[Rkhunter-users] Identifying prelink dependencies
From: Angus M. <an...@po...> - 2012-02-14 13:54:17
I'm running rkhunter 1.3.8 on a CentOS 5.7 box. Last night, rkhunter's regular run warned me that:

    /bin/bash
    /bin/csh
    /bin/more
    /bin/sh
    /bin/tcsh

had all changed. This isn't necessarily bad, because I'm actively configuring the box and have been installing a lot of software. All rkhunter's other checks come up clean.

I ran rkhunter --propupd, and now rkhunter tells me that it doesn't have any hashes for the files in question, which I take to mean that they haven't been prelinked. Checking with

    prelink --verify --sha /bin/bash

reports that

    at least one of file's dependencies has changed since prelinking

My question is: is there a way to find out which dependency has been changed? If I knew why these warnings are coming up, that might help me decide whether it's cause for alarm or not.

My secondary question is: does that particular combination of changed files sound familiar to anyone? Is it a case of "Yeah, that'll happen, don't worry about it", or "Ohmigod! It's the 5udd3nD34th rootkit! Run screaming for the hills!"?

Thanks,
Angus