From: Dino Vliet on 23 Mar 2010 17:50

Dear Debian people,

I'm getting rkhunter mails every day and have noticed the following contents:

    Warning: The file properties have changed:
        File: /usr/bin/dpkg
        Current hash: 77e5b6a35981d5d16310a1925d9566cd41d1b0fa
        Stored hash : 84f64e4ee0a279ae5bd20462da339e7998c1c5a2
        Current inode: 190559 Stored inode: 161
        Current file modification time: 1268081693
        Stored file modification time : 1263332111
    Warning: The file properties have changed:
        File: /usr/bin/dpkg-query
        Current hash: 9ca28d57c1e29d3274fbb6ef0da064627c9190b1
        Stored hash : e9f2df60680f8554bf660aad2d4171434ad42c0e
        Current inode: 190555 Stored inode: 163
        Current file modification time: 1268081693
        Stored file modification time : 1263332111
    Warning: The file properties have changed:
        File: /usr/bin/sudo
        Current hash: b50414ec4fbc62fa24435a60fe35d58fc80cf1bc
        Stored hash : dcdb650d0a16dec64f2336454f84372b7827092e
        Current inode: 178665 Stored inode: 1389509
        Current size: 127240 Stored size: 127208
        Current file modification time: 1267546475
        Stored file modification time : 1233083286
    Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
    Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
    Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
    Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

Should I worry? What are these messages I'm seeing? Especially the ones that are reporting that the utilities sudo, dpkg-query and dpkg have changed. How do I know these are legitimate?

I'm running Debian 5.0 on an amd64 system.

Brgds
Dino

From: Oliver Schneider on 23 Mar 2010 19:50

> Should I worry? What are these messages I'm seeing? Especially the ones
> that are reporting that the utilities sudo, dpkg-query and dpkg have
> changed. How do I know these are legitimate?

You should know whether the respective packages owning those files were updated by you (or the unattended security updates mechanism) lately. Otherwise try to see from the system log. Also, the .deb files likely contain some hashes that you can look up on a "known clean" system, because obviously if a real rootkit is involved you shouldn't trust information found in the system log.

> I'm running Debian 5.0 on an amd64 system.

The last three warnings I get regularly. Debian is a bit slower to update to the latest versions, but on the other hand some security-relevant patches get backported, so I wouldn't be too worried about those (including exim).

// Oliver
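
Added example (not part of the thread and not rkhunter code): a sketch of the known-clean comparison suggested in the reply. It parses the rkhunter warnings quoted in the question and compares each "Current hash" with a reference hash computed on a separate clean machine from the file unpacked out of the same package version. The function names, the reference mapping and the assumption that the 40-hex-digit values are SHA-1 are mine.

```python
import hashlib
import re

# Excerpt of two warnings from the report quoted in the question.
REPORT = (
    "Warning: The file properties have changed: File: /usr/bin/dpkg "
    "Current hash: 77e5b6a35981d5d16310a1925d9566cd41d1b0fa "
    "Stored hash : 84f64e4ee0a279ae5bd20462da339e7998c1c5a2 "
    "Current inode: 190559 Stored inode: 161 "
    "Warning: The file properties have changed: File: /usr/bin/sudo "
    "Current hash: b50414ec4fbc62fa24435a60fe35d58fc80cf1bc "
    "Stored hash : dcdb650d0a16dec64f2336454f84372b7827092e "
    "Current size: 127240 Stored size: 127208 "
)

# Token scan instead of line splitting, so a mail flattened onto one line still parses.
TOKEN = re.compile(
    r"File: (?P<path>\S+)"
    r"|(?P<which>Current|Stored) (?P<field>hash|inode|size|file modification time)"
    r"\s*: (?P<value>\S+)"
)

def parse_report(text):
    """Map each reported path to its 'current' and 'stored' properties."""
    files, entry = {}, None
    for m in TOKEN.finditer(text):
        if m.group("path"):
            entry = files.setdefault(m.group("path"), {"current": {}, "stored": {}})
        elif entry is not None:
            entry[m.group("which").lower()][m.group("field")] = m.group("value")
    return files

def sha1_of(path):
    """Run on the clean host against the file unpacked from the .deb (SHA-1 assumed)."""
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read()).hexdigest()

def triage(report_text, reference):
    """Compare every reported 'Current hash' with the clean-system reference."""
    verdicts = {}
    for path, props in parse_report(report_text).items():
        expected = reference.get(path)
        if expected is None:
            verdicts[path] = "no reference"
        elif props["current"].get("hash") == expected.lower():
            verdicts[path] = "matches clean copy"
        else:
            verdicts[path] = "MISMATCH"
    return verdicts
```

Build the reference mapping with sha1_of() on the clean machine and run triage() there as well, since output produced on the host under suspicion cannot be trusted.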