[Rkhunter-users] Warning: "has been replaced by a script"
From: Peter L. <pet...@gm...> - 2013-09-29 15:36:37
I am running rkhunter 1.4.0 on Ubuntu 11.4 (the latest version of Ubuntu that runs on my hardware). I run rkhunter with the following call:

    sudo rkhunter --check --rwo

and get the following returned:

    Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
    Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable
    Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text executable
    Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

I have Googled these messages and it appears they are quite common, but it is not clear whether they should be white listed or not. They are all ASCII files and all seem to be Perl text except for /bin/which, which appears to be Linux shell code. Most of the scripts say what they do.

/usr/sbin/adduser: a utility to add users to the system

/usr/bin/ldd: This file is part of the GNU C Library....This is the `ldd' command, which lists what shared libraries are used by given dynamically-linked executables. It works by invoking the run-time dynamic linker as a command and setting the environment variable LD_TRACE_LOADED_OBJECTS to a non-empty value.

/usr/bin/lwp-request: This program can be used to send requests to WWW servers and your local file system. The request content for POST and PUT methods is read from stdin. The content of the response is printed on stdout. Error messages are printed on stderr. The program returns a status value indicating the number of URLs that failed.

/sbin/chkconfig: Doesn't actually say what it does but is well commented throughout and elicits user input, with error messages in the main function.

/bin/which: Looks like shell code with no comments

My question is, which of these should be white listed or declared to be false positives?

Thanks,
Peter
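
Added example, not part of the original post and not rkhunter's own code: one way to triage these warnings on a dpkg-based system is to check each flagged file against the MD5 recorded by the package that owns it, and only then treat it as a candidate for SCRIPTWHITELIST in rkhunter.conf. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage rkhunter "replaced by a script" warnings with dpkg.

# Constructed sample: two warning lines in the format quoted in the post.
SAMPLE_WARNINGS="Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable"

# Read rkhunter output on stdin; print each flagged command path, one per line.
flagged_paths() {
    sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p"
}

# Compare a file with the MD5 recorded by the package that owns it.
# Returns 0 on match, 1 if unowned or mismatched, 2 if it cannot be checked.
verify_path() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    pkg=$(dpkg-query -S "$1" 2>/dev/null | sed -n '1s/: .*//p')
    [ -n "$pkg" ] || return 1
    sums=$(dpkg-query --control-path "$pkg" md5sums 2>/dev/null) || return 2
    [ -n "$sums" ] && [ -r "$sums" ] || return 2
    # md5sums entries use paths without the leading slash.
    want=$(awk -v f="${1#/}" '$2 == f { print $1; exit }' "$sums")
    [ -n "$want" ] || return 2
    have=$(md5sum "$1" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Print one verdict per flagged path; only verified files become
# whitelist candidates, everything else is left as a comment to follow up.
triage() {
    flagged_paths | while read -r p; do
        rc=0
        verify_path "$p" || rc=$?
        case $rc in
            0) echo "SCRIPTWHITELIST=$p" ;;
            1) echo "# INVESTIGATE $p (unowned or differs from package copy)" ;;
            *) echo "# UNCHECKED $p (no package checksum available)" ;;
        esac
    done
}

# Real use: sudo rkhunter --check --rwo | triage
printf '%s\n' "$SAMPLE_WARNINGS" | triage
```

The comparison trusts the local dpkg database, so on a host already suspected of compromise the checksums should come from a freshly downloaded copy of the package instead.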