[Rkhunter-users] Identifying prelink dependencies
Brought to you by:
dogsbody
Menu
▾
▴
[Rkhunter-users] Identifying prelink dependencies
|
From: Angus M. <an...@po...> - 2012-02-14 13:54:17
|
I'm running rkhunter 1.3.8 on a CentOS 5.7 box.
Last night, rkhunter's regular run warned me that:
/bin/bash
/bin/csh
/bin/more
/bin/sh
/bin/tcsh
had all changed.
This isn't necessarily bad, because I'm actively configuring the box and
have been installing a lot of software. All rkhunter's other checks come
up clean.
I ran rkhunter --propupd, and now rkhunter tells me that it doesn't have
any hashes for the files in question, which I take to mean that they
haven't been prelinked. Checking with
prelink --verify --sha /bin/bash
reports that
at least one of file's dependencies has changed since prelinking
My question is: is there a way to find out which dependency has been
changed? If I knew why these warnings are coming up, that might help me
decide whether it's cause for alarm or not.
My secondary question is: does that particular combination of changed
files sound familiar to anyone? Is it a case of "Yeah, that'll happen,
don't worry about it", or "Ohmigod! It's the 5udd3nD34th rootkit! Run
screaming for the hills!"?
Thanks,
Angus
|