 [Vulnerable ]
> - OpenSSH 3.4p1 [Vulnerable ]
> - GnuPG 1.0.6 [Vulnerable ]

Well? _Are_ those actually vulnerable, or is rkhunter making bad assumptions? If you are running a conventional woody system, then you're receiving backported security fixes -- which does not change the package version number. Ergo, if rkhunter is stating the foregoing strictly on the basis of version numbers, then it is making a common elementary error.

> At last there were these error messages:
>
> Incorrect MD5 checksums: 6

Which ones? And on what basis is it saying they're incorrect? You don't say.

-- 
Cheers,                     There are 10 kinds of people in the world, those who
Rick Moen                   know ternary, those who don't, and those who are now
[EMAIL PROTECTED]           looking for their dictionaries.  -- Ron Fabre
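One way to carry out the comparison Rick suggests, and to answer his "Which ones?" objection, is to check each installed file against the md5sums recorded for the pristine package and report every mismatching or absent path by name rather than only a count. The script below is an added example, not code from the thread or from rkhunter; the file contents, the package paths and the manifest are constructed stand-ins built in a temporary directory, and the manifest format follows dpkg's `<package>.md5sums` convention ("<md5hex>  <path relative to />"). The caveat from the thread still applies: the manifest must come from exactly the same package release as the installed files, or innocent rebuilds show up as mismatches.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of_file(path):
    """MD5 of a file's bytes, streamed so large binaries don't need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse dpkg-style md5sums lines into {relative_path: expected_md5_hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        entries[rel.strip()] = digest.lower()
    return entries


def verify_tree(manifest_text, root):
    """Compare every manifest entry against the file under root.

    Returns {relative_path: 'ok' | 'mismatch' | 'missing'} so that a report can
    name the offending files instead of only counting them.
    """
    results = {}
    for rel, expected in parse_manifest(manifest_text).items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "missing"
        elif md5_of_file(p) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def summarize(results):
    """(count, sorted list of paths) for everything that is not 'ok'."""
    bad = sorted(rel for rel, status in results.items() if status != "ok")
    return len(bad), bad


def build_sample_tree(root):
    """Constructed stand-ins for package files (not real binaries)."""
    files = {
        "bin/login": b"#!/bin/sh\necho login stand-in\n",
        "bin/su": b"#!/bin/sh\necho su stand-in\n",
        "usr/bin/locate": b"#!/bin/sh\necho locate stand-in\n",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return files


def sample_manifest(files):
    """Constructed manifest: what the re-retrieved package of the same release would record."""
    lines = ["%s  %s" % (hashlib.md5(data).hexdigest(), rel) for rel, data in files.items()]
    # Listed by the package but absent from the installed tree -> reported as 'missing'.
    lines.append("%s  usr/sbin/useradd" % ("0" * 32))
    return "\n".join(lines) + "\n"


def demo():
    """Install the sample tree, take the manifest, then alter one file and verify."""
    with tempfile.TemporaryDirectory() as root:
        files = build_sample_tree(root)
        manifest = sample_manifest(files)
        # Simulate a file replaced after the package was installed.
        (Path(root) / "bin/login").write_bytes(b"#!/bin/sh\necho replaced\n")
        return verify_tree(manifest, root)


if __name__ == "__main__":
    results = demo()
    count, bad = summarize(results)
    print("Incorrect or missing files: %d" % count)
    for rel in bad:
        print("  %-20s %s" % (rel, results[rel]))
```

On a real Debian system the manifest for an installed package lives under /var/lib/dpkg/info/, and the same comparison against a freshly downloaded copy of the identical package version tells a replaced binary apart from one that merely changed because the package was upgraded.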