strange rkhunter md5 bad find [archive] - defender hosting forums
izzy 12-20-2005, 04:18 am
md5 compared: 51
incorrect md5 checksums: 4
strange rkhunter find yesterday after the daily cron check.
there was no update yesterday as the file dates are way back last month.
no bad report till yesterday.
any one else found this on their vps?
anyone have a clue as to why all of a sudden these files come up bad?
thanks for any light on this.
first reported after daily cron check 19/12/2005 6:20:21pm
next daily cron check 20/12/2005 6:20:19pm
still bad after rkhunter --update 20/12/2005 6:40:00pm
/bin/dmesg [ bad ] 18/11/2005 2:24:25pm
/bin/kill [ bad ] 18/11/2005 2:24:25pm
/bin/login [ bad ] 18/11/2005 2:24:25pm
/bin/mount [ bad ] 18/11/2005 2:24:25pm
these are the only other files with the same dates in /bin/:
/bin/arch 18/11/2005 2:24:25pm
/bin/more 18/11/2005 2:24:25pm
/bin/unmount 18/11/2005 2:24:25pm
pvutrix 12-20-2005, 05:32 am
yep, same thing here...
rkhunter --update doesn't help...
ozgreg 12-20-2005, 06:40 am
i whitelisted those files by adding the md5 hashes into the rkhunter.conf file located in /usr/local/etc
perl /usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl location of file
chief 12-20-2005, 10:19 am
same thing here, except there were no programs listed, just [bad] in the e-mail. charles?
sergey 12-20-2005, 10:49 am
the package in your system is newer than in the rkhunter database. when michael boelen (the author of rkhunter) updates the rkhunter database for rh everything will be ok. i checked all binaries manually and the checksums match the signature of the rpm. :)
dario 12-20-2005, 11:15 am
all those files are part of the util-linux package. fedora released an updated package yesterday. if you have yum running as a cron job, that could be the answer. they are updated.
dario
azc 12-20-2005, 11:52 am
thanks for posting this. i've been getting 5 "line: [ bad ]" entries the last couple of days.
izzy 12-24-2005, 03:01 am
> the package in your system is newer than in the rkhunter database. when michael boelen (the author of rkhunter) updates the rkhunter database for rh everything will be ok. i checked all binaries manually and the checksums match the signature of the rpm. :)
still not convinced, as the day before i noticed it there were no changes to the system or the files and there were no bad files. check out the dates in my original post. these are facts, not theory.
the next day there were still no changes to the system or the files, yet rkhunter decided there were 4 files with bad checksums. obviously something changed, but not the files, as the dates are indicative of no change for a month. rkhunter has not been upgraded by me for over a month. did something happen at the vps level that i have not been made aware of perhaps?
anyway, it's all dutch to me ;).
norm1322 12-25-2005, 08:31 am
i didn't get the names of the bad files either.
is there a way to update rkhunter to show the filenames in the report, before i'm too far gone? ;)
--
norm
izzy 12-25-2005, 10:19 am
what do you get when you type rkhunter -c at the shell prompt?
also, typing rkhunter -h at the shell prompt will give you the parameters.
the daily cron looks like this on my server.
/etc/cron.daily/rkhunter.sh
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "rkhunter scan details" youremail@youraddress)
replace youremail@youraddress with yours.
hth
:)
charlie 12-25-2005, 11:13 am
i have been getting the exact same thing for the same number of days. seems like sometimes the security alert scripts just like to mess with your mind.
izzy 12-25-2005, 11:35 am
> all those files are part of the util-linux package. fedora released an updated package yesterday. if you have yum running as a cron job, that could be the answer. they are updated.
> dario
i have rh9 and no yum on cron. :)
esc 12-26-2005, 02:50 pm
i investigated this issue somewhat. those md5 errors which some of us have seen recently are false positives caused by an outdated rkhunter md5 database.
the reason for this, at least on my vps, is the following:
on 2005-12-22 upcp (the automatic cpanel update script which is started by cron every day) loaded a security update of the util-linux-2.12-19 package, namely util-linux-2.12-19.1.legacy (see the release notes here (http://www.fedoralegacy.org/updates/fc2/2005-12-18-flsa_2005_168326__updated_util_linux_and_mount_packages_fix_security_issue.html) ). rkhunter's current md5s are only for util-linux-2.12-18 and util-linux-2.12-19, and those error-marked files are changed in the package. on your system this might have been a few days earlier or later. the date of the release was 2005-12-18.
one can investigate this in detail by issuing 'rkhunter --checkall --skip-keypress --createlogfile' as root from the shell. this will create a logfile in /var/log/rkhunter.log containing all the details. you might first update rkhunter (wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz) and the md5 data (rkhunter --update) to the latest versions.
you can whitelist those files in /usr/local/etc/rkhunter.conf to stop the errors, or wait a few days until rkhunter updates its md5 data. the syntax for the whitelisting is explained in the .conf file.
erich
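The manual check sergey and erich describe above (is the flagged binary still what its rpm installed, and when was that rpm installed?) as a small script. This is an added example for this thread, not code from rkhunter, cPanel or any poster; it assumes an RPM-based host like the RH9/Fedora VPSes discussed, and the function names flagged_files, triage_path and triage_report are my own.

```shell
#!/bin/sh
# Triage rkhunter "[ bad ]" checksum findings against the local RPM database.
# Added example for this thread; not part of rkhunter, cPanel or the host's tooling.
# Assumes an RPM-based system; the report text used in testing is constructed.

# Extract the paths rkhunter flagged, one per line, from a report read on stdin.
# "/bin/dmesg [ BAD ] 18/11/2005 2:24:25pm" yields "/bin/dmesg"; lines that show
# only "[BAD]" without a path (as some posters saw) carry nothing to check and are skipped.
flagged_files() {
    awk '{ l = tolower($0) } $1 ~ /^\// && l ~ /\[ *bad *\]/ { print $1 }'
}

# Decide whether one flagged file (a) still matches what its package installed,
# which on a recently updated box points to rkhunter's hash DB lagging the package,
# or (b) really differs from the package, which needs a closer look.
# Exit status: 0 = matches package, 1 = changed or unowned, 2 = cannot check here.
triage_path() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not available, cannot compare against package metadata" >&2
        return 2
    fi
    pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "$path: owned by no package -> investigate"; return 1; }
    when=$(rpm -q --qf '%{INSTALLTIME:date}' "$pkg")
    # rpm -V prints nothing for a file that still matches its package; a "5" in the
    # attribute column means the MD5 digest differs from the one recorded at install.
    mismatch=$(rpm -Vf "$path" 2>/dev/null | awk -v p="$path" '$NF == p')
    if [ -z "$mismatch" ]; then
        echo "$path: matches $pkg (installed $when) -> likely rkhunter DB lag; check update logs for that date"
        return 0
    fi
    echo "$path: differs from $pkg (installed $when): $mismatch -> investigate"
    return 1
}

# Whole-report driver: read rkhunter output on stdin and triage every flagged path.
# Caveat: the rpm database lives on the same host, so on a box you already suspect
# is rooted, confirm against the package file from a trusted mirror (rpm -K) instead.
triage_report() {
    rc=0
    for f in $(flagged_files); do
        triage_path "$f" || rc=1
    done
    return $rc
}
```

Feed it the cron e-mail, e.g. `triage_report < rkhunter-report.txt`, or run `triage_path /bin/dmesg` for a single file.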
charles 12-26-2005, 06:46 pm
tony was going to report this to the rkhunter developer/maintainer, as last time he made an update very quickly. not sure where we stand with it, but i'll follow up on this.
charles
izzy 12-27-2005, 01:35 am
thanks erich, you were right with regard to the nightly upcp. i found the update to util-linux in the cron report emailed on sunday december 18. i have attached a condensed version of the report to let folks see the problems they had finding a mirror.
charles, i wrote rkhunter early when i first discovered this issue but have not heard back but then again i didn't expect to.
i am still curious why just 4 files out of the whole bunch in this upgrade had checksum errors. one would have thought the whole package would be affected.
here is a list of all the files in the util-linux package for your interest.
util-linux is a suite of essential utilities for any linux system.
it contains the following programs:
addpart, agetty, blockdev, cal, cfdisk, chfn, chkdupexe, chrt, chsh, col, colcrt, colrm, column, ctrlaltdel, cytune, ddate, delpart, display-services, dmesg, elvtune, fastboot, fasthalt, fdformat, fdisk, flock, fsck.cramfs, fsck.minix, getopt, halt, hexdump, hwclock, initctl, ionice, ipcrm, ipcs, isosize, kill, last, line, logger, login, look, losetup, mcookie, mesg, mkfs, mkfs.bfs, mkfs.cramfs, mkfs.minix, mkswap, more, mount, namei, need, newgrp, partx, pg, pivot_root, provide, ramsize, raw, rdev, readprofile, reboot, rename, renice, reset, rev, rootflags, script, scriptreplay, setsid, setterm, sfdisk, shutdown, simpleinit, swapoff, swapon, taskset, tailf, tunelp, ul, umount, vidmode, vipw, wall, whereis, and write.
:)
chris 01-07-2006, 09:40 am
so maybe i'm dense . . . but what's the solution to this? it has been occurring on 1 of my 2 vps's for several weeks.
thanks for any guidance.
falsedawn 01-08-2006, 12:43 am
easiest solution is to just ignore it till the rkhunter developer does an update. :-)
izzy 01-08-2006, 07:26 pm
> easiest solution is to just ignore it till the rkhunter developer does an update. :-)
indeed, as i and many others have written to the developer, but as of this post i have not had a reply, nor has there been an update fix.
i also checked the file contents after the bad checksum issue against a copy of the files from before the issue and found absolutely no changes at all. so it appears to be just the checksum that was altered on those 4 files only, for reasons that i don't understand just yet.
additionally, you can whitelist the files as mentioned in ozgreg's and esc's posts above.
:)
fred 01-08-2006, 10:28 pm
whitelisting isn't a good thing imo... i prefer to receive a false alert that i know for sure is a false alert than to receive no alert at all later, after the host has been compromised...
tony 01-15-2006, 08:53 pm
hi guys,
michael - the developer of rkhunter - is going to be updating the db for us to account for swsoft binaries. this should be done in the next few days. i'll post here with more info when i have it.
chris 02-05-2006, 10:07 am
i'm still getting this on one of my vps's . . . i can clearly remember fixing it by updating "something" on the other one . . . but for the life of me can't figure out what it was.
did a search on cpanel and can't find it . . . any suggestions?
thanks
elix 02-05-2006, 12:16 pm
rkhunter --update
that might do it.
vps-vince 02-05-2006, 01:02 pm
> rkhunter --update
> that might do it.
tried that, got this:
[~]# rkhunter --update
running updater...
mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
using mirror http://mirror01.mirror.rkhunter.org
[db] mirror file : skipped
error: can't obtain valid version tag from downloaded file (or 404 error). possible outdated mirror.
[db] md5 hashes system binaries : skipped
error: can't obtain valid version tag from downloaded file (or 404 error). possible outdated mirror.
[db] operating system information : skipped
error: can't obtain valid version tag from downloaded file (or 404 error). possible outdated mirror.
[db] md5 blacklisted tools/binaries : skipped
error: can't obtain valid version tag from downloaded file (or 404 error). possible outdated mirror.
[db] known good program versions : skipped
error: can't obtain valid version tag from downloaded file (or 404 error). possible outdated mirror.
[db] known bad program versions : skipped
error: can't obtain valid version tag from downloaded file (or 404 error). possi
any other info on this one?
- vince
elix 02-07-2006, 08:05 pm
odd. i ran that on a box just the other day and it worked fine.
izzy 02-08-2006, 01:14 am
@ vince
ran this just now and it has obviously rotated the mirror to a usable one. perhaps when you tried it the mirrors were not rotating. it often pays to try again a few times if those errors appear when updating.
# rkhunter --update
running updater...
mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
using mirror http://mirror14.mirror.rkhunter.org
[db] mirror file : up to date
[db] md5 hashes system binaries : up to date
[db] operating system information : up to date
[db] md5 blacklisted tools/binaries : up to date
[db] known good program versions : up to date
[db] known bad program versions : up to date
ready.
#
@ tony
as you can see there is still no update for the original md5 problem which was to take only a few days to complete.
vps-vince 02-08-2006, 04:56 pm
just ran it again, and got this:
# rkhunter --update
running updater...
mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
using mirror http://mirror07.mirror.rkhunter.org
[db] mirror file : update available
action: database updated (current version: 2005033000, new version 2005050700)
[db] md5 hashes system binaries : update available
action: database updated (current version: 2005040601, new version 2005121400)
[db] operating system information : update available
action: database updated (current version: 2005032500, new version 2005102800)
[db] md5 blacklisted tools/binaries : up to date
[db] known good program versions : update available
action: database updated (current version: 2005040300, new version 2005111500)
[db] known bad program versions : update available
action: database updated (current version: 2005040300, new version 2005111500)
ready.
- vince
izzy 02-08-2006, 07:06 pm
looks good vince, now you have the latest versions and, like the rest of us, are waiting for the 2006xxxxxx versions that hopefully will fix the md5 bad issue. more than likely some kind soul will post here when there is an update available, or you can keep trying the update as often as you feel is adequate.
i check every few days (when i can remember). ;)
for a full list of root kit hunter shell commands try:
rkhunter --help
:)
esc 02-09-2006, 03:05 am
> i'm still getting this on one of my vps's . . . i can clearly remember fixing it by updating "something" on the other one . . . but for the life of me can't figure out what it was.
> did a search on cpanel and can't find it . . . any suggestions?
did you perhaps reinstall util-linux-2.12-19? you might find a clue in the logs.
erich
slaid 02-16-2006, 07:47 am
hello.
rkhunter has a new update (rkhunter --update) and it gives the same error on the same problem again.
any idea about what is wrong? i don't think my vps is not compromised...
sl
sdjl 02-17-2006, 12:29 pm
yup, rootkit hunter is now on version 1.2.8.
to install it, follow the instructions at configserver:
http://www.configserver.com/blog/index.php?itemid=27
david
edit
oh yes, i see what you mean now. the errors still appear after updating..
asterisk 02-21-2006, 04:29 am
same here. i've been receiving errors regarding bad hashes and old or patched programs after the update of both program and database files to the latest 1.2.8.
pvutrix 03-30-2006, 07:32 am
i still get these errors, even though my rkhunter is updated daily...
any solution for this?
izzy 03-30-2006, 05:09 pm
> i still get these errors, even though my rkhunter is updated daily...
> any solution for this?
the same bad checksum errors are still being reported, even after the db "updates" mentioned in tony's post above.
no solution other than the 'whitelist' hacks posted in this thread.
asterisk 03-31-2006, 08:10 am
how many bad finds do you get? i'm getting 5 - dmesg, kill, login, mount under /bin and kill under /usr/bin.
also i'm getting 2 under applications tagged as old or patched - gnupg and openssh.
izzy 03-31-2006, 01:27 pm
nothing has changed for me, still the same as in my first post.
/bin/dmesg [ bad ]
/bin/kill [ bad ]
/bin/login [ bad ]
/bin/mount [ bad ]
gnupg 1.2.1 [ old or patched version ]
openssl 0.9.7a [ old or patched version ]
openssh 3.5p1 [ old or patched version ]
iirc, the old or patched issue is cpanel related, as they do their own patching of the versions they use. these have not changed since i first installed rkhunter way back.
wokman 04-12-2007, 01:59 pm
a) will someone from defender hosting please post the correct md5 hashes for:
/bin/dmesg
/bin/kill
/bin/login
/bin/mount
so that those who care can verify that the files rkhunter is marking [bad] are ok.
running rkhunter 1.2.9 and ran --update (problem still persists)
b) are these the correct current application versions (more rkhunter errors)?
- gnupg 1.2.4 [ old or patched version ]
- openssl 0.9.7a [ old or patched version ]
- openssh 3.6.1p2 [ old or patched version ]
thanks!
c) has anyone tried the hashupd.sh script located at http://sourceforge.net/project/showfiles.php?group_id=155034&package_id=200881? does this fix the md5 rkhunter problem?
phild 04-14-2007, 03:57 am
> c) has anyone tried the hashupd.sh script located at http://sourceforge.net/project/showfiles.php?group_id=155034&package_id=200881? does this fix the md5 rkhunter problem?
yes, the hashupd.sh update fixes the problem.
here's a bash oneliner i use all the time to update a server/vps' rkhunter installation. enjoy:
version=1.2.9;echo installing rkhunter v$version...&&echo -n downloading...&&wget --quiet http://easynews.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-$version.tar.gz http://easynews.dl.sourceforge.net/sourceforge/rkhunter/hashupd.sh&&echo done&&echo -n extracting...&&tar zxf rkhunter-$version.tar.gz&&echo done&&echo -n installing...&&cd rkhunter-$version&&./installer.sh 2>&1 >/dev/null&&echo done&&echo -n updating rkhunter...&&/usr/local/bin/rkhunter --update 2>&1 >/dev/null && /usr/local/bin/rkhunter --update 2>&1 >/dev/null &&echo done&&echo -n running hash updater...&&chmod +x ../hashupd.sh && ../hashupd.sh -t /tmp 2>&1 >/dev/null&&echo done&&echo -n cleaning up...&&cd ..&&rm -rf rkhunter-$version* hashupd.sh &&echo done
the versions mentioned by rkhunter are all old, outdated packages.
wokman 04-14-2007, 11:52 pm
thank you phil - this solved the problem and the script is very handy!
sdjl 04-17-2007, 05:05 pm
i'd like to say this worked for me also, but it seems to error out when trying to run the hashupd.sh script:
installing rkhunter v1.2.9...
downloading...done
extracting...done
installing...done
updating rkhunter...done
running hash updater...chmod: cannot access `../hashupd.sh': no such file or directory
i can download the hash update script and manually run that, but i quite like the convenience of doing it all in one long command.
david
phild 04-19-2007, 09:33 pm
hi sdjl,
my apologies, the forum inserted url codes around my url, very annoying.
i've altered my previous post, should just work, copy and paste!
:d
> i'd like to say this worked for me also, but it seems to error out when trying to run the hashupd.sh script:
> installing rkhunter v1.2.9...
> downloading...done
> extracting...done
> installing...done
> updating rkhunter...done
> running hash updater...chmod: cannot access `../hashupd.sh': no such file or directory
> i can download the hash update script and manually run that, but i quite like the convenience of doing it all in one long command.
> david
sdjl 04-20-2007, 06:54 am
thanks for the update phil.
david
vbulletin® v3.6.5, copyright ©2000-2007, jelsoft enterprises ltd.