Maybe I'm being overly cautious, but I recently received the following warnings from rkhunter:
Warning: The file properties have changed:
File: /bin/dmesg
Current hash: e94b12f49e53695bf5161a445c00b3f97e37e9a8
Stored hash : 4cc922b102987beea5ec3e10f283b08cfd942658
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/kill
Current hash: 12f2d4e21474ccdb989c9ee4d4102917e51d8d7b
Stored hash : 8e14ca5dbdc158a833c2d861bf682e31aae24675
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/logger
Current hash: 08f2886e3ef1fa5adb34ed8b24477362206f85c6
Stored hash : c2bf21ac162bc7de5f6c0b787c304707127e5d96
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/login
Current hash: d05eb12a1184d3babcf3380674293974b8a2dcce
Stored hash : 4849447380595bbff3aacc1a1ac90e59f7289ca6
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/more
Current hash: e2bad443495de0c23be2f87f836f80eafa3ba330
Stored hash : afb55b42873a210a5cec07baa106faa3829cae41
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/mount
Current hash: cfda891d89dc57c94327bd62845f8ef13c42ff54
Stored hash : 32d8659bad80b43acc4e437510a88491c9c53294
Current file modification time: 1263983789 (20-Jan-2010 05:36:29)
Stored file modification time : 1252007547 (03-Sep-2009 15:52:27)
Warning: The file properties have changed:
File: /usr/bin/kill
Current hash: 12f2d4e21474ccdb989c9ee4d4102917e51d8d7b
Stored hash : 8e14ca5dbdc158a833c2d861bf682e31aae24675
Current file modification time: 1264059189 (21-Jan-2010 02:33:09)
Stored file modification time : 1256283752 (23-Oct-2009 03:42:32)
Warning: The file properties have changed:
File: /usr/bin/logger
Current hash: 08f2886e3ef1fa5adb34ed8b24477362206f85c6
Stored hash : c2bf21ac162bc7de5f6c0b787c304707127e5d96
Current file modification time: 1264059189 (21-Jan-2010 02:33:09)
Stored file modification time : 1256283752 (23-Oct-2009 03:42:32)
Warning: The file properties have changed:
File: /usr/bin/whereis
Current hash: 0d700404e6cfd49bc1ef39465a586706b3b9f008
Stored hash : 1552446e1285fd3d361e0198149e0a946ee7f28b
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /sbin/nologin
Current hash: 01b82549a312108b655cca21993d2b24a56f3c7e
Stored hash : 61255119451e25eb27e6e9a4ca67219564896d4f
Current file modification time: 1263983792 (20-Jan-2010 05:36:33)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /usr/sbin/vipw
Current hash: da7bc573ef2c55f1f7e1a7ebb964dbf1187c2702
Stored hash : dc50bdcb381833d6e8e12cc7af81b37a0b3c4c8e
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Normally I check the yum logs to see whether these files were updated recently, but I don't see that they were:
Jan 21 02:33:08 Updated: 30:bind-libs-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:08 Updated: perl-Compress-Raw-Zlib-2.024-1.el5.rf.x86_64
Jan 21 02:33:08 Updated: perl-Compress-Raw-Bzip2-2.024-1.el5.rf.x86_64
Jan 21 02:33:09 Updated: 30:bind-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:09 Updated: 1:cups-libs-1.3.7-11.el5_4.5.x86_64
Jan 21 02:33:11 Updated: util-linux-2.13-0.52.el5_4.1.x86_64
Jan 21 02:33:11 Updated: gzip-1.3.5-11.el5.centos.1.x86_64
Jan 21 02:33:11 Updated: perl-IO-Compress-2.024-1.el5.rf.noarch
Jan 21 02:33:16 Updated: 30:caching-nameserver-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:18 Updated: kernel-headers-2.6.18-164.11.1.el5.x86_64
Jan 21 02:33:18 Updated: 1:cups-libs-1.3.7-11.el5_4.5.i386
Am I missing something when I look at the log file? Would one of those packages have resulted in all of these files being updated? Maybe util-linux?
I know that running rkhunter --propupd will reset the baseline file information it checks against, but I just want to be sure I shouldn't be worried about these results first. The packages that were changed look like they could be used in a hacking attempt.
The output of last doesn't show any suspicious logins.
Answer 1
I just used the "yum provides /path/binary" command on a 64-bit CentOS box I have here, and all of those binaries are part of the util-linux package, which is listed in your recent updates.
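As an added example (not code from the question or either answer), a script that automates the check made in this answer: it parses rkhunter's warnings and the yum.log excerpt, maps each flagged file to its owning package, and reports whether a package update after the baseline explains the change. The rpm -qf lookup, the constructed owner table and the year passed to the yum.log parser are assumptions; rkhunter itself does not produce this report.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample input, trimmed from the rkhunter and yum.log excerpts in the question.
RKHUNTER_OUTPUT = """\
Warning: The file properties have changed:
File: /bin/dmesg
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/login
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
"""
YUM_LOG = """\
Jan 21 02:33:09 Updated: 30:bind-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:11 Updated: util-linux-2.13-0.52.el5_4.1.x86_64
"""
# Constructed stand-in for 'rpm -qf' so the example runs without an RPM database.
SAMPLE_OWNERS = {"/bin/dmesg": "util-linux", "/bin/login": "util-linux"}

def parse_rkhunter(text):
    """Map each flagged file to the baseline (stored) mtime rkhunter recorded for it."""
    paths = re.findall(r"^File: (\S+)", text, re.M)
    stored = re.findall(r"^Stored file modification time\s*:\s*\d+ \(([^)]+)\)", text, re.M)
    return {p: datetime.strptime(s, "%d-%b-%Y %H:%M:%S") for p, s in zip(paths, stored)}

def parse_yum_log(text, year):
    """Return [(time, package name)] for 'Updated:' lines; yum.log omits the year."""
    pat = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) Updated: (?:\d+:)?(.+?)-[^-]+-[^-]+$", re.M)
    return [(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), name)
            for ts, name in pat.findall(text)]

def rpm_owner(path):
    """Real owner lookup through the RPM database (needs rpm on the host)."""
    r = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def explain(warnings, updates, owner_of=rpm_owner):
    """For each flagged file return (owning package, ISO time of the first yum update of
    that package after the baseline, or None). A None entry is a change yum did not make:
    verify that file with 'rpm -V <package>' before resetting the baseline with --propupd."""
    report = {}
    for path, baseline in warnings.items():
        pkg = owner_of(path)
        hits = sorted(t for t, name in updates if name == pkg and t > baseline)
        report[path] = (pkg, hits[0].isoformat() if hits else None)
    return report

if __name__ == "__main__":
    print(explain(parse_rkhunter(RKHUNTER_OUTPUT), parse_yum_log(YUM_LOG, 2010), SAMPLE_OWNERS.get))
```

The comparison is against the stored (baseline) mtime rather than the current one on purpose: rpm restores each file's mtime from the package it installs, which is why the current mtimes (20-Jan) predate the yum.log entries (21-Jan) that actually wrote them.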
Answer 2
It's possible you used 'prelink' at some point between now and September 3, 2009. prelink has an MD5 flag:
--md5
This is similar to the --verify option, except that instead of outputting the content of the binary or library before prelinking to standard output, its MD5 digest is printed. See md5sum(1).
Check those binaries with it; it should match the recorded value if it was prelink that changed them.