#23 Bad hashes on RHEL 3

Group: main
Status: closed
Owner: unSpawn
Priority: 5
Updated: 2007-05-11
Created: 2007-05-08
Creator: Rohit Gupta
Private: No

I installed RkHunter and it is giving errors on bad hashes:

/bin/cat [ BAD ]
/bin/chmod [ BAD ]
/bin/chown [ BAD ]
/bin/date [ BAD ]
/bin/dmesg [ BAD ]
/bin/env [ BAD ]
/bin/grep [ OK ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ BAD ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ BAD ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ BAD ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/head [ BAD ]
/usr/bin/kill [ BAD ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ BAD ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ BAD ]
/usr/bin/strings [ OK ]
/usr/bin/top [ OK ]
/usr/bin/users [ BAD ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ BAD ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ BAD ]
/usr/bin/who [ BAD ]
/usr/bin/whoami [ BAD ]
/usr/sbin/xinetd [ OK ]

Is it something really BAD for the box? Where does RKHunter get the hashes?

Most of them are linked to coreutils-4.5.3-28.1 and util-linux-2.11y-31.18

I found that /usr/local/rkhunter/lib/rkhunter/db/defaulthashes.dat contains the hash values for a specific distribution e.g for RedHat Enterprise the OS ID is 722.

Do we know where rkhunter gets the values for these hashes?

The version number of Redhat on the box is 2.4.21-47.ELsmp

Do you think the reason I am getting these errors is the newly released version of Redhat Enterprise Edition?

On another server where I am running coreutils-4.5.3-28, I don't see any errors from rkhunter.

-----------------------------------------

I have upgraded my versions of coreutils-4.5.3-28.1 and util-linux-2.11y-31.18 to

coreutils-4.5.3-28.4 and util-linux-2.11y-31.19

and this is what I get

[root@server RPMS]# rpm -qf `which more`
util-linux-2.11y-31.19

[root@server RPMS]# rpm -qf `which cat`
coreutils-4.5.3-28.4

-----------------------------------------

I ran:

rkhunter -c --createlogfile

[19:50:38] ---------------------------- MD5 hash tests ---------------------------
[19:50:38] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[19:50:38] /bin/cat Hash NOT valid (My MD5: c5953b025c1e9e3e7b6c14755d53093d, expected: 2a8b71a3501fe4d4c15db2b11c3c694b)
[19:50:38] Using whitelists to compare MD5 hash (searching for c5953b025c1e9e3e7b6c14755d53093d)
[19:50:38] No whitelisted MD5 hash found for /bin/cat
[19:50:38] MD5 hash for my file (/bin/cat) is c5953b025c1e9e3e7b6c14755d53093d, but is not in database
[19:50:38] End of whitelist compare
[19:50:38] Checking /bin/cat against hashes in database (2a8b71a3501fe4d4c15db2b11c3c694b) failed
[19:50:39] RPM info: your package 'coreutils-4.5.3-28.4'
[19:50:39] RPM info: packages in database:
[19:50:39] ---
[19:50:39] 722:/bin/cat:c5953b025c1e9e3e7b6c14755d53093d:-:-:coreutils-4.5.3-28.4
[19:50:39] ---

[19:50:39] /bin/dmesg Hash NOT valid (My MD5: 6608ea1ebe87a3948156528d5a96ee60, expected: fd9e9d463711ba3ae35aafcc9b0e3a77)
[19:50:39] Using whitelists to compare MD5 hash (searching for 6608ea1ebe87a3948156528d5a96ee60)
[19:50:39] No whitelisted MD5 hash found for /bin/dmesg
[19:50:39] MD5 hash for my file (/bin/dmesg) is 6608ea1ebe87a3948156528d5a96ee60, but is not in database
[19:50:39] End of whitelist compare
[19:50:39] Checking /bin/dmesg against hashes in database (fd9e9d463711ba3ae35aafcc9b0e3a77) failed
[19:50:39] RPM info: your package 'util-linux-2.11y-31.19'
[19:50:39] RPM info: packages in database:
[19:50:39] ---
[19:50:39] 722:/bin/dmesg:6608ea1ebe87a3948156528d5a96ee60:-:-:util-linux-2.11y-31.19
[19:50:39] ---

But I still get these errors. Do you think it is a false positive?

The version of rkhunter I am running is the latest, 1.2.9.

I also run chkrootkit and it doesn't complain about anything.

Any help would be really appreciated.
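As an added illustration (not rkhunter's own code, which the log above shows is a Perl script), the script below parses records in the osid:path:md5:-:-:package layout that rkhunter 1.2.9 printed from its database, hashes local files, and reports whether each file's MD5 is known for the installed package, known only under another package version, or absent. The OS ID, paths and package names come from this report; the file contents and database lines are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

OS_ID = "722"  # the RedHat Enterprise OS ID named in the report

def parse_hash_db(text):
    """Parse 'osid:path:md5:-:-:package' records (the layout rkhunter 1.2.9
    printed from its database) into {(osid, path): [(md5, package), ...]}."""
    db = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # skip blank, comment and malformed records
        db.setdefault((fields[0], fields[1]), []).append((fields[2], fields[5]))
    return db

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_file(db, osid, path, installed_pkg, root=""):
    """'OK' if the file's MD5 is listed for the installed package, 'KNOWN-OTHER-PACKAGE'
    if it is listed only under another package version, 'BAD' if it is absent."""
    actual = md5_of(root + path)
    packages = [pkg for md5, pkg in db.get((osid, path), []) if md5 == actual]
    if installed_pkg in packages:
        return "OK"
    return "KNOWN-OTHER-PACKAGE" if packages else "BAD"

def demo():
    """Constructed scenario: fake files in a temp root and a hand-built database (no real hashes)."""
    root = tempfile.mkdtemp()
    Path(root, "bin").mkdir()
    cat_bytes, dmesg_bytes = b"constructed cat 28.4\n", b"constructed dmesg 31.19\n"
    Path(root, "bin/cat").write_bytes(cat_bytes)
    Path(root, "bin/dmesg").write_bytes(dmesg_bytes)
    db = parse_hash_db("\n".join([
        f"{OS_ID}:/bin/cat:{hashlib.md5(cat_bytes).hexdigest()}:-:-:coreutils-4.5.3-28.4",
        f"{OS_ID}:/bin/cat:{hashlib.md5(b'older cat').hexdigest()}:-:-:coreutils-4.5.3-28",
        f"{OS_ID}:/bin/dmesg:{hashlib.md5(b'older dmesg').hexdigest()}:-:-:util-linux-2.11y-31.18",
    ]))
    return {
        "cat": check_file(db, OS_ID, "/bin/cat", "coreutils-4.5.3-28.4", root),
        "cat_old_pkg": check_file(db, OS_ID, "/bin/cat", "coreutils-4.5.3-28", root),
        "dmesg": check_file(db, OS_ID, "/bin/dmesg", "util-linux-2.11y-31.19", root),
    }
```

A "BAD" result here only means the hash is not in the database; as the reply below notes, the file should then be verified against the RPM it came from before concluding anything.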

Discussion

  • Rohit Gupta - 2007-05-08
    • priority: 5 --> 9

  • unSpawn - 2007-05-11

    ...and next to that:
    >Is it something really BAD for the box?
    Not if you can verify the files' integrity is OK against a (remote copy) of the RPM (rpm -qVv proto://path/name.rpm).

    >Where does RKHunter get the hashes?
    Hashes were collected from pristine OS installs.

    >I also run chkrootkit and it doesn't complain about anything?
    CRT doesn't run these tests.

    Regards, unSpawn

  • unSpawn - 2007-05-11

    Hello $RKH_TRACKER_SUBMITTER,

    Thanks for showing your support.

    In this case it would be better to first:
    - search the (accompanying or online) FAQ and
    - the (archives of the) rkhunter-users mailing list
    because this problem has been handled there extensively.
    For RKH 1.2.9 the temporary "fix" is to run "hashupd",
    which you can find at our SF D/L site; instructions are
    in the FAQ.

    *Please note that when hashupd says so, you should not
    submit your hashes or distro info to RKH's SF tracker, the
    rkhunter-users mailing list or me because we're moving
    towards RKH 1.3.0 in which this type of problem will
    not occur anymore.

    Regards, $RKH_TRACKER_HANDLER

  • unSpawn - 2007-05-11
    • priority: 9 --> 5
    • assigned_to: nobody --> unspawn
    • status: open --> pending

  • John Horne - 2007-05-11

    Closing call. I already emailed the user about this problem last Wednesday. Why they then decided to open a support request I don't know.

    John.

  • John Horne - 2007-05-11
    • status: pending --> closed