rkhunter: right way to handle warnings further?
Posted
by
zuba
on Ask Ubuntu
See other posts from Ask Ubuntu
or by zuba
Published on 2013-02-14T09:18:00Z
Indexed on
2013/11/05
4:14 UTC
Read the original article
Hit count: 384
rkhunter
I googled some and checked out two first links it found:
- http://www.skullbox.net/rkhunter.php
- http://www.techerator.com/2011/07/how-to-detect-rootkits-in-linux-with-rkhunter/
They don't mention what shall I do in case of such warnings:
Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The file properties have changed:
File: /usr/bin/lynx
Current hash: 95e81c36428c9d955e8915a7b551b1ffed2c3f28
Stored hash : a46af7e4154a96d926a0f32790181eabf02c60a4
Q1: Is there more extended HowTos which explain how to deal with different kind warnings?
And the second question. Were my actions sufficient to resolve these warnings?
a) To find the package which contains the suspicious file, e.g. it is debianutils for the file /bin/which
~ > dpkg -S /bin/which
debianutils: /bin/which
b) To check the debianutils package checksums:
~ > debsums debianutils
/bin/run-parts OK
/bin/tempfile OK
/bin/which OK
/sbin/installkernel OK
/usr/bin/savelog OK
/usr/sbin/add-shell OK
/usr/sbin/remove-shell OK
/usr/share/man/man1/which.1.gz OK
/usr/share/man/man1/tempfile.1.gz OK
/usr/share/man/man8/savelog.8.gz OK
/usr/share/man/man8/add-shell.8.gz OK
/usr/share/man/man8/remove-shell.8.gz OK
/usr/share/man/man8/run-parts.8.gz OK
/usr/share/man/man8/installkernel.8.gz OK
/usr/share/man/fr/man1/which.1.gz OK
/usr/share/man/fr/man1/tempfile.1.gz OK
/usr/share/man/fr/man8/remove-shell.8.gz OK
/usr/share/man/fr/man8/run-parts.8.gz OK
/usr/share/man/fr/man8/savelog.8.gz OK
/usr/share/man/fr/man8/add-shell.8.gz OK
/usr/share/man/fr/man8/installkernel.8.gz OK
/usr/share/doc/debianutils/copyright OK
/usr/share/doc/debianutils/changelog.gz OK
/usr/share/doc/debianutils/README.shells.gz OK
/usr/share/debianutils/shells OK
c) To relax about /bin/which
as I see OK
/bin/which OK
d) To put the file /bin/which
to /etc/rkhunter.conf
as SCRIPTWHITELIST="/bin/which"
e) For warnings as for the file /usr/bin/lynx
I update checksum with rkhunter --propupd /usr/bin/lynx.cur
Q2: Do I resolve such warnings right way?
© Ask Ubuntu or respective owner