Hi Matt,

rkhunter creates a database (MD5SUMs) of some files; if they change for any reason, like a system upgrade/update, it will complain about it. rkhunter should be run again to get the new MD5SUMs. This applies to any Host Intruder Detection System (HIDS) (i.e. tripwire, AIDE, etc.).

> Anyway, this reminded me of an interesting article on ldd I read the other
> day:

I did read that article too, but who runs ldd as root? :P

Rodolfo Martínez
Dirección de Proyectos
Aleux México | http://www.aleux.com

2010/1/21 Matthew Hannigan <[email protected]>:
> On Fri, Jan 22, 2010 at 09:20:46AM +1100, Alan L Tyree wrote:
>> On Thu, 21 Jan 2010 15:54:01 -0600
>> Rodolfo Martínez <[email protected]> wrote:
>>
>> > Hi Alan,
>> >
>> > You can find what package provides the ldd program, and then verify
>> > the integrity of the package. If it really changed I think you should
>> > look for any suspicious activity in your server.
>> >
>> > I think you can find the package with dpkg -S $(which ldd) and you can
>> > check its integrity with debsum.
>> >
>> > ldd shouldn't change, unless you have updated your system.
>>
>> Just checking the Debian Security site
>> ( http://www.debian.org/security/) I see that it was updated for the
>> amd64 architecture.
>>
>> Thanks for the lesson on how to check out this sort of thing.
>>
>> Cheers,
>> Alan
>
>
> So everything looks fine. I wonder why rkhunter complained. Doesn't
> coordinate with the packaging system?
>
> Anyway, this reminded me of an interesting article on ldd I read the other
> day:
>
> http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
>
> Fun
>
> Matt
>
> --
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
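
The thread turns on two kinds of checksum comparison: a HIDS baseline recorded earlier on the host, and the checksums shipped with a package. The sketch below is an added example, not part of the original thread or of rkhunter or dpkg; the function names `record_md5sums` and `verify_md5sums` are hypothetical, and the sample tree is constructed. It shows why a legitimate upgrade makes a stale baseline report a change until the baseline is recorded again.

```shell
#!/bin/sh
# record_md5sums ROOT PATH...
# Writes "<md5>  <path relative to ROOT>" per file, the same layout dpkg
# uses in /var/lib/dpkg/info/<package>.md5sums.
record_md5sums() {
    root=$1; shift
    for path in "$@"; do
        printf '%s  %s\n' "$(md5sum < "${root%/}/$path" | cut -d' ' -f1)" "$path"
    done
}

# verify_md5sums LIST [ROOT]
# Prints MISSING/CHANGED for every file that no longer matches LIST.
# Returns 0 when everything matches, 1 otherwise.
verify_md5sums() {
    list=$1 root=${2:-/} bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$list"
    return $bad
}

demo() {
    t=$(mktemp -d)                      # constructed sample tree, not a real system
    mkdir -p "$t/usr/bin"
    echo 'v1' > "$t/usr/bin/ldd"
    record_md5sums "$t" usr/bin/ldd > "$t/baseline"
    echo 'v2' > "$t/usr/bin/ldd"        # simulates a package upgrade replacing the file
    verify_md5sums "$t/baseline" "$t" || echo "baseline is stale, or the file was modified"
    record_md5sums "$t" usr/bin/ldd > "$t/baseline"   # re-record after a verified upgrade
    verify_md5sums "$t/baseline" "$t" && echo "baseline matches again"
    rm -rf "$t"
}
demo
```

The checksum list alone cannot tell an upgrade from tampering; that is what comparing against the package's own md5sums file (for example `verify_md5sums /var/lib/dpkg/info/<package>.md5sums /`) adds before the baseline is re-recorded.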
