
rkhunter warning meaning


François Patte

Nov 5, 2013, 9:20:02 AM11/5/13
Hello,

I have some warnings from rkhunter:


Warning: The file properties have changed:
File: /usr/sbin/rsyslogd
Current hash: 99fd3e8be4e7b9f553d52f6837eef50ebcebadc8
Stored hash : 2acece0875f8c6156c1f05df71e8c83c91dea2d0
Current inode: 523303 Stored inode: 523309
Current size: 522304 Stored size: 522400
Current file modification time: 1378296534 (04-sept.-2013 14:08:54)
Stored file modification time : 1374534377 (23-juil.-2013 01:06:17)
W


What do they mean?

Thank you.
--
François Patte
UFR de mathématiques et informatique
Laboratoire CNRS MAP5, UMR 8145
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 8394 5849
http://www.math-info.univ-paris5.fr/~patte


Darac Marjal

Nov 5, 2013, 9:30:03 AM11/5/13
On Tue, Nov 05, 2013 at 03:12:38PM +0100, François Patte wrote:
> Hello,
>
> I have some warnings from rkhunter:
>
>
> Warning: The file properties have changed:

Properties of the file have changed. In other words, not just the file
has changed, but information about the file has changed.

> File: /usr/sbin/rsyslogd

This is the file whose information has changed and to which the
following lines relate.

> Current hash: 99fd3e8be4e7b9f553d52f6837eef50ebcebadc8
> Stored hash : 2acece0875f8c6156c1f05df71e8c83c91dea2d0

A "hash" is a mathematical summary of the contents of a file. Hash
functions are typically chosen so that even a one bit change in a file
produces a significant change in the hash. It's not possible to
determine, from the hash itself, what the change was or how big it was,
but it is clearly possible to tell that the contents of the file have
changed.

The "Current hash" shows what the hash is for the file as it currently
resides on the disk. The "Stored hash" shows the hash of the file as it
was when you last updated rkhunter's database.

> Current inode: 523303 Stored inode: 523309

An inode is the entry in a filesystem where the properties of a file
(that is, everything EXCEPT the contents of the file and the file's
name(s)) are stored. So, the size of the file, where the contents of the
file are on disk, the permissions and so on. As before "Current" tells
you which inode is associated with "/usr/sbin/rsyslogd" now, and
"Stored" shows you which one was when rkhunter updated its database.

A change of inode MAY be caused by deletion and recreation of the file,
but it's possible there are other causes.

> Current size: 522304 Stored size: 522400

A file has a size. This has changed.

> Current file modification time: 1378296534 (04-sept.-2013 14:08:54)
> Stored file modification time : 1374534377 (23-juil.-2013 01:06:17)

This shows you when the file was last modified. This is PROBABLY
associated with the above changes, but there is no real guarantee of
that.

(Interestingly, I notice here that SOME of this information has been
translated into your locale (French?), but not all of it. That's
probably a bug :)

Joe

Nov 5, 2013, 3:10:02 PM11/5/13
On Tue, 05 Nov 2013 15:12:38 +0100
François Patte <francoi...@mi.parisdescartes.fr> wrote:

> Hello,
>
> I have some warnings from rkhunter:
>
>
> Warning: The file properties have changed:
> File: /usr/sbin/rsyslogd
> Current hash: 99fd3e8be4e7b9f553d52f6837eef50ebcebadc8
> Stored hash : 2acece0875f8c6156c1f05df71e8c83c91dea2d0
> Current inode: 523303 Stored inode: 523309
> Current size: 522304 Stored size: 522400
> Current file modification time: 1378296534 (04-sept.-2013
> 14:08:54) Stored file modification time : 1374534377 (23-juil.-2013
> 01:06:17) W
>
>
> What do they mean?
>
>

This is either exactly what you run rkhunter to find, or more likely,
you have just upgraded the rsyslog package. Before upgrading a system
with any kind of intrusion detection software, you need to run it to
check the system is clean first, then run it again after the upgrade
with the appropriate parameter (--propupd in the case of rkhunter) set.
This will update the detection database.

If you *haven't* just upgraded rsyslog, you should start hunting the
intruder... but you're probably OK. From my sid system:

joe@jresid:~$ ls -l /usr/sbin/rsyslogd
-rwxr-xr-x 1 root root 522304 Sep 4 13:08 /usr/sbin/rsyslogd
joe@jresid:~$ sha1sum /usr/sbin/rsyslogd
99fd3e8be4e7b9f553d52f6837eef50ebcebadc8 /usr/sbin/rsyslogd

--
Joe
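As an added illustration, not code from the thread or from rkhunter itself: a short Python script that records the same four properties Darac walked through (SHA-1 hash, inode, size, mtime), emits an rkhunter-style warning when they drift, and runs a constructed package-upgrade scenario like the one Joe describes. The temporary file, its contents and the use of UTC for the timestamps are assumptions of the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# The four properties reported in the rkhunter warning quoted in the thread.
def file_properties(path):
    st = os.stat(path)
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"hash": h.hexdigest(), "inode": st.st_ino,
            "size": st.st_size, "mtime": int(st.st_mtime)}

def fmt_mtime(epoch):
    # Epoch plus a readable form, rendered in UTC rather than the locale
    return f"{epoch} ({datetime.fromtimestamp(epoch, timezone.utc):%Y-%m-%d %H:%M:%S} UTC)"

def compare_properties(path, current, stored):
    """Return rkhunter-style warning lines for each property that differs,
    or an empty list when the stored baseline still matches the file."""
    if current == stored:
        return []
    lines = ["Warning: The file properties have changed:", f"File: {path}"]
    if current["hash"] != stored["hash"]:
        lines += [f"Current hash: {current['hash']}", f"Stored hash : {stored['hash']}"]
    if current["inode"] != stored["inode"]:
        lines.append(f"Current inode: {current['inode']} Stored inode: {stored['inode']}")
    if current["size"] != stored["size"]:
        lines.append(f"Current size: {current['size']} Stored size: {stored['size']}")
    if current["mtime"] != stored["mtime"]:
        lines += [f"Current file modification time: {fmt_mtime(current['mtime'])}",
                  f"Stored file modification time : {fmt_mtime(stored['mtime'])}"]
    return lines

def demo():
    """Constructed scenario: baseline (what --propupd records), upgrade, rescan."""
    path = os.path.join(tempfile.mkdtemp(), "rsyslogd")  # stand-in for /usr/sbin/rsyslogd
    with open(path, "wb") as f:
        f.write(b"old binary contents")
    os.utime(path, (1374534377, 1374534377))  # stored mtime from the thread
    stored = file_properties(path)
    os.remove(path)  # unpacking a new file usually (not always) yields a new inode
    with open(path, "wb") as f:
        f.write(b"new binary contents, slightly larger")
    os.utime(path, (1378296534, 1378296534))  # current mtime from the thread
    return compare_properties(path, file_properties(path), stored)
```

Running demo() prints nothing by itself; call it and join the returned lines to see the warning, which is empty only when every stored property still matches.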


Archive: http://lists.debian.org/20131105200...@jretrading.com