# rkhunter warnings, please help [SOLVED]

## Azangod

Today rkhunter found "Suspect files: 64"; yesterday there were 3.

 *Quote:*   

> [...]
> 
>     /bin/basename                                            [ Warning ]
> ...

What am I supposed to do? Restart from stage3? Re-emerging coreutils didn't change a thing.

Last edited by Azangod on Fri Aug 21, 2009 6:07 am; edited 1 time in total

----------

## Bircoph

1) Look into /var/log/rkhunter.log for details. (If logging is disabled, enable it in rkhunter's config.)

2) Maybe you just updated your system and rkhunter compares new files with old checksums?

----------

## Azangod

Well, I think I've messed up something.

In the first place, I didn't notice that the --propupd option popped up between 1.2.9-r1 and 1.3.4-r2.

Other than that, there are still some warnings: the old ones.

 *Quote:*   

> [12:36:34] /usr/bin/ldd                                      [ Warning ]
> 
> [12:36:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
> ...

I think those warnings are normal on Gentoo, am I right?

----------

## eccerr0r

Yes, some of those appear to be normal and should be scripts.

Provided you didn't change anything and the hacker doesn't understand how Gentoo does file integrity, you could run

```
qcheck coreutils
```

(or whatever package, or even -a)

to check whether the package's files are the same as they were when the package was installed.

----------

## cach0rr0

That is fine. Check out the contents of those files; it's no cause for concern.

----------

## Azangod

 *eccerr0r wrote:*   

> Provided you didn't change anything and the hacker doesn't understand how Gentoo does file integrity, you could run
> 
> ```
> ...

Cool! Learned something new.

```
Checking sys-apps/coreutils-7.4 ...
  * 244 out of 244 files are good
```

I'm pretty sure no one has violated my machine. Thanks to you all.

Time to apply [solved] flag

----------

## orange_juice

Thanks! qcheck seems to be a great tool!

Kind regards,

George Tantiras

----------

## eccerr0r

Remember:

qcheck is only good if the intruder does not know/care that it's a Gentoo system.

It's fairly trivial to make qcheck look 'good' (other systems' integrity systems are a bit harder to defeat because the checksums of the files must match those on their respective distribution site). In Gentoo, the only place where file integrity is checked against a 'clean' system is Portage.

Not that it's a serious drawback, just less redundancy. A compromised Red Hat system means 'rpm' can be suspect. That can be replaced with a fresh copy. Then the package database contains a list of packages. Each package's checksum should match what's on Red Hat's server. A corrupted database means the package list is gone or no longer matches Red Hat's servers.

On a Gentoo system, a compromised Portage can also be replaced, as long as python, rsync, and gcc were also not altered. Then the package database could also be corrupted -- but this is fatal, as no other system contains a copy of this data. The only way to check for corruption is to reinstall the package, as Portage's rsync contains checksums which check only the source.

But in any case, if there's any suspicion of intrusion, the easiest way to ensure proper cleanup is to reinstall. Just a warning that for a blackhat, it's easier to hide your tracks in Gentoo because of the flexibility Portage provides.
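An added example, not from the thread and not the code of qcheck or Portage, that does in a few lines of POSIX sh what the `qcheck coreutils` suggestion earlier in the thread relies on, and then illustrates the redundancy point made in this post: `verify_contents` compares installed files against the md5 sums Portage records in `/var/db/pkg/<category>/<package>/CONTENTS`, and `verify_db` compares that CONTENTS file itself against a checksum kept off the machine, which is the extra reference a local-only database lacks. The `dir`/`obj` line layout is the real CONTENTS format; the file names, file bodies, mtime value and the temporary directory are constructed for the demo, and the "trusted" checksum is simply passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the thread, not qcheck's or Portage's own code).
# It reads a Portage CONTENTS file, whose lines look like
#   dir /bin
#   obj /bin/basename <md5> <mtime>
# and verifies each "obj" entry against the file on disk, then shows how a
# checksum kept off the box can vouch for the CONTENTS file itself.

# verify_contents CONTENTS ROOT
# Prints MISSING/MODIFIED lines for bad files plus a qcheck-style summary,
# and returns the number of bad files (0 = everything matched). Counts above
# 255 would wrap in the exit status; real package sizes are fine for a demo.
verify_contents() {
    vc_contents="$1"; vc_root="$2"; vc_bad=0; vc_total=0
    while read -r vc_type vc_path vc_md5 vc_mtime; do
        [ "$vc_type" = "obj" ] || continue      # dir/sym entries carry no md5
        vc_total=$((vc_total + 1))
        vc_file="$vc_root$vc_path"
        if [ ! -f "$vc_file" ]; then
            echo "MISSING $vc_path"; vc_bad=$((vc_bad + 1)); continue
        fi
        vc_actual=$(md5sum "$vc_file" | cut -d' ' -f1)
        if [ "$vc_actual" != "$vc_md5" ]; then
            echo "MODIFIED $vc_path"; vc_bad=$((vc_bad + 1))
        fi
    done < "$vc_contents"
    echo "$((vc_total - vc_bad)) out of $vc_total files are good"
    return "$vc_bad"
}

# verify_db CONTENTS TRUSTED_MD5
# The file check above trusts CONTENTS; this compares CONTENTS against a
# checksum stored somewhere the machine cannot rewrite (read-only media,
# another host). Returns 0 when the database is untouched.
verify_db() {
    vd_actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$vd_actual" = "$2" ]
}

# demo_setup: builds a constructed "installed package" under a temp dir and
# writes a matching CONTENTS file; prints the temp dir path. Hypothetical
# files and a made-up mtime, not a real system.
demo_setup() {
    ds_root=$(mktemp -d)
    mkdir -p "$ds_root/bin"
    printf 'hypothetical basename binary\n' > "$ds_root/bin/basename"
    printf 'hypothetical cat binary\n' > "$ds_root/bin/cat"
    {
        echo "dir /bin"
        for f in basename cat; do
            echo "obj /bin/$f $(md5sum "$ds_root/bin/$f" | cut -d' ' -f1) 1250000000"
        done
    } > "$ds_root/CONTENTS"
    echo "$ds_root"
}

# Run with "--demo" to see the whole flow: clean check, tampered file, tampered DB.
if [ "${1-}" = "--demo" ]; then
    d=$(demo_setup)
    trusted=$(md5sum "$d/CONTENTS" | cut -d' ' -f1)
    verify_contents "$d/CONTENTS" "$d"
    printf 'tampered\n' > "$d/bin/basename"
    verify_contents "$d/CONTENTS" "$d" || echo "file check caught it"
    echo "dir /tmp" >> "$d/CONTENTS"
    verify_db "$d/CONTENTS" "$trusted" || echo "database no longer matches off-box checksum"
    rm -rf "$d"
fi
```

The second function is the part qcheck does not have: on a Gentoo box the only copy of the expected checksums is the writable `/var/db/pkg` tree on the same disk, so a check that stops at `verify_contents` is only as trustworthy as that directory. Keeping a checksum (or a full copy) of each CONTENTS file on read-only media or another host gives you the cross-check that rpm gets from the distribution's servers.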

----------

## orange_juice

OK! Therefore ... (to sum up) ...

If someone is sure that python, gcc and rsync are not corrupted, he can reinstall Portage along with the packages that he suspects of corruption (using qcheck), in order to gain some time before he makes a clean install from scratch.

A minor disadvantage is that the databases of the programs in question cannot be verified for the integrity of their contents.

However, if this procedure provides a safe solution to avoid downtime or loss of work without burdening the intranet or extranet network until he reinstalls ... sounds great!

Kind regards,

orange_juice

----------

## Joseph_sys

I got similar result today on both of my systems.

```
cat /var/log/rkhunter.log |grep Warning
[00:33:03] Warning: Checking for prerequisites               [ Warning ]
[00:33:03] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[00:33:05] /usr/bin/ldd                                      [ Warning ]
[00:33:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[00:33:06] /usr/bin/whatis                                   [ Warning ]
[00:33:06] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[00:33:06] /usr/bin/lwp-request                              [ Warning ]
[00:33:06] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: perl script text executable
[00:34:30]   Checking for passwd file changes                [ Warning ]
[00:34:30] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[00:34:30]   Checking for group file changes                 [ Warning ]
[00:34:30] Warning: Unable to check for group file differences: no copy of the group file exists.
[00:34:31]   Checking for hidden files and directories       [ Warning ]
[00:34:31] Warning: Hidden directory found: /dev/.udev
```

Don't know what to think about it?

----------

## Azangod

 *Joseph_sys wrote:*   

> I got similar result today on both of my systems.
> 
> Don't know what to think about it?

As already said before, rkhunter (since the last version) stores hashes of some system files.

When upgrading your machine you have to call rkhunter --propupd to update rkhunter's hash DB.

If you didn't upgrade anything... well... something happened on your machine.

Oh! Some warnings are normal on Gentoo systems, such as:

```
[00:33:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[00:34:31]   Checking for hidden files and directories       [ Warning ]
[00:34:31] Warning: Hidden directory found: /dev/.udev
```

(don't remember all of them)
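An added example, not part of the thread and not rkhunter's own code, that applies the sorting described in the reply above to the Warning lines Joseph_sys quoted: the patterns the posters call normal on Gentoo (commands replaced by scripts, the /dev/.udev hidden directory) are set aside as benign, and every other explanatory Warning line is flagged for review, so an unfamiliar warning is never dropped silently. The sample log is copied from the thread; the benign list is an assumption drawn from this discussion, not an rkhunter whitelist, and it says nothing about whether the flagged lines are actually a problem.

```shell
#!/bin/sh
# Added example (not from the thread, not rkhunter's code): triage rkhunter.log
# Warning lines into ones the thread treats as normal on Gentoo and ones that
# still need a human look. Unknown messages always land in REVIEW.

# rkh_sample_log: constructed input, the lines quoted by Joseph_sys above.
# The bare "[ Warning ]" status lines are included to show they are skipped;
# only the "Warning: <message>" lines are classified.
rkh_sample_log() {
cat <<'EOF'
[00:33:05] /usr/bin/ldd                                      [ Warning ]
[00:33:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[00:33:06] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[00:33:06] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: perl script text executable
[00:34:30] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[00:34:30] Warning: Unable to check for group file differences: no copy of the group file exists.
[00:34:31]   Checking for hidden files and directories       [ Warning ]
[00:34:31] Warning: Hidden directory found: /dev/.udev
EOF
}

# triage_rkhunter_log < logfile
# Prints "BENIGN: <message>" or "REVIEW: <message>" for each explanatory
# Warning line and returns the number of REVIEW lines (0 = nothing to look at).
# The benign patterns are the ones this thread calls normal on Gentoo
# (assumption for the example, not an official rkhunter list).
triage_rkhunter_log() {
    tr_review=0
    while IFS= read -r tr_line; do
        case "$tr_line" in
            *"] Warning: "*) ;;            # "[hh:mm:ss] Warning: message"
            *) continue ;;                 # status lines, other output
        esac
        tr_msg=${tr_line#*"] Warning: "}
        case "$tr_msg" in
            "The command '/usr/bin/ldd' has been replaced by a script:"*|\
            "The command '/usr/bin/whatis' has been replaced by a script:"*|\
            "The command '/usr/bin/lwp-request' has been replaced by a script:"*|\
            "Hidden directory found: /dev/.udev")
                echo "BENIGN: $tr_msg" ;;
            *)
                echo "REVIEW: $tr_msg"; tr_review=$((tr_review + 1)) ;;
        esac
    done
    return "$tr_review"
}

# Run with "--demo" to triage the constructed sample; on a real box you would
# feed it: triage_rkhunter_log < /var/log/rkhunter.log
if [ "${1-}" = "--demo" ]; then
    rkh_sample_log | triage_rkhunter_log
    echo "warnings needing review: $?"
fi
```

The exit status doubles as a count, so a cron wrapper can alert only when it is non-zero. The triage does not replace the step the reply above describes: after a legitimate upgrade, `rkhunter --propupd` is what refreshes the stored file properties, and a benign-by-name match here is no evidence that the script at that path is the one the package installed.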

----------

## kernelOfTruth

 *orange_juice wrote:*   

> Thanks! qcheck seems to be a great tool!
> 
> Kind regards,
> 
> George Tantiras

++

----------

