rkhunter warns of inode change by no file modification date changes

Posted by Nicholas Tolley Cottrell on Server Fault See other posts from Server Fault or by Nicholas Tolley Cottrell
Published on 2014-06-02T09:13:00Z Indexed on 2014/06/02 9:29 UTC
Read the original article Hit count: 293

Filed under:

centos

|

yum

|

rkhunter

I have several systems running Centos 6 with rkhunter installed. I have a daily cron running rkhunter and reporting back via email.

I very often get reports like:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
        File: /sbin/fsck
        Current inode: 6029384    Stored inode: 6029326
Warning: The file properties have changed:
        File: /sbin/ip
        Current inode: 6029506    Stored inode: 6029343
Warning: The file properties have changed:
        File: /sbin/nologin
        Current inode: 6029443    Stored inode: 6029531
Warning: The file properties have changed:
        File: /bin/dmesg
        Current inode: 13369362    Stored inode: 13369366

From what I understand, rkhunter will usually report a changed hash and/or modification date on the scanned files to, so this leads me to think that there is no real change.

My question: is there some other activity on the machine that could make the inode change (running ext4) or is this really yum making regular (~ once a week) changes to these files as part of normal security updates?

© Server Fault or respective owner

Related posts about centos

Problems with repositories on CentOS 3.9

as seen on Super User - Search for 'Super User'
Hello, I have CentOS 3.9 for i386. When I try to instal some thing with yum, i.e: yum install firefox or yum install firefox* or yum list firefox and so on, I get: +++++++++++++++++++ yum info firefox Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 -… >>> More
Problems with repositories on CentOS 3.9

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, I have CentOS 3.9 for i386. When I try to instal some thing with yum, i.e: yum install firefox or yum install firefox* or yum list firefox and so on, I get: +++++++++++++++++++ yum info firefox Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 -… >>> More
centos yum problems

as seen on Server Fault - Search for 'Server Fault'
I am really new to using linux and have just formatted my centos 5.2 vps and am trying to install links by using the command yum install links. But the following error gets displayed: [root@inverses ~]# yum install links Loading "fastestmirror" plugin Loading mirror speeds from cached hostfile *… >>> More
Networking issues with Linux server (CentOS 5.3)

as seen on Server Fault - Search for 'Server Fault'
I have a Linux server hosting our bug tracking software (CentOS 5.2 Kernel 2.6.18-128.4.1.el5) that I have having some strange network problems with. The machine is configured with two NICS, one for the public interface and the other for our server back end network. The problem is that after doing… >>> More
Networking issues with Linux server (CentOS 5.3)

as seen on Server Fault - Search for 'Server Fault'
I have a Linux server hosting our bug tracking software (CentOS 5.2 Kernel 2.6.18-128.4.1.el5) that I have having some strange network problems with. The machine is configured with two NICS, one for the public interface and the other for our server back end network. The problem is that after doing… >>> More

Related posts about yum

yum update works but yum --security update fails to work in Fedora 12

as seen on Server Fault - Search for 'Server Fault'
I had already installed the yum-security before. And I was going to do an update by entering the following command: [root@localhost /]# yum update Loaded plugins: presto, priorities, refresh-packagekit, security Skipping security plugin, no data Setting up Update Process Resolving Dependencies Skipping… >>> More
Need help with yum,python and php in CentOS. (I made a complete mess!)

as seen on Server Fault - Search for 'Server Fault'
a while back I wanted to install some plugins for Trac but it required python 2.5 I tried installing it (I don't remember how) and the only thing I managed was to have two versions of python (2.4 and 2.5). Trac still uses the old version but the console uses 2.5 (python -V = Python 2.5.2). Anyway… >>> More
Need help with yum,python and php in CentOS. (I made a complete mess!)

as seen on Server Fault - Search for 'Server Fault'
Hello, a while back I wanted to install some plugins for Trac but it required python 2.5 I tried installing it (I don't remember how) and the only thing I managed was to have two versions of python (2.4 and 2.5). Trac still uses the old version but the console uses 2.5 (python -V = Python 2.5.2)… >>> More
Fedora 13 - No module named yum

as seen on Super User - Search for 'Super User'
This is driving me bananas! After a recent update in Fedora 13 64bit, my yum is gone: $> yum update There was a problem importing one of the Python modules required to run yum. The error leading to this problem was: No module named yum Please install a package which provides this module,… >>> More
How to subscribe to the free Oracle Linux errata yum repositories

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Now that updates and errata for Oracle Linux are available for free (both as in beer and freedom), here's a quick HOWTO on how to subscribe your Oracle Linux system to the newly added yum repositories on our public yum server, assuming that you just installed Oracle Linux from scratch, e.g. by using… >>> More