Re: [Rkhunter-users] rkhunter --propupd not working?

2011-07-01 Thread John Horne
On Thu, 2011-06-30 at 16:06 -0400, Tanstaafl wrote:
 On 2011-06-30 3:36 PM, John Horne wrote:
  You'll need to check your system - perhaps with something like 'locate'
  - to see if RKH has been installed more than once.
 
 Nope, there's only one rkhunter.dat:
 
 myhost : Thu Jun 30, 16:03:07 : ~
  # locate rkhunter.dat
 /var/lib/rkhunter/db/rkhunter.dat
 /var/lib/rkhunter/db/rkhunter.dat.old
 myhost : Thu Jun 30, 16:04:54 : ~
  #
 
I'll need to see the output from '--debug' then or perhaps the (whole)
log file when you run 'rkhunter --propupd' and from when the system run
of rkhunter occurs (I can compare the two then).



John.

-- 
John Horne   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001

--
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] rkhunter --propupd not working?

2011-07-01 Thread John Horne
On Fri, 2011-07-01 at 08:03 -0400, Tanstaafl wrote:
 On 2011-07-01 6:27 AM, John Horne wrote:
  I'll need to see the output from '--debug' then or perhaps the (whole)
  log file when you run 'rkhunter --propupd' and from when the system run
  of rkhunter occurs (I can compare the two then).
 
 Ok - but just for clarification - do both of them overwrite the same log
 file (for Gentoo, /var/log/rkhunter.log)? And the .log.old is the
 previous logfile?
 
Yes.


John.

-- 
John Horne   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001



Re: [Rkhunter-users] rkhunter --propupd not working?

2011-07-01 Thread Tanstaafl
On 2011-07-01 9:57 AM, Tanstaafl wrote:
 Ok - but again, I ran --propupd, and got the email warning about the
 same 6 files, then went and grabbed the current .log and .log.old files...

Ok, I'm really not stupid, I promise, just had tunnel vision I guess...

I was running it from the cron directory instead of from the /usr/sbin
directory...

I just ran --propupd from the /usr/sbin directory, then ran the cronjob
manually, and everything is clean now...

Sorry for wasting your time... :(



Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-30 Thread John Horne
On Thu, 2011-06-30 at 15:29 -0400, Tanstaafl wrote:
 On 2011-06-28 3:40 PM, John Horne wrote:
  Correct. So when you then run 'rkhunter --propupd' again it compares the
  time value in the rkhunter database against that on the file itself. If
  both are the same, then the file hasn't changed since 'rkhunter
  --propupd' was last run.
 
 So, the question remains, why does mine repeatedly flag the same 6 files
 as having changed properties after every --propupd run...
 
 sigh I hate the weird problems...
 
Hello,

The only scenario I could think of would be if perhaps there were two
installations of RKH on your system, but using different data files.
That way one RKH sees the command files as having changed, yet when you
run 'rkhunter --propupd' from the command-line it updates a different
data file ('rkhunter.dat'). Since the first rkhunter isn't looking at
that file, it reports (again) that the files have changed.

You'll need to check your system - perhaps with something like 'locate'
- to see if RKH has been installed more than once.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001




Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-30 Thread Tanstaafl
On 2011-06-30 3:36 PM, John Horne wrote:
 You'll need to check your system - perhaps with something like 'locate'
 - to see if RKH has been installed more than once.

Nope, there's only one rkhunter.dat:

myhost : Thu Jun 30, 16:03:07 : ~
 # locate rkhunter.dat
/var/lib/rkhunter/db/rkhunter.dat
/var/lib/rkhunter/db/rkhunter.dat.old
myhost : Thu Jun 30, 16:04:54 : ~
 #




Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread John Horne
On Mon, 2011-06-27 at 10:50 -0400, Tanstaafl wrote:
 Hello,
 
 I have had rkhunter installed for a long time, been working well, system
 was reporting clean...
 
 I installed a lot of system updates (gentoo linux), then the next
 morning, got a report about 6 files whose properties had changed, and I
 realized I forgot to run --propupd command, so I did - but it isn't
 working (doesn't reset the files database so that it thinks they are
 ok), I still get the same email/message about the same 6 files
 properties being changed. I've tried running it 3 times now..
 
 System checks summary
 =
 
 File properties checks...
 Files checked: 144
 Suspect files: 6
 
 and from the log:
 
 myhost : Mon Jun 27, 08:17:17 : ~
  # grep Warn /var/log/rkhunter.log
 [08:05:04] Info: Emailing warnings to 'root' using command '/bin/mail -s
 [rkhunter] Warnings found for ${HOST_NAME}'
 [08:05:30]   /usr/bin/logger [ Warning ]
 [08:05:30] Warning: The file properties have changed:
 [08:05:38]   /usr/bin/whereis[ Warning ]
 [08:05:38] Warning: The file properties have changed:
 [08:05:40]   /sbin/fsck  [ Warning ]
 [08:05:40] Warning: The file properties have changed:
 [08:05:47]   /bin/dmesg  [ Warning ]
 [08:05:47] Warning: The file properties have changed:
 [08:05:51]   /bin/more   [ Warning ]
 [08:05:51] Warning: The file properties have changed:
 [08:05:51]   /bin/mount  [ Warning ]
 [08:05:51] Warning: The file properties have changed:
 myhost : Mon Jun 27, 08:17:25 : ~
  #
 
 Anyone got any idea what could be causing this?
 
Hello,

What version of rkhunter are you using? Also can you show us the full
log entry for one of the files with a warning - that is, showing which
file properties have changed? Are you using a package manager?




John.

-- 
John Horne   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001



Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread Tanstaafl
Thanks for the help John...

On 2011-06-27 10:57 AM, John Horne wrote:
 What version of rkhunter are you using?

1.3.8

 Also can you show us the full log entry for one of the files with a
 warning - that is, showing which file properties have changed?

[09:57:04]   /usr/bin/logger [ Warning ]
[09:57:04] Warning: The file properties have changed:
[09:57:04]  File: /usr/bin/logger
[09:57:04]  Current hash: 686d03f4819c1efaba06f8792f181f0af2c13461
[09:57:04]  Stored hash : b4ededa9259434e747b8579ff3aee59b075379cc
[09:57:04]  Current inode: 301945    Stored inode: 302444
[09:57:04]  Current file modification time: 1309013602
(25-Jun-2011 10:53:22)
[09:57:04]  Stored file modification time : 1304798960
(07-May-2011 16:09:20)
[09:57:04]   /usr/bin/lsattr [ OK ]

And again, even though it says 'Stored file mod time is 07 May', I have
run --propupd 3 times now...

 Are you using a package manager?

Yes - Gentoo's... I am using the standard ebuild in portage...



Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread John Horne
On Mon, 2011-06-27 at 12:40 -0400, Tanstaafl wrote:
 Thanks for the help John...
 
 On 2011-06-27 10:57 AM, John Horne wrote:
  What version of rkhunter are you using?
 
 1.3.8
 
  Also can you show us the full log entry for one of the files with a
  warning - that is, showing which file properties have changed?
 
 [09:57:04]   /usr/bin/logger [ Warning ]
 [09:57:04] Warning: The file properties have changed:
 [09:57:04]  File: /usr/bin/logger
 [09:57:04]  Current hash: 686d03f4819c1efaba06f8792f181f0af2c13461
 [09:57:04]  Stored hash : b4ededa9259434e747b8579ff3aee59b075379cc
 [09:57:04]  Current inode: 301945    Stored inode: 302444
 [09:57:04]  Current file modification time: 1309013602
 (25-Jun-2011 10:53:22)
 [09:57:04]  Stored file modification time : 1304798960
 (07-May-2011 16:09:20)
 [09:57:04]   /usr/bin/lsattr [ OK ]
 
 And again, even though it says 'Stored file mod time is 07 May', I have
 run --propupd 3 times now...
 
The stored time is the modification time on the file when '--propupd'
was last used, not the time when '--propupd' was run.

  Are you using a package manager?
 
 Yes - Gentoo's... I am using the standard ebuild in portage...

Sorry, no I mean are you using an rkhunter package manager in your
config file?

I can't think of any immediate reason for the warnings to continuously
appear. However I have a slight nagging feeling that I did read of this
some time ago for another user.

You could run 'rkhunter --propupd --debug' and email me the debug file
dumped in /tmp if you want.




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

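The two points John makes in this thread (the stored modification time is the file's own mtime as of the last '--propupd', not the time '--propupd' ran; and a '--propupd' that writes a database other than the one the scheduled run reads leaves the warnings in place) are reproduced below as an added example. This is not rkhunter's code and not from the thread: a JSON file stands in for rkhunter.dat, only the SHA-1 hash, inode and mtime are tracked (rkhunter records more properties and uses its own format), and the file name, contents and timestamps are constructed for the demo, borrowing the two mtime values from the log excerpt above.

```python
"""Toy model of rkhunter's file-properties database (added example, not rkhunter code).

Assumptions: a JSON file stands in for rkhunter.dat; only SHA-1 hash, inode and
mtime are tracked; paths, contents and timestamps are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

PROPS = ("hash", "inode", "mtime")


def file_props(path):
    """Current properties of one file, as the checker sees them right now."""
    st = os.stat(path)
    digest = hashlib.sha1(Path(path).read_bytes()).hexdigest()
    return {"hash": digest, "inode": st.st_ino, "mtime": int(st.st_mtime)}


def propupd(db_path, files):
    """Like 'rkhunter --propupd': snapshot the files' CURRENT properties into db_path.

    The stored mtime is the file's own modification time at snapshot time,
    not the wall-clock time at which propupd ran.
    """
    db = {str(f): file_props(f) for f in files}
    Path(db_path).write_text(json.dumps(db, indent=1))
    return db


def check(db_path, files):
    """Like the scheduled check: return {path: [properties that differ]}."""
    db = json.loads(Path(db_path).read_text())
    suspect = {}
    for f in files:
        cur, stored = file_props(f), db.get(str(f))
        if stored is None:
            suspect[str(f)] = ["not in database"]
            continue
        changed = [p for p in PROPS if cur[p] != stored[p]]
        if changed:
            suspect[str(f)] = changed
    return suspect


def report_lines(db_path, files):
    """Render warnings in the shape of the rkhunter log lines quoted in the thread."""
    db = json.loads(Path(db_path).read_text())

    def ts(t):
        return time.strftime("%d-%b-%Y %H:%M:%S", time.gmtime(t))

    lines = []
    for path, changed in check(db_path, files).items():
        cur, stored = file_props(path), db.get(path, {})
        lines += [f"  {path} [ Warning ]",
                  "Warning: The file properties have changed:",
                  f" File: {path}"]
        if "hash" in changed:
            lines += [f" Current hash: {cur['hash']}", f" Stored hash : {stored['hash']}"]
        if "inode" in changed:
            lines.append(f" Current inode: {cur['inode']}    Stored inode: {stored['inode']}")
        if "mtime" in changed:
            lines += [f" Current file modification time: {cur['mtime']} ({ts(cur['mtime'])})",
                      f" Stored file modification time : {stored['mtime']} ({ts(stored['mtime'])})"]
    return lines


def demo(workdir=None):
    """Walk through the thread's scenario; returns the check result after each step."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    work = Path(workdir)
    target = work / "logger"                      # constructed stand-in for /usr/bin/logger
    target.write_bytes(b"#!/bin/sh\necho old\n")
    os.utime(target, (1304798960, 1304798960))    # the 'Stored' mtime from the thread
    files = [target]

    db_cron = work / "rkhunter.dat"               # the database the scheduled run reads
    propupd(db_cron, files)
    out = {"after_propupd": check(db_cron, files)}
    out["stored_mtime"] = json.loads(db_cron.read_text())[str(target)]["mtime"]

    # Package upgrade: new content lands in a new inode carrying the package's mtime.
    staged = work / "logger.new"
    staged.write_bytes(b"#!/bin/sh\necho new\n")
    os.utime(staged, (1309013602, 1309013602))    # the 'Current' mtime from the thread
    os.replace(staged, target)
    out["after_upgrade"] = check(db_cron, files)
    out["report"] = report_lines(db_cron, files)

    # propupd that writes a database the scheduled run never reads: it still warns.
    db_other = work / "elsewhere" / "rkhunter.dat"
    db_other.parent.mkdir()
    propupd(db_other, files)
    out["after_propupd_wrong_db"] = check(db_cron, files)

    # propupd against the database the scheduled run really reads clears it.
    propupd(db_cron, files)
    out["after_propupd_right_db"] = check(db_cron, files)
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, "" if step == "report" else value)
        if step == "report":
            print("\n".join(value))
```

Run it directly to see the warning block for the simulated upgrade, followed by the check results for each step. The "stored_mtime" entry stays at the file's original mtime no matter when propupd runs, and the warning only clears once propupd writes the same database that the check reads, which is exactly the mismatch to look for when a hand-run '--propupd' and a scheduled run disagree.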
