Full Version: Rkhunter says chkconfig is bad
The Planet Forums > Security > General Security > UNIX Security
ackilles
Is this a problem with Rkhunter having issues with RHEL3 or do you think my system is compromised?


Rootkit Hunter 1.2.8 is running

Determining OS... Ready


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ BAD ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
--------------------------------------------------------------------------------
Blue|Fusion
First, to ensure it's not a false positive, update your whole system with up2date -u (and update the necessary packages in the skiplist with up2date -uf package). Second, run rkhunter --update to get the latest databases. Then run rkhunter again and if you still get the same output, look into the /sbin/chkconfig as possibly compromised.
gbock
Before updating you may want to check the file against the rpm database.

[gbock gbock]$ rpm -qf `which chkconfig`
chkconfig-1.3.13.3-0.3
[gbock gbock]$ rpm -V chkconfig
[gbock gbock]$


If something had changed:

[gbock gbock]$ sudo mv /sbin/chkconfig{,.save}
[gbock gbock]$ sudo cp /sbin/pidof /sbin/chkconfig
[gbock gbock]$ rpm -V chkconfig
S.5....T /sbin/chkconfig
[gbock gbock]$

I would also save this file for examination before simply trying to update it.
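As an added example (not gbock's or anyone else's code from this thread), the following POSIX shell helpers decode the status column that `rpm -V` prints, such as the `S.5....T` shown in the session above, and turn it into a triage verdict: a changed digest or size means the file content itself differs from what the package shipped, while an mtime-only or ownership-only difference usually does not. The sample `rpm -V` lines fed to it are constructed for the example, and `rpm_check_binary` assumes the `rpm` command is present on the host.

```shell
#!/bin/sh
# Added example: decode and triage `rpm -V` output for a flagged binary.
# Status column positions, as documented in rpm(8):
#   S size, M mode, 5 digest, D device major/minor, L readlink path,
#   U user, G group, T mtime, P capabilities (newer rpm releases only).
# '.' means the attribute verified; '?' means it could not be checked.

# rpm_verify_decode <status>: print the names of the attributes that changed.
rpm_verify_decode() {
    status=$1
    out=""
    i=1
    len=${#status}
    while [ "$i" -le "$len" ]; do
        c=$(printf '%s' "$status" | cut -c"$i")
        case $c in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
            '?') out="$out unverifiable" ;;
            *) ;;   # '.' or padding: attribute verified
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# rpm_verify_triage: read `rpm -V` output on stdin, print one verdict per file.
# CONTENT_CHANGED is the case that warrants keeping the file for examination,
# as gbock suggests, rather than simply reinstalling over it.
rpm_verify_triage() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case $line in
            missing*) printf 'MISSING %s\n' "${line##* }"; continue ;;
        esac
        status=${line%% *}     # first field: the S.5....T column
        path=${line##* }       # last field: the file path (skips the 'c' marker)
        changed=$(rpm_verify_decode "$status")
        case $changed in
            *digest*|*size*) verdict=CONTENT_CHANGED ;;
            "")              verdict=CLEAN ;;
            mtime)           verdict=MTIME_ONLY ;;
            *)               verdict=METADATA_CHANGED ;;
        esac
        printf '%s %s (%s)\n' "$verdict" "$path" "$changed"
    done
}

# rpm_check_binary <path>: on an RPM-based host, find the owning package and
# triage every file it installed. Assumes `rpm` is available.
rpm_check_binary() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || {
        printf 'not owned by any package: %s\n' "$1"
        return 1
    }
    printf 'package: %s\n' "$pkg"
    rpm -V "$pkg" | rpm_verify_triage
}

# Constructed sample of `rpm -V` output (not captured from a real host):
sample_rpm_v_output='S.5....T /sbin/chkconfig
.......T c /etc/sysconfig/example
.M...... /sbin/example-tool
missing   /usr/share/doc/example/README'

printf '%s\n' "$sample_rpm_v_output" | rpm_verify_triage
```

On a live system, `rpm_check_binary /sbin/chkconfig` runs the `rpm -qf` and `rpm -V` steps from gbock's session and prints the verdicts; a CONTENT_CHANGED result on a binary whose package version still matches the vendor's current release is the case worth preserving and investigating before any reinstall.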
Blue|Fusion
Upon running RKHunter on several of my RHEL3 boxes, all showed chkconfig as bad, so I'm assuming a recent update or a lack of updates in rkhunter's database is the culprit.
ackilles
Ya that's what I was thinking, thanks for the help!