Results 1 to 6 of 6
  1. #1

    RKHUNTER and MD5 Incorrect

    Hello

    I installed rkhunter 1.2.8 and get a lot of problem

    First when I run it rkhunter -c I get

    problem is like this

    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/bin/w: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/bin/w: at least one of file's dependencies has changed since prelinking
    /usr/bin/w [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/bin/whereis: at least one of file's dependencies has changed since prelinking
    /usr/bin/whereis [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/bin/which: at least one of file's dependencies has changed since prelinking
    /usr/bin/which [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/bin/who: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/bin/who: at least one of file's dependencies has changed since prelinking
    /usr/bin/who [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/sbin/chroot: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/sbin/chroot: at least one of file's dependencies has changed since prelinking
    /usr/sbin/chroot [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/sbin/useradd: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/sbin/useradd: at least one of file's dependencies has changed since prelinking
    /usr/sbin/useradd [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/sbin/vipw: at least one of file's dependencies has changed since prelinking
    /usr/sbin/vipw [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
    /usr/sbin/prelink: /usr/sbin/xinetd: at least one of file's dependencies has changed since prelinking
    /usr/sbin/xinetd [ BAD ]


    in the first

    then enter and everything is [Ok]

    Then enter and everything is [ Clean ]

    Then enter everything is [ Ok ]

    Then enter and I get

    * Allround tests
    Checking hostname... Found. Hostname is hostname ****
    Checking for passwordless user accounts... OK
    Checking for differences in user accounts... OK. No changes.
    Checking for differences in user groups... OK. No changes.
    Checking boot.local/rc.local file...
    - /etc/rc.local [ OK ]
    - /etc/rc.d/rc.local [ OK ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    - /etc/conf.d/local.start [ Not found ]
    - /etc/init.d/boot.local [ Not found ]
    Checking rc.d files...
    Processing........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ....................
    Result rc.d files check [ OK ]
    Checking history files
    Bourne Shell [ OK ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ Warning! ]
    ---------------
    /etc/.pwd.lock
    /etc/.whostmgrft
    /etc/.fstab.swp
    /etc/.demousers
    /etc/.demodomains
    ---------------
    Please inspect: /etc/.fstab.swp (\<head HTML document text)



    Then enter

    Application advisories
    * Application scan
    Checking Apache2 modules ... [ Not found ]
    Checking Apache configuration ... [ OK ]

    * Application version scan
    - Exim MTA 4.52 [ OK ]
    - GnuPG 1.2.3 [ Old or patched version ]
    - Apache [unknown] [ OK ]
    - Bind DNS 9.2.2-P3 [ Unknown ]
    - OpenSSL 0.9.7a [ Old or patched version ]
    - PHP 4.4.3 [ Unknown ]
    - PHP 4.4.3 [ Unknown ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Old or patched version ]


    then scan result

    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 85
    Incorrect MD5 checksums: 50

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Vulnerable applications: 3

    Scanning took 288 seconds

    and when I open /var/log/rkhunter.log

    /usr/local/bin/rkhunter --cronjob --report-warnings-only


    [21:20:14] ---------------------------- MD5 hash tests -------------------------
    --
    [21:20:14] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/
    filehashmd5.pl)
    [21:20:14] Found cache file of prelinked files
    [21:20:14] Using prelink binary: /usr/sbin/prelink
    [21:20:14] /bin/cat Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e, ex
    pected: a45803dea41b624f2076f5fb70afeb16)
    [21:20:14] /bin/cat Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e, ex
    pected: b718b6ae81bdd11d9a8a0fe89a27c6b7)
    [21:20:14] Using whitelists to compare MD5 hash (searching for d41d8cd98f00b204e
    9800998ecf8427e)
    [21:20:15] No whitelisted MD5 hash found for /bin/cat
    [21:20:15] MD5 hash for my file (/bin/cat) is d41d8cd98f00b204e9800998ecf8427e,
    but is not in database
    [21:20:15] End of whitelist compare
    [21:20:15] Checking /bin/cat against hashes in database (a45803dea41b624f2076f5f
    b70afeb16
    b718b6ae81bdd11d9a8a0fe89a27c6b7) failed
    [21:20:15] RPM info: your package 'coreutils-5.0-34.1'
    [21:20:15] RPM info: packages in database: coreutils-5.0-34.1
    [21:20:15] ---
    [21:20:15] 118:/bin/cat:d41d8cd98f00b204e9800998ecf8427e:-:-:coreutils-5.0-34.1
    [21:20:15] ---
    [21:20:15] /bin/chown Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e,
    expected: 87229374ff3e4bcba96ee7c90bc8e95b)
    [21:20:15] /bin/chown Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e,
    expected: ee1d6ebb32d6beebfb356641ce2ce29e)
    [21:20:15] Using whitelists to compare MD5 hash (searching for d41d8cd98f00b204e
    9800998ecf8427e)
    [21:20:15] No whitelisted MD5 hash found for /bin/chown
    [21:20:15] MD5 hash for my file (/bin/chown) is d41d8cd98f00b204e9800998ecf8427e
    , but is not in database
    [21:20:15] End of whitelist compare
    [21:20:15] Checking /bin/chown against hashes in database (87229374ff3e4bcba96ee
    7c90bc8e95b
    ee1d6ebb32d6beebfb356641ce2ce29e) failed
    [21:20:15] RPM info: your package 'coreutils-5.0-34.1'
    [21:20:15] RPM info: packages in database:
    coreutils-5.0-34.1
    [21:20:15] ---
    [21:20:15] 118:/bin/chown:d41d8cd98f00b204e9800998ecf8427e:-:-:coreutils-5.0-34.
    1


    and a lot like this

    is that mean my server is hacked ???

    My kernel 2.4.22-1.2199.nptl

    with cpanel

    please help me

  2. #2
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    Looks a scarry one. Which distro is this ? Michael of rootkit.nl earlier have confirmed that redhat 9 has some known problem as that reports incorrect md5sums.
    ESC :wq!

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Pretty normal if your prelinking got broken. run this and rerun rkhunter:

    /usr/sbin/prelink -avmR
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    FYI:

    My kernel 2.4.22-1.2199.nptl
    Exploitable upgrade it.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,588
    Steven is : 2.4.21-40.ELsmp and 2.4.21-47.ELsmp exploitables ?



    Thanks.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
    Italy, France, Germany,Netherlands, Switzerland, Rissia, Singapore | OpenVPN/PPTP Enabled
    INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    2.4.21-40.ELsmp = yes
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •