Hello unSpawn,
thanks for the feedback.
Unfortunately, just before we ran rkhunter and got those positives, we had
also installed the r-fx network "les" tool, a tool that changes the
attributes of the main executables to make them available only to root. So
tripwire reported positives, since it checks file attributes, on all those
executables affected by the tool, which included those I am getting
positives for.
Rpm -V returns ".M...... /usr/bin/write", file mode change...
Thanks
>
>
> ----- Original Message -----
> From: "unspawn" <un...@ro...>
> To: "Carlito - Ps2Fantasy.com" <ca...@ps...>
> Cc: <rkh...@li...>
> Sent: Sunday, January 29, 2006 2:51 PM
> Subject: Re: [Rkhunter-users] RkHunter reports positives after patches
>
>
>> Hello Carlito,
>>
>> On Sun, 29 Jan 2006, Carlito - Ps2Fantasy.com wrote:
>>> We have a report on one server of some positives; the machine has rh9
>>> patched every time a new fedora legacy update comes out.
>>>
>>> These are the positives we are getting:
>>>
>>> /bin/dmesg [ BAD ]
>>> /bin/kill [ BAD ]
>>> /bin/login [ BAD ]
>>> /bin/mount [ BAD ]
>>
>> See if the util-linux rpm itself checks out fine (use "rpm -V util-linux"
>> or with -p and RPM from mirror).
>>
>> * If you already run a filesystem integrity checker like Aide, Samhain or
>> even tripwire (and you keep a copy of the database off-site) it would be
>> good to check, just to be sure.
>>
>>
>> Cheers, unSpawn
>>
>>
>
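Added example, not part of either message above: a small triage of "rpm -V" output that separates attribute-only changes, like the ".M......" line quoted in the reply, from changes to file content. Every sample line except the first is constructed, and the example paths are hypothetical.

```python
import re

# Columns of `rpm -V` output: S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P capabilities (9th column, newer rpm only).
CONTENT = set("S5")    # the file's bytes differ from the package
METADATA = set("MUGT") # only permissions, ownership or timestamp differ
LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
MISSING = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/.*)$")

def classify(line):
    """Return (path, verdict) for one rpm -V line, or None if it is not one."""
    line = line.strip()
    m = MISSING.match(line)
    if m:
        return m["path"], "missing"
    m = LINE.match(line)
    if not m:
        return None
    failed = set(m["flags"]) - {"."}
    if failed & CONTENT:
        # Edited config files are routine; changed binaries are not.
        return m["path"], "config" if m["attr"] == "c" else "content"
    if "?" in failed:
        # A test could not run (e.g. file unreadable to the calling user).
        return m["path"], "unverified"
    if failed and failed <= METADATA:
        return m["path"], "metadata"
    return m["path"], "other" if failed else "ok"

def triage(output):
    report = {}
    for line in output.splitlines():
        result = classify(line)
        if result:
            report.setdefault(result[1], []).append(result[0])
    return report

# First line is the one quoted in the message; the rest are constructed samples.
SAMPLE = """\
.M...... /usr/bin/write
S.5....T.  c /etc/example.conf
S.5....T.    /usr/bin/example-tool
..?......    /usr/bin/example-unreadable
missing     /usr/bin/example-gone
"""

if __name__ == "__main__":
    for verdict, paths in sorted(triage(SAMPLE).items()):
        print(f"{verdict:10} {', '.join(paths)}")
```

Paths reported as "metadata" still pass the size and digest checks against the RPM database; "unverified" paths need to be re-checked as root before drawing any conclusion.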