msgbartop
A chronological documentation test project, nothing serious, really!
msgbarbottom

18 Dec 2007 Determine false positive from rkhunter

Posted by

I’ve installed rkhunter, a rootkit checking script, on a Ubuntu 7.10 (Gutsy Gibbons) distro and today it mailed a message saying that 3 files had their properties changed. The files were /usr/bin/chattr, /usr/bin/lsattr and /usr/bin/perlBefore doing anything I tried to update rkhunter to see if there had been any updates to fix this message rkhunter --update but the files were still giving a error warning. Since I haven’t used Debian/Ubuntu systems much I had to find a way to determine if these files had been tampered with. If this had been a RedHat system I would have run the command rpm -V packagename to verify if a package has been tampered with.I found the package list at http://packages.ubuntu.com and entered the program paths I’ve shown above in the “Search the contents of packages” search box. The result after the search for /usr/bin/chattr, /usr/bin/lsattr and /usr/bin/perl

       

  • /usr/bin/chattr was in the package base/e2fsprogs
  •    

  • /usr/bin/lsattr was in the package base/e2fsprogs
  •    

  • /usr/bin/perl was in the package base/perl-base

Downloaded the packages from the same website and verified the downloads using md5sum and then used the ar command to unpack/extract the files.

ar -x *.deb

This will give two tarballs control.tar.gz and data.tar.gz. The first is the information dpkg needs to do a proper installation and configuration of the package, the second contains the binaries and data files.When I extracted the tarball named data.tar.gz and wrote a little script using md5sum on each of the files to determine that all files were valid with the correct size, sum etc.The md5sum script

#!/bin/bash# This script have to be run from the path you extracted the debian packagefor FILE in " /usr/bin/chattr /usr/bin/lsattr /usr/bin/perl usr/bin/chattr usr/bin/lsattr usr/bin/perl"do        md5sum $FILE > md5sums.txtdoneecho If this number is larger than the amount of files compared, then something is fishyecho `awk -F " " '{ print $1 }'< md5sums.txt | sort | uniq | wc -l`

Luckily my system files had the same md5sum as the files extracted from the downloaded package. This proves that my system was not compromised, at least not these files anyway.The script can be downloaded hereThe error message from rkhunter

Warning: The file properties have changed:         File: /usr/bin/chattr         Current hash: 4703e5adba10128a0abbc036cefae73f754db142         Stored hash : 2502e2f117415f56cd64568b042a91dd3ef79b80         Current inode: 1735115    Stored inode: 1733967         Current size: 7228    Stored size: 7296         Current file modification time: 1197053992         Stored file modification time : 1189103575Warning: The file properties have changed:         File: /usr/bin/lsattr         Current hash: c3eba9c1952ccf894f8f71b999b081fe5ad5f4de         Stored hash : 4ba9ee6cb8455509347059f7917ef7ed4bab6891         Current inode: 1735124    Stored inode: 1734372         Current size: 6000    Stored size: 6068         Current file modification time: 1197053992         Stored file modification time : 1189103575Warning: The file properties have changed:         File: /usr/bin/perl         Current hash: 9c4d220d96fbaf9aaedbe4e034a767e8d510d7f6         Stored hash : 155faff21807a6ad3687806ba7737223cd56ac68         Current inode: 1733338    Stored inode: 1733472         Current size: 1078128    Stored size: 1078160         Current file modification time: 1196759924         Stored file modification time : 1191046830

Tags: , , , , , , , ,

Comments are closed.