Rkhunter reports file properties have changed

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by CountMurphy on Server Fault See other posts from Server Fault or by CountMurphy
Published on 2012-03-21T23:07:40Z Indexed on 2012/03/21 23:31 UTC
Read the original article Hit count: 240

Filed under:

I am running a fully updated LTS copy of Ubuntu server. Today I ran rkhunter (as I do from time to time). This is the output I got:

 Warning: The file properties have changed:
[15:52:25]          File: /bin/ps
[15:52:25]          Current hash: f22991ec93ae966c856d367f42fc3d8a484bd827
[15:52:25]          Stored hash : 1892268bf195ac118076b1b0f53e7a637eb6fbb3
[15:52:25]          Current inode: 142902    Stored inode: 130894
[15:52:25]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:25]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)



 Warning: The file properties have changed:
[15:52:33]          File: /usr/bin/ldd
[15:52:33]          Current hash: f1e2ca5aa3a28994e2cebb64c993a72b7d97b28c
[15:52:33]          Stored hash : 295d9cedb121a5e431a39a6d201ecd7ce5640497
[15:52:33]          Current inode: 2236210    Stored inode: 2234359
[15:52:33]          Current size: 5280    Stored size: 5279
[15:52:33]          Current file modification time: 1331165514 (07-Mar-2012 16:11:54)
[15:52:33]          Stored file modification time : 1295653965 (21-Jan-2011 15:52:45)



 Warning: The file properties have changed:
[15:52:37]          File: /usr/bin/pgrep
[15:52:37]          Current hash: 3eada9a96760f3e2c9111cfe32901d1432813c1d
[15:52:37]          Stored hash : ce265d0db9964b173fe5036f703a9b8d66e55df3
[15:52:37]          Current inode: 2229646    Stored inode: 2224867
[15:52:37]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:37]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)




Warning: The file properties have changed:
[15:52:41]          File: /usr/bin/top
[15:52:41]          Current hash: 6be13737d8b0950cea2f1ae3a46d4af713dbe971
[15:52:41]          Stored hash : c7b495ecef3982eeb6f08a511861b1a1ae8775e6
[15:52:41]          Current inode: 2229629    Stored inode: 2224862
[15:52:41]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:41]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)



Warning: The file properties have changed:
[15:52:53]          File: /usr/sbin/cron
[15:52:53]          Current hash: e783ca973f970aa8a4bf5edc670e690b33914c3d
[15:52:53]          Stored hash : 4718257a8060736b9058aed025c992f02a74a5a7
[15:52:53]          Current inode: 2224719    Stored inode: 2228839
[15:52:54]          Current file modification time: 1330965568 (05-Mar-2012 08:39:28)

There were also a few other I left out. Has my server been rooted? I am running fail2ban and do monitor failed ssh logins. nothing has come up. Could someone compare these hashes to their copy of Ubuntu Server (lts)? Please tell me these are false positives.....

Edit: is something else like rkhunter I can run for a second scan?

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about ubuntu

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle