Question

5

rkhunter: right way to handle warnings further?

rated 0 times [ 5] [ 0] / answers: 1 / hits: 7421 / 1 Year ago, sat, february 4, 2023, 6:19:27

I googled some and checked out two first links it found:

http://www.skullbox.net/rkhunter.php

http://www.techerator.com/2011/07/how-to-detect-rootkits-in-linux-with-rkhunter/

They don't mention what shall I do in case of such warnings:

Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

Warning: The file properties have changed:

         File: /usr/bin/lynx

         Current hash: 95e81c36428c9d955e8915a7b551b1ffed2c3f28

         Stored hash : a46af7e4154a96d926a0f32790181eabf02c60a4

Q1: Is there more extended HowTos which explain how to deal with different kind warnings?

And the second question. Were my actions sufficient to resolve these warnings?

a) To find the package which contains the suspicious file, e.g. it is debianutils for the file /bin/which

~ > dpkg -S /bin/which

debianutils: /bin/which

b) To check the debianutils package checksums:

~ > debsums debianutils

/bin/run-parts                                                                OK

/bin/tempfile                                                                 OK

/bin/which                                                                    OK

/sbin/installkernel                                                           OK

/usr/bin/savelog                                                              OK

/usr/sbin/add-shell                                                           OK

/usr/sbin/remove-shell                                                        OK

/usr/share/man/man1/which.1.gz                                                OK

/usr/share/man/man1/tempfile.1.gz                                             OK

/usr/share/man/man8/savelog.8.gz                                              OK

/usr/share/man/man8/add-shell.8.gz                                            OK

/usr/share/man/man8/remove-shell.8.gz                                         OK

/usr/share/man/man8/run-parts.8.gz                                            OK

/usr/share/man/man8/installkernel.8.gz                                        OK

/usr/share/man/fr/man1/which.1.gz                                             OK

/usr/share/man/fr/man1/tempfile.1.gz                                          OK

/usr/share/man/fr/man8/remove-shell.8.gz                                      OK

/usr/share/man/fr/man8/run-parts.8.gz                                         OK

/usr/share/man/fr/man8/savelog.8.gz                                           OK

/usr/share/man/fr/man8/add-shell.8.gz                                         OK

/usr/share/man/fr/man8/installkernel.8.gz                                     OK

/usr/share/doc/debianutils/copyright                                          OK

/usr/share/doc/debianutils/changelog.gz                                       OK

/usr/share/doc/debianutils/README.shells.gz                                   OK

/usr/share/debianutils/shells                                                 OK

c) To relax about /bin/which as I see OK

/bin/which                                                                    OK

d) To put the file /bin/which to /etc/rkhunter.conf as SCRIPTWHITELIST="/bin/which"

e) For warnings as for the file /usr/bin/lynx I update checksum with rkhunter --propupd /usr/bin/lynx.cur

Q2: Do I resolve such warnings right way?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

emuralm

Add To Favorites

Follow

Total Points: 290

Total Questions: 111

Total Answers: 117

Location: China

Member since Thu, Sep 1, 2022

2 Years ago

emuralm questions

1 Sed (or other command) replace character range with hex codes

Wed, May 11, 22, 02:57, 2 Years ago

1 Remove eoan/19.10 repository on to a focal/20.04 System

Thu, Dec 16, 21, 14:58, 2 Years ago

1 Disadvantages of using npm n for upgrading nodejs

Fri, Oct 8, 21, 20:40, 3 Years ago

1 Installing Python 3.8 alongside the base system installation

Wed, Aug 24, 22, 09:57, 2 Years ago

1 How to install latest stable dolphin file manager on Kubuntu via xdg-open(Discover)?

Fri, Mar 18, 22, 00:15, 2 Years ago

View All

answered 1 Year ago ticrew · Accepted Answer

Using debsums is a very clever idea with one major flaw: If something were to overwrite a root-owned file such as /bin/which, it could also rewrite /var/lib/dpkg/info/*.md5sums with an updated checksum. There is no chain of custody back to a Debian/Ubuntu signature, as far as I can see. Which is a real shame because that would be a really simple, really quick way to verify the authenticity of a live file.

Instead to truly verify a file, you need to download a fresh copy of that deb, extract the internal control.tar.gz and then look at its md5sums file to compare against a real md5sum /bin/which. It's a painful process.

What has most likely happened here is that you've had some system updates (a distribution upgrade even) and you haven't asked rkhunter to update its profiles. rkhunter needs to know what files should be like so any system updates are going to upset it.

Once you know something is safe, you can run sudo rkhunter --propupd /bin/which to update its reference of the file.

This is one of the problems with rkhunter. It needs deep integration into the deb process so that when trusted, signed packages are installed, rkhunter updates its references to files.

And no, I wouldn't whitelist things like this because this is exactly the sort of thing a rootkit would go after.