[Rkhunter-users] question about file's dependencies
Hello, we've been running rkhunter for some time, and got this in our report this morning, and was wondering if this is something to be concerned with or not:

===
/usr/sbin/prelink: /bin/more: at least one of file's dependencies has changed since prelinking
/bin/more                                                  [ BAD ]
===

I ran the rkhunter --update before and afterwards and still got the same results. The updates showed no problems. This is on a Red Hat Enterprise Linux ES release 4 (Nahant Update 4) machine.

Any suggestion or help would be appreciated.

TIA,
Mike(mickalo)Blezien
===
Thunder Rain Internet Publishing
Providing Internet Solution that Work
http://www.thunder-rain.com
===

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] question about file's dependencies
After reading through the FAQs, found and corrected the problem :) Had to resync the prelink as outlined in the FAQs.

Mike

----- Original Message -----
From: Mike Blezien [EMAIL PROTECTED]
To: rkhunter-users@lists.sourceforge.net
Sent: Saturday, January 13, 2007 6:51 AM
Subject: [Rkhunter-users] question about file's dependencies
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 07:27 -0600, Mike Blezien wrote:
> After reading through the FAQs, found and corrected the problem :)
> Had to resync the prelink as outlined in the FAQs.
>
Hmm, we need to go through the FAQ again. Prelinking is no verification of a file's integrity. As such I would run 'rpm -Vf /bin/more' to ensure that the file and its package are correct (no output indicates that it is okay). Although it can, and has been, argued that even that does not *guarantee* that the file is genuine! It is for you to satisfy yourself that the file/package is valid; RKH can only indicate that something has changed.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                         Fax: +44 (0)1752 233839
Re: [Rkhunter-users] question about file's dependencies
Hello John,

after running the following:

------------------------------
$ rpm -Vf /bin/more

# OUTPUT
.M..    /bin/mount
.M..    /bin/umount
.M..    /usr/bin/chfn
.M..    /usr/bin/chsh
.M..    /usr/bin/newgrp
.M..    /usr/bin/write
------------------------------

so I assume all is ok here.

I followed the instruction from the FAQs regarding this prelink problem, which seems to have solved the issue earlier noted with the following steps:

Step 1) run /etc/cron.daily/prelink
Step 2) run sh /usr/local/rkhunter/lib/rkhunter/scripts/hashupd.sh
Step 3) rerun rkhunter -c

after running rkhunter -c again, everything appeared to be fine, no errors reported.

Mike

----- Original Message -----
From: John Horne [EMAIL PROTECTED]
To: rkhunter-users@lists.sourceforge.net
Sent: Saturday, January 13, 2007 10:30 AM
Subject: Re: [Rkhunter-users] question about file's dependencies
Re: [Rkhunter-users] question about file's dependencies
here is the output:

-rwxr-xr-x  1 root root  84232 May 24  2006 /bin/mount*
-rwxr-xr-x  1 root root  54412 May 24  2006 /bin/umount*
-rwx--x--x  1 root root  17708 May 24  2006 /usr/bin/chfn*
-rwx--x--x  1 root root  18392 May 24  2006 /usr/bin/chsh*
-rwx--x--x  1 root root   7700 May 24  2006 /usr/bin/newgrp*
-rwxr-xr-x  1 root tty   10124 May 24  2006 /usr/bin/write*

Mike

----- Original Message -----
From: John Horne [EMAIL PROTECTED]
To: rkhunter-users@lists.sourceforge.net
Sent: Saturday, January 13, 2007 11:04 AM
Subject: Re: [Rkhunter-users] question about file's dependencies

> On Sat, 2007-01-13 at 10:38 -0600, Mike Blezien wrote:
>> Hello John,
>>
>> after running the following:
>>
>> ------------------------------
>> $ rpm -Vf /bin/more
>>
>> # OUTPUT
>> .M..    /bin/mount
>> .M..    /bin/umount
>> .M..    /usr/bin/chfn
>> .M..    /usr/bin/chsh
>> .M..    /usr/bin/newgrp
>> .M..    /usr/bin/write
>> ------------------------------
>>
>> so I assume all is ok here.
>>
> I would say not. The 'M' indicates that the files' mode has changed. From an RHEL4 system I get:
>
> # ls -l /bin/mount /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write
> -rwsr-xr-x  1 root root  84232 May 24  2006 /bin/mount
> -rwsr-xr-x  1 root root  54412 May 24  2006 /bin/umount
> -rws--x--x  1 root root  17708 May 24  2006 /usr/bin/chfn
> -rws--x--x  1 root root  18392 May 24  2006 /usr/bin/chsh
> -rws--x--x  1 root root   7700 May 24  2006 /usr/bin/newgrp
> -rwxr-sr-x  1 root tty   10124 May 24  2006 /usr/bin/write
>
> Can you do the same to see if the output is the same (in particular the permissions and ownership) please.
>
>> I followed the instruction from the FAQs regarding this prelink problem, which seems to have solved the issue earlier noted with the following steps:
>>
> Yes, I cannot argue against what you have done since it is in the FAQ. However, perhaps the FAQ should point out that running prelink (or /etc/cron.daily/prelink) 'gets around' this error message. It does not verify that the files have not been corrupted in some way. Running 'rpm -V', as your output shows, indicates that some files, albeit that /bin/more is not included!, have indeed changed.
>
> Whilst prelinking may well cause the MD5 checksum to change ('rpm -V' shows this as a '5' and was the main reason for adding the prelink section to the FAQ), the fact that the files' mode has changed is more serious. Prelinking wouldn't have caused that change, but running prelink prevents the error from appearing again (or until something else changes).
>
> John.
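John's point above is that a '5' (digest) in 'rpm -V' output can be a side effect of prelinking, whereas an 'M' (mode) cannot. The following is an added example, not code from this thread or from rkhunter: a small Python triage of 'rpm -V' / 'rpm -Va' lines along those lines. It assumes rpm's documented verify format (the 'SM5DLUGT' columns plus an optional attribute letter such as 'c' for config files); the sample lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Set

# One 'rpm -V' line per changed file: a column per test ('.' = passed), an optional
# attribute letter (c = config file, d = doc, ...) and the path. Columns are
# S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime and,
# on rpm 4.6+, P capabilities; hence 8 or 9 columns.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$")

class VerifyLine(NamedTuple):
    path: str
    flags: Set[str]        # failed tests, e.g. {"M"} for a mode change
    attr: Optional[str]    # "c" when rpm marks the file as a config file
    missing: bool

def parse_rpm_verify(text: str) -> List[VerifyLine]:
    """Parse 'rpm -V' / 'rpm -Va' output; lines in another format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue       # e.g. "Unsatisfied dependencies" lines
        flags = m.group("flags")
        failed = set() if flags == "missing" else {c for c in flags if c != "."}
        out.append(VerifyLine(m.group("path"), failed, m.group("attr"), flags == "missing"))
    return out

def triage(v: VerifyLine) -> str:
    """Severity following John's reasoning: prelink never changes mode or owner,
    it may change a binary's digest, and config files are expected to drift."""
    if v.missing or v.flags & {"M", "U", "G"}:
        return "high"
    if v.attr == "c":
        return "low"
    if v.flags & {"5", "S", "T"}:
        return "medium"    # confirm with 'prelink -y' or a reinstall before trusting it
    return "low"

def triage_report(text: str) -> dict:
    return {v.path: triage(v) for v in parse_rpm_verify(text)}

# Constructed sample in the format of this thread's 'rpm -Vf /bin/more' output.
SAMPLE = """\
.M......    /bin/mount
.M......    /usr/bin/write
..5....T    /bin/more
S.5....T  c /etc/ssh/sshd_config
missing     /usr/share/doc/util-linux/README
"""
```

Feed it the real output of 'rpm -Va' and review the "high" entries first; a "medium" on a prelinked binary is only cleared once the package or prelink itself has verified the file.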
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 11:10 -0600, Mike Blezien wrote:
> here is the output:
>
> -rwxr-xr-x  1 root root  84232 May 24  2006 /bin/mount*
> -rwxr-xr-x  1 root root  54412 May 24  2006 /bin/umount*
> -rwx--x--x  1 root root  17708 May 24  2006 /usr/bin/chfn*
> -rwx--x--x  1 root root  18392 May 24  2006 /usr/bin/chsh*
> -rwx--x--x  1 root root   7700 May 24  2006 /usr/bin/newgrp*
> -rwxr-xr-x  1 root tty   10124 May 24  2006 /usr/bin/write*
>
Quick glance seems to indicate that your files have lost the suid bit ('rws'); guid for the 'write' command ('r-s'). No idea why.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                         Fax: +44 (0)1752 233839
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 11:24 -0600, Mike Blezien wrote:
> Ok, I see that now. We do run this on a Cpanel/WebHost Mgr system. Not sure that would make a difference.
>
This is the problem - why have they changed? Neither I nor RKH can answer that. Perhaps other files have changed as well (you would need to run 'rpm -Va' for that and then go through the output to see if the changed files (usually config files) are known to you).

> What is the specific chmod commands to reset suid bits, isn't something like chmod 4755 or similar ?
>
Personally I would reinstall the whole package (util-linux I think - 'rpm -qf /bin/more' will tell you the name), and then re-verify it. Yes, 4755 will reset the suid bit. 2755 for the guid bit on the write command. Note though that reinstalling or resetting the suid/guid bits may cause the problem to happen again. cpanel/whatever may change the bits again.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                         Fax: +44 (0)1752 233839
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 17:04 +0000, John Horne wrote:
> On Sat, 2007-01-13 at 10:38 -0600, Mike Blezien wrote:
>> Hello John,
>>
>> after running the following:
>>
>> ------------------------------
>> $ rpm -Vf /bin/more
>>
>> # OUTPUT
>> .M..    /bin/mount
>> .M..    /bin/umount
>> .M..    /usr/bin/chfn
>> .M..    /usr/bin/chsh
>> .M..    /usr/bin/newgrp
>> .M..    /usr/bin/write
>> ------------------------------
>>
>> so I assume all is ok here.
>>
It may be worth pointing out something here before anyone says anything. The question could be asked, why did RKH find a change with /bin/more, but nothing with /bin/mount, /bin/umount etc? RKH version 1.2.9 checks the files' MD5 hash values. In the case of /bin/more that had changed; probably by prelinking since running prelink solved that. However, the above 'rpm -V' command shows that the above files have indeed changed but not their hash value (this would be indicated by a '5'). Other tests check if the files have had their permissions changed to '777', or have been replaced by a shell script.

The next release of RKH goes a bit further and performs better testing. It will detect all the above problems. For each file checked, the uid/gid, permissions, dtm, inode and hash value are checked. A check if the 'other' permission has become writeable is done (hence 'rwxr-xrwx' is detected, whereas 1.2.9 does not do this), and a check if the file type is a 'script' is done - hence replacements by perl/awk/whatever scripts are detected (1.2.9 only checks for shell scripts). Next release will also use SHA1 hash checking by default, but this is configurable to MD5 or any other hash function the user has available (sha512, etc).

Okay, back to the coding I guess... :-)

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                         Fax: +44 (0)1752 233839
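To make the list of next-release checks John describes concrete, here is an added Python example (not rkhunter's code): it snapshots a file's uid/gid, mode, mtime, inode, a configurable hash (sha1 by default) and whether it is an interpreter script, then reports what changed, covering the lost setuid bit, the world-writable case and the script replacement discussed in this thread. demo() runs a constructed scenario on a stand-in file in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from typing import List, NamedTuple

class FileProps(NamedTuple):
    uid: int
    gid: int
    mode: int        # full st_mode, so the setuid/setgid bits are included
    mtime_ns: int    # the "dtm" check
    inode: int
    digest: str      # sha1 by default, as announced for the next release
    script: bool     # file starts with "#!" (any interpreter, not only sh)

def snapshot(path: str, algo: str = "sha1") -> FileProps:
    st = os.lstat(path)
    with open(path, "rb") as f:
        data = f.read()  # fine for system binaries; chunk this for very large files
    return FileProps(st.st_uid, st.st_gid, st.st_mode, st.st_mtime_ns, st.st_ino,
                     hashlib.new(algo, data).hexdigest(), data.startswith(b"#!"))

def check(path: str, baseline: FileProps, algo: str = "sha1") -> List[str]:
    """Compare a file with its baseline and return the findings (empty = clean)."""
    cur = snapshot(path, algo)
    findings = [f"{name} changed" for name in FileProps._fields
                if getattr(cur, name) != getattr(baseline, name)]
    if cur.mode & stat.S_IWOTH:                       # e.g. rwxr-xrwx, missed by 1.2.9
        findings.append("world-writable")
    if baseline.mode & stat.S_ISUID and not cur.mode & stat.S_ISUID:
        findings.append("setuid bit lost")            # the /bin/mount case in this thread
    if baseline.mode & stat.S_ISGID and not cur.mode & stat.S_ISGID:
        findings.append("setgid bit lost")            # the /usr/bin/write case
    return findings

def demo() -> List[List[str]]:
    # Constructed scenario: a stand-in setuid "mount" loses its bit, then is replaced by a script.
    p = os.path.join(tempfile.mkdtemp(), "mount")
    with open(p, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 64)
    os.chmod(p, 0o4755)
    base = snapshot(p)
    results = [check(p, base)]                        # []
    os.chmod(p, 0o755)
    results.append(check(p, base))                    # mode changed, setuid bit lost
    with open(p, "wb") as f:
        f.write(b"#!/bin/sh\necho not the real mount\n")
    os.chmod(p, 0o777)
    results.append(check(p, base))                    # digest/script changed, world-writable
    return results
```

The baseline must be taken from a state you have already verified (for instance right after a package reinstall and 'rpm -V'); otherwise the checker faithfully preserves whatever was already wrong.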
[Rkhunter-users] MD5 error
I'm wondering if anyone else has seen this problem, or has a fix. I get a BAD checksum for 'wget', even after running 'rkhunter --update'. However, if I uninstall wget and rkhunter (yum), then reinstall both, it's ok for a day, then the next day it's bad again. I seem to have a gremlin. I'm running Fedora 5.

Jim