Thread: RKHUNTER and MD5 Incorrect
-
08-31-2006, 02:23 PM #1 WHT Addict
- Join Date
- Apr 2004
- Posts
- 149
RKHUNTER and MD5 Incorrect
Hello,
I installed rkhunter 1.2.8 and get a lot of problems.
First, when I run rkhunter -c I get
a problem like this:
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/bin/w: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/bin/w: at least one of file's dependencies has changed since prelinking
/usr/bin/w [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/bin/whereis: at least one of file's dependencies has changed since prelinking
/usr/bin/whereis [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/bin/which: at least one of file's dependencies has changed since prelinking
/usr/bin/which [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/bin/who: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/bin/who: at least one of file's dependencies has changed since prelinking
/usr/bin/who [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/sbin/chroot: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/sbin/chroot: at least one of file's dependencies has changed since prelinking
/usr/sbin/chroot [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/sbin/useradd: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/sbin/useradd: at least one of file's dependencies has changed since prelinking
/usr/sbin/useradd [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/sbin/vipw: at least one of file's dependencies has changed since prelinking
/usr/sbin/vipw [ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.2.so has dependency cycle
/usr/sbin/prelink: /usr/sbin/xinetd: at least one of file's dependencies has changed since prelinking
/usr/sbin/xinetd [ BAD ]
in the first section.
Then I press Enter and everything is [ OK ].
Then Enter and everything is [ Clean ].
Then Enter and everything is [ OK ].
Then Enter and I get:
* Allround tests
Checking hostname... Found. Hostname is hostname ****
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.whostmgrft
/etc/.fstab.swp
/etc/.demousers
/etc/.demodomains
---------------
Please inspect: /etc/.fstab.swp (<head HTML document text)
Then Enter:
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.52 [ OK ]
- GnuPG 1.2.3 [ Old or patched version ]
- Apache [unknown] [ OK ]
- Bind DNS 9.2.2-P3 [ Unknown ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.4.3 [ Unknown ]
- PHP 4.4.3 [ Unknown ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Old or patched version ]
Then the scan result:
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 85
Incorrect MD5 checksums: 50
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 3
Scanning took 288 seconds
And when I open /var/log/rkhunter.log:
/usr/local/bin/rkhunter --cronjob --report-warnings-only
[21:20:14] ---------------------------- MD5 hash tests ---------------------------
[21:20:14] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[21:20:14] Found cache file of prelinked files
[21:20:14] Using prelink binary: /usr/sbin/prelink
[21:20:14] /bin/cat Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e, expected: a45803dea41b624f2076f5fb70afeb16)
[21:20:14] /bin/cat Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e, expected: b718b6ae81bdd11d9a8a0fe89a27c6b7)
[21:20:14] Using whitelists to compare MD5 hash (searching for d41d8cd98f00b204e9800998ecf8427e)
[21:20:15] No whitelisted MD5 hash found for /bin/cat
[21:20:15] MD5 hash for my file (/bin/cat) is d41d8cd98f00b204e9800998ecf8427e, but is not in database
[21:20:15] End of whitelist compare
[21:20:15] Checking /bin/cat against hashes in database (a45803dea41b624f2076f5fb70afeb16
b718b6ae81bdd11d9a8a0fe89a27c6b7) failed
[21:20:15] RPM info: your package 'coreutils-5.0-34.1'
[21:20:15] RPM info: packages in database: coreutils-5.0-34.1
[21:20:15] ---
[21:20:15] 118:/bin/cat:d41d8cd98f00b204e9800998ecf8427e:-:-:coreutils-5.0-34.1
[21:20:15] ---
[21:20:15] /bin/chown Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e, expected: 87229374ff3e4bcba96ee7c90bc8e95b)
[21:20:15] /bin/chown Hash NOT valid (My MD5: d41d8cd98f00b204e9800998ecf8427e, expected: ee1d6ebb32d6beebfb356641ce2ce29e)
[21:20:15] Using whitelists to compare MD5 hash (searching for d41d8cd98f00b204e9800998ecf8427e)
[21:20:15] No whitelisted MD5 hash found for /bin/chown
[21:20:15] MD5 hash for my file (/bin/chown) is d41d8cd98f00b204e9800998ecf8427e, but is not in database
[21:20:15] End of whitelist compare
[21:20:15] Checking /bin/chown against hashes in database (87229374ff3e4bcba96ee7c90bc8e95b
ee1d6ebb32d6beebfb356641ce2ce29e) failed
[21:20:15] RPM info: your package 'coreutils-5.0-34.1'
[21:20:15] RPM info: packages in database: coreutils-5.0-34.1
[21:20:15] ---
[21:20:15] 118:/bin/chown:d41d8cd98f00b204e9800998ecf8427e:-:-:coreutils-5.0-34.1
And a lot more like this.
Does that mean my server is hacked???
My kernel is 2.4.22-1.2199.nptl,
with cPanel.
Please help me.
-
09-01-2006, 08:26 AM #2 Web Hosting Evangelist
- Join Date
- Oct 2004
- Location
- India
- Posts
- 509
Looks like a scary one. Which distro is this? Michael of rootkit.nl earlier has confirmed that Red Hat 9 has some known problem that reports incorrect md5sums.
-
09-01-2006, 10:06 AM #3 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Pretty normal if your prelinking got broken. Run this and rerun rkhunter:
/usr/sbin/prelink -avmR
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
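An added triage helper for the log quoted in the first post and the fix given above (example code written for this thread, not rkhunter's or prelink's own). The "My MD5" value d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes, i.e. the checker hashed empty output because prelink could not undo the binary, which matches the "dependencies has changed since prelinking" errors and is a broken-prelink symptom rather than proof of tampering; a genuinely modified binary reports a different, non-empty digest. It assumes the log line format shown in the thread and that `prelink -y` (print the un-prelinked file to stdout) is available on the host.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): triage rkhunter "Hash NOT valid"
# log lines from a prelinked system, as in the log quoted in this thread.
# A reported MD5 of d41d8cd98f00b204e9800998ecf8427e is the digest of zero
# bytes: the checker hashed empty output because prelink could not undo the
# binary, a broken-prelink symptom rather than evidence of tampering.

# Digest of zero bytes, computed rather than hard-coded.
EMPTY_MD5=$(printf '' | md5sum | cut -d' ' -f1)

# classify_line 'LOGLINE'
# Prints: prelink-broken  (own hash is the empty-input digest)
#         real-mismatch   (own hash is a genuine, different digest: investigate)
#         ok              (line is not a hash failure)
classify_line() {
    case "$1" in
        *"Hash NOT valid"*)
            mine=$(printf '%s\n' "$1" |
                   sed -n 's/.*My MD5: \([0-9a-f]\{32\}\).*/\1/p')
            if [ "$mine" = "$EMPTY_MD5" ]; then
                echo prelink-broken
            else
                echo real-mismatch
            fi
            ;;
        *)
            echo ok
            ;;
    esac
}

# unprelinked_md5 FILE
# MD5 of the file as it was before prelinking: `prelink -y` writes the
# un-prelinked image to stdout (assumed available on a prelinked host).
# If prelink is absent or the file is not prelinked, hash the file as-is.
unprelinked_md5() {
    if command -v prelink >/dev/null 2>&1 &&
       prelink -y "$1" >/dev/null 2>&1; then
        prelink -y "$1" | md5sum | cut -d' ' -f1
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# triage_log LOGFILE: print every hash failure with its classification.
# Constructed usage: triage_log /var/log/rkhunter.log
triage_log() {
    while IFS= read -r line; do
        r=$(classify_line "$line")
        [ "$r" = ok ] || printf '%s %s\n' "$r" "$line"
    done < "$1"
}
```

After running the prelink fix above, compare unprelinked_md5 of a flagged binary against the checksum recorded by the package manager; any line still classified real-mismatch deserves a closer look.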
-
09-01-2006, 10:07 AM #4 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
FYI:
Quote: My kernel 2.4.22-1.2199.nptl
-
09-03-2006, 06:17 AM #5 Quality Web Hosting Matters
- Join Date
- Mar 2006
- Location
- Servers
- Posts
- 1,590
Steven, are 2.4.21-40.ELsmp and 2.4.21-47.ELsmp exploitable?
Thanks.
█ QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
█ Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
█ Italy, France, Germany, Netherlands, Switzerland, Russia, Singapore | OpenVPN/PPTP Enabled
█ INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard
-
09-03-2006, 11:55 AM #6 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
2.4.21-40.ELsmp = yes