[opensuse] oS 13.1 : rkhunter warnings
Hello List
- further, rkhunter mails to root :
" Please inspect this machine, because it may be infected."
...............................
rkhunter produces these warnings : ____________________
"Warning: Package manager verification has failed:
File: /etc/rkhunter.conf
The file hash value has changed
The file size has changed
The file modification time has changed"
.............
- are there legitimate reasons why above changes have taken place . . . could this be a false alarm ?
thanks
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, Dec 04, 2013 at 12:13:05PM +0200, ellanios82 wrote:
Hello List
- further, rkhunter mails to root :
" Please inspect this machine, because it may be infected."
...............................
rkhunter produces these warnings : ____________________
"Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed"
.............
- are there legitimate reasons why above changes have taken place . . . could this be a false alarm ?
If you edited this specific configuration file, it is not a problem.
Ciao, Marcus
On 12/04/2013 02:44 PM, Marcus Meissner wrote:
On Wed, Dec 04, 2013 at 12:13:05PM +0200, ellanios82 wrote:
Hello List
- further, rkhunter mails to root :
" Please inspect this machine, because it may be infected."
...............................
rkhunter produces these warnings : ____________________
"Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed"
.............
- are there legitimate reasons why above changes have taken place . . . could this be a false alarm ?
If you edited this specific configuration file, it is not a problem.
Thank you Marcus : perhaps it is a problem : because 'midnight commander' shows date November 27 , as file-date [presumably when last altered ?
..............
thank you
On 12/04/2013 02:44 PM, Marcus Meissner wrote:
On Wed, Dec 04, 2013 at 12:13:05PM +0200, ellanios82 wrote:
Hello List
- further, rkhunter mails to root :
" Please inspect this machine, because it may be infected."
...............................
rkhunter produces these warnings : ____________________
"Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed"
.............
- are there legitimate reasons why above changes have taken place . . . could this be a false alarm ?
If you edited this specific configuration file, it is not a problem.
Thank you Marcus : perhaps it is a problem : because 'midnight commander' shows date November 27 , as file-date [presumably when last altered ?
............
the full output i am getting is :
" Warning: Package manager verification has failed:
File: /etc/rkhunter.conf
The file hash value has changed
The file size has changed
The file modification time has changed
Warning: The SSH configuration option 'Protocol' has not been set. The default value may be '2,1', to allow the use of protocol version 1.
Warning: Suspicious file types found in /dev:
/dev/shm/com.google.Chrome.shmem.A2128B79EDC81A503E4CD6DE6DBE0741C3663744._service_shmem: data
Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev' "
...................
thank you
On 04/12/13 16:06, ellanios82 wrote:
the full output i am getting is :
" Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed Warning: The SSH configuration option 'Protocol' has not been set. The default value may be '2,1', to allow the use of protocol version 1.
I see this thing is even more retarded than I thought.. there is no need to set Protocol, defaults to 2.
Warning: Suspicious file types found in /dev:
/dev/shm/com.google.Chrome.shmem.A2128B79EDC81A503E4CD6DE6DBE0741C3663744._service_shmem:
the chrome browser is using POSIX shared memory objects..
data Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev' "
that is also expected.
On 12/05/2013 04:23 AM, Cristian Rodríguez wrote:
On 04/12/13 16:06, ellanios82 wrote:
the full output i am getting is :
" Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed Warning: The SSH configuration option 'Protocol' has not been set. The default value may be '2,1', to allow the use of protocol version 1.
I see this thing is even more retarded than I thought.. there is no need to set Protocol, defaults to 2.
Warning: Suspicious file types found in /dev:
/dev/shm/com.google.Chrome.shmem.A2128B79EDC81A503E4CD6DE6DBE0741C3663744._service_shmem:
the chrome browser is using POSIX shared memory objects..
data Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev' "
that is also expected.
- Thank you, Cristian . . . Is it to be expected that :
"File: /etc/rkhunter.conf
The file hash value has changed
The file size has changed
The file modification time has changed "
...............
rkhunter warns about these changes to rkhunter.conf each and every time . . . is that to be expected ?
thanks
On Thu, Dec 05, 2013 at 09:41:35AM +0200, ellanios82 wrote:
On 12/05/2013 04:23 AM, Cristian Rodríguez wrote:
On 04/12/13 16:06, ellanios82 wrote:
the full output i am getting is :
" Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed Warning: The SSH configuration option 'Protocol' has not been set. The default value may be '2,1', to allow the use of protocol version 1.
I see this thing is even more retarded than I thought.. there is no need to set Protocol, defaults to 2.
Warning: Suspicious file types found in /dev:
/dev/shm/com.google.Chrome.shmem.A2128B79EDC81A503E4CD6DE6DBE0741C3663744._service_shmem:
the chrome browser is using POSIX shared memory objects..
data Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev' "
that is also expected.
- Thank you, Cristian
. . . Is it to be expected that :
"File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed "
...............
rkhunter warns about these changes to rkhunter.conf each and every time . . .
is that to be expected ?
If you edited rkhunter.conf yourself, YES, it is expected.
Ciao, Marcus
On 12/05/2013 10:27 AM, Marcus Meissner wrote:
On Thu, Dec 05, 2013 at 09:41:35AM +0200, ellanios82 wrote:
On 12/05/2013 04:23 AM, Cristian Rodríguez wrote:
On 04/12/13 16:06, ellanios82 wrote:
the full output i am getting is :
" Warning: Package manager verification has failed: File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed Warning: The SSH configuration option 'Protocol' has not been set. The default value may be '2,1', to allow the use of protocol version 1.
I see this thing is even more retarded than I thought.. there is no need to set Protocol, defaults to 2.
Warning: Suspicious file types found in /dev:
/dev/shm/com.google.Chrome.shmem.A2128B79EDC81A503E4CD6DE6DBE0741C3663744._service_shmem:
the chrome browser is using POSIX shared memory objects..
data Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev' "
that is also expected.
- Thank you, Cristian
. . . Is it to be expected that :
"File: /etc/rkhunter.conf The file hash value has changed The file size has changed The file modification time has changed "
...............
rkhunter warns about these changes to rkhunter.conf each and every time . . .
is that to be expected ?
If you edited rkhunter.conf yourself, YES, it is expected.
Thank you Marcus,
- but NO : i have not edited, nor changed rkhunter.conf
- yet each and every time i run rkhunter i receive output :
"File: /etc/rkhunter.conf
The file hash value has changed
The file size has changed
The file modification time has changed "
.................
thanks
On 05/12/2013 10:05, ellanios82 wrote:
- but NO : i have not edited, nor changed rkhunter.conf - yet each and every time i run rkhunter i receive output :
did you manually check these values? I mean were these files changed once or are they changed from a boot to the next?
just my 2cts
jdd
--
http://www.dodin.org
On 12/05/2013 11:21 AM, jdd wrote:
On 05/12/2013 10:05, ellanios82 wrote:
- but NO : i have not edited, nor changed rkhunter.conf - yet each and every time i run rkhunter i receive output :
did you manually check these values? I mean were these files changed once or are they changed from a boot to the next?
just my 2cts
_________
- what i did was to look at " ls -la " like :
ls -la /etc/rkhunter.conf
-rw-r----- 1 root root 40962 Nov 27 23:37 /etc/rkhunter.conf
.............
this shows November 27 as last time file changed, yet each time i run rkhunter same warning appears :
File: /etc/rkhunter.conf
The file hash value has changed
The file size has changed
The file modification time has changed
..................
thank you
On 05/12/2013 10:29, ellanios82 wrote:
- what i did was to look at " ls -la " like :
ls -la /etc/rkhunter.conf
-rw-r----- 1 root root 40962 Nov 27 23:37 /etc/rkhunter.conf
.............
this shows November 27 as last time file changed, yet each time i run rkhunter same warning appears :
yes, so the warning is always for the same unique problem. pretty normal.
it should be easy to look in the file and see what is the change (comparing it to the one in the rpm).
it looks normal that a config file be adapted to your config. But I guess that rkhunter has a way to accept new files?
may be a small bug (change to a file without re recording it)?
jdd
--
http://www.dodin.org
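Added example, not part of any message in this thread: a small decoder for one line of `rpm -V` output, showing which attributes of a packaged file differ from the RPM database (the comparison "to the one in the rpm" suggested above). It assumes rkhunter's "Package manager verification" on openSUSE is backed by the RPM database; the function names are hypothetical and the sample lines are constructed, not taken from the poster's machine.

```shell
#!/bin/sh
# decode_rpm_verify LINE
# LINE is one line of `rpm -V` output, e.g. "S.5....T.  c /etc/rkhunter.conf".
# Field 1 holds one character per test: S=size, M=mode, 5=digest,
# U=owner, G=group, T=mtime; "." means the test passed.
# Assumption: the path contains no spaces.
decode_rpm_verify() {
    line=$1
    flags=${line%% *}      # first word: the test-result characters
    path=${line##* }       # last word: the file path
    case $line in
        missing*) printf '%s: missing\n' "$path"; return 0 ;;
    esac
    out=
    case $flags in S*)         out="$out size"   ;; esac
    case $flags in ?M*)        out="$out mode"   ;; esac
    case $flags in ??5*)       out="$out digest" ;; esac
    case $flags in ?????U*)    out="$out owner"  ;; esac
    case $flags in ??????G*)   out="$out group"  ;; esac
    case $flags in ???????T*)  out="$out mtime"  ;; esac
    # A "c" marker between flags and path means the file is a %config file.
    case $line in *" c "*) kind=config ;; *) kind=file ;; esac
    printf '%s (%s):%s\n' "$path" "$kind" "${out:- unchanged}"
}

# check_file PATH: verify the package that owns PATH and decode only the
# line for PATH itself (rpm -Vf reports on every file in that package).
check_file() {
    rpm -Vf "$1" 2>/dev/null | while IFS= read -r l; do
        case $l in *" $1") decode_rpm_verify "$l" ;; esac
    done
}

# Constructed sample lines matching the two warning sets quoted in the thread.
decode_rpm_verify 'S.5....T.  c /etc/rkhunter.conf'
decode_rpm_verify '.......T.  c /etc/rkhunter.conf'
```

On a real system, `check_file /etc/rkhunter.conf` gives the live result. The RPM database keeps the packaged size, digest and mtime until the package itself is reinstalled or updated, so an edited `%config` file is reported on every verification.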
On 12/05/2013 12:07 PM, jdd wrote:
On 05/12/2013 10:29, ellanios82 wrote:
- what i did was to look at " ls -la " like :
ls -la /etc/rkhunter.conf
-rw-r----- 1 root root 40962 Nov 27 23:37 /etc/rkhunter.conf
.............
this shows November 27 as last time file changed, yet each time i run rkhunter same warning appears :
yes, so the warning is always for the same unique problem. pretty normal.
it should be easy to look in the file and see what is the change (comparing it to the one in the rpm).
it looks normal that a config file be adapted to your config. But I guess that rkhunter has a way to accept new files?
may be a small bug (change to a file without re recording it)?
many thanks
- Marcus has kindly sent me the Original rkhunter.conf which i have compared with my installed rkhunter.conf
- there were 2 small differences referring :
Mail on Warning = root
Allow SSH root user = no
............
- i am re-installing Marcus' original rkhunter.conf
Thank you, all, very much
On 05/12/2013 11:26, ellanios82 wrote:
- there were 2 small differences referring :
Mail on Warning = root Allow SSH root user = no
seems normal
............
- i am re-installing Marcus' original rkhunter.conf
will work only if exactly the same as your original, but this change doesn't seem to be harmful.
it's still not normal that rkhunter keeps warning. to stop it, use "rkhunter --propupd"
this updates the database of rkhunter with the actual values (according to the man page)
jdd
--
http://www.dodin.org
On 12/05/2013 12:52 PM, jdd wrote:
On 05/12/2013 11:26, ellanios82 wrote:
- there were 2 small differences referring :
Mail on Warning = root Allow SSH root user = no
seems normal
............
- i am re-installing Marcus' original rkhunter.conf
will work only if exactly the same as your original, but this change doesn't seem to be harmful.
it's still not normal that rkhunter keeps warning. to stop it, use "rkhunter --propupd"
this updates the database of rkhunter with the actual values (according to the man page)
- odd : . . . i had indeed run "rkhunter --propupd"
...............
thanks
On 05/12/2013 13:43, ellanios82 wrote:
- odd : . . . i had indeed run "rkhunter --propupd"
did you try adding the file name?
if it keeps complaining, it could be worth a bug report
jdd
--
http://www.dodin.org
On 12/05/2013 02:49 PM, jdd wrote:
On 05/12/2013 13:43, ellanios82 wrote:
- odd : . . . i had indeed run "rkhunter --propupd"
did you try adding the file name?
if it keeps complaining, it could be worth a bug report
jdd
- indeed, even after executing :
# rkhunter --propupd rkhunter.conf
- i still continue to receive report :
"Warning: Package manager verification has failed:
File: /etc/rkhunter.conf
The file modification time has changed "
.................
. . . whereas the file modification time has NOT changed
- perhaps a bug ?
thanks
On 05/12/2013 16:27, ellanios82 wrote:
- perhaps a bug ?
thanks
depending on how much free time you have, you can open a bug report in bugzilla, as an example
https://bugzilla.novell.com/show_bug.cgi?id=795073
is a report for the other bug I have seen here, may be from you
you can also ask on the rkhunter mailing list (link in the bug report)
thanks
jdd
NB: I can help, but do not use rkhunter so can't make the bug report myself
--
http://www.dodin.org
participants (4)
- Cristian Rodríguez
- ellanios82
- jdd
- Marcus Meissner