Posted by Hans-Henry Jakobsen
I’ve installed rkhunter, a rootkit-checking script, on an Ubuntu 7.10 (Gutsy Gibbon) system, and today it mailed me a message saying that 3 files had their properties changed. The files were /usr/bin/chattr, /usr/bin/lsattr and /usr/bin/perl.
Before doing anything I tried updating rkhunter with rkhunter --update to see whether a newer data file would clear the message, but the files still produced the warning. (It could not have helped: --update only refreshes rkhunter's own data files, while the stored file properties are a local baseline that rkhunter --propupd rewrites, and that is the right step only after the new files have been shown to be genuine.) Since I haven’t used Debian/Ubuntu systems much I had to find a way to determine whether these files had been tampered with. On a RedHat system I would have run rpm -V packagename to verify the installed files against the RPM database. Debian's closest equivalent is the debsums package, which checks the md5sums dpkg records under /var/lib/dpkg/info, but those sums sit on the same disk an intruder could have edited, so comparing against a freshly downloaded copy of the package is the more trustworthy check.
I found the package search at http://packages.ubuntu.com and entered the paths shown above in the “Search the contents of packages” box, which reports the package that ships each file. The result after searching for /usr/bin/chattr, /usr/bin/lsattr and /usr/bin/perl:
I downloaded the packages from the same website, checked the downloads with md5sum against the sums the site lists, and then used the ar command to unpack them. A checksum published next to the download only catches a corrupt transfer; it does not prove the package is genuine, since whoever can swap the .deb can swap the sum beside it. For an authenticity check, fetch the same package through apt instead (for example apt-get --download-only --reinstall install packagename), which validates it against the GPG-signed Release file.
ar -x package.deb
This leaves three files: debian-binary (the package format version), control.tar.gz and data.tar.gz. The first tarball holds the information dpkg needs to do a proper installation and configuration of the package; the second contains the binaries and data files. Run the command once per package, each in its own directory: every .deb uses the same three member names, so unpacking two in one place overwrites the first, and ar -x *.deb with more than one archive would treat the later file names as members to extract from the first one.
I then extracted data.tar.gz and wrote a little script that runs md5sum over each installed file and its packaged counterpart, so that a differing sum (which also implies a differing size or content) shows up immediately.
The md5sum script
#!/bin/bash
# Run this from the directory where data.tar.gz was extracted, so that
# usr/bin/chattr etc. are the packaged copies and /usr/bin/chattr etc. the installed ones.
: > md5sums.txt
for FILE in /usr/bin/chattr /usr/bin/lsattr /usr/bin/perl usr/bin/chattr usr/bin/lsattr usr/bin/perl
do
    md5sum "$FILE" >> md5sums.txt    # append; ">" would keep only the last file's sum
done
# Each installed file and its packaged copy should share one checksum, so three
# pairs give three distinct sums; more than three means at least one pair differs.
echo "If this number is larger than the number of file pairs compared (3), then something is fishy"
awk '{ print $1 }' md5sums.txt | sort | uniq | wc -l
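The same procedure as two reusable functions, written as an added example rather than the post's own script: one unpacks a .deb with the ar and tar steps described above, the other compares installed files with the packaged copies under any root directory and returns the number of mismatches, so it can be run against the live system or, as in the usage note, against test directories. The package names in the usage note (e2fsprogs, perl-base) are this example's assumption, since the search result above is not reproduced on the page.

```shell
#!/bin/sh
# Added example, not the original post's script. Nothing here downloads
# anything; the .debs are assumed to be on disk already.

# extract_deb PKG.deb OUTDIR
# Unpacks one .deb with the same ar + tar steps as the post. Every .deb
# carries the same member names (debian-binary, control.tar.*, data.tar.*),
# so each package gets its own directory; unpacking two into one directory
# would overwrite the first package's tarballs.
extract_deb() {
    case "$1" in /*) deb=$1 ;; *) deb="$PWD/$1" ;; esac
    mkdir -p "$2" && (
        cd "$2" && ar -x "$deb" && tar -xf data.tar.*   # GNU tar detects gz/xz/zst
    )
}

# hash_file PATH: prints the md5 of a file (the checksum the post uses).
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"              # BSD/macOS spelling of the same tool
    fi
}

# verify_files SYSROOT PKGROOT RELPATH...
# Compares SYSROOT/RELPATH with PKGROOT/RELPATH for each relative path
# (e.g. usr/bin/perl). Prints one line per file and returns the number of
# files that differ or are missing on either side, so the exit status is 0
# only when every installed file is byte-identical to the packaged copy.
verify_files() {
    sysroot=$1; pkgroot=$2; shift 2
    bad=0
    for rel in "$@"; do
        sys="$sysroot/$rel"; pkg="$pkgroot/$rel"
        if [ ! -f "$pkg" ]; then
            echo "MISSING  /$rel (not shipped in the extracted package)"
            bad=$((bad + 1))
        elif [ ! -f "$sys" ]; then
            echo "MISSING  /$rel (not present on the system)"
            bad=$((bad + 1))
        elif [ "$(hash_file "$sys")" = "$(hash_file "$pkg")" ]; then
            echo "OK       /$rel"
        else
            echo "MISMATCH /$rel installed=$(hash_file "$sys") packaged=$(hash_file "$pkg")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# On a real system (assumed package file names; run after downloading the .debs):
#   extract_deb e2fsprogs_*.deb pkg/e2fsprogs && extract_deb perl-base_*.deb pkg/perl-base
#   verify_files / pkg/e2fsprogs usr/bin/chattr usr/bin/lsattr
#   verify_files / pkg/perl-base usr/bin/perl
```

Because the comparison takes a root directory rather than assuming /, the same function also works on a disk image mounted read-only from a rescue system, which sidesteps the problem that any check run on the live machine trusts the kernel it is running under.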
Luckily my system files had the same md5sum as the files extracted from the downloaded packages. That shows these three files match what Ubuntu ships; it does not prove the system as a whole is clean, and any check run from the live system trusts the kernel it runs on. The warnings below are also what an ordinary package upgrade looks like: inode, size and hash changed together, and the timestamps (epoch seconds, which date -d @1197053992 converts) show the stored values are from September 2007, before the Gutsy release, while the current ones are from early December 2007. /var/log/dpkg.log should list the corresponding upgrades of the packages that own these files; once that checks out, rkhunter --propupd records the new properties so the warning stops.
The script can be downloaded here
The warning message from rkhunter
Warning: The file properties have changed:
File: /usr/bin/chattr
Current hash: 4703e5adba10128a0abbc036cefae73f754db142
Stored hash : 2502e2f117415f56cd64568b042a91dd3ef79b80
Current inode: 1735115 Stored inode: 1733967
Current size: 7228 Stored size: 7296
Current file modification time: 1197053992
Stored file modification time : 1189103575
Warning: The file properties have changed:
File: /usr/bin/lsattr
Current hash: c3eba9c1952ccf894f8f71b999b081fe5ad5f4de
Stored hash : 4ba9ee6cb8455509347059f7917ef7ed4bab6891
Current inode: 1735124 Stored inode: 1734372
Current size: 6000 Stored size: 6068
Current file modification time: 1197053992
Stored file modification time : 1189103575
Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 9c4d220d96fbaf9aaedbe4e034a767e8d510d7f6
Stored hash : 155faff21807a6ad3687806ba7737223cd56ac68
Current inode: 1733338 Stored inode: 1733472
Current size: 1078128 Stored size: 1078160
Current file modification time: 1196759924
Stored file modification time : 1191046830
Tags: ar, bash, chattr, Debian, gutsy gibbons, lsattr, perl, rkhunter, Ubuntu