7

I am running a fully updated LTS copy of Ubuntu server. Today I ran rkhunter (as I do from time to time). This is the output I got:

Warning: The file properties have changed:
[15:52:25]          File: /bin/ps
[15:52:25]          Current hash: f22991ec93ae966c856d367f42fc3d8a484bd827
[15:52:25]          Stored hash : 1892268bf195ac118076b1b0f53e7a637eb6fbb3
[15:52:25]          Current inode: 142902    Stored inode: 130894
[15:52:25]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:25]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)

Warning: The file properties have changed:
[15:52:33]          File: /usr/bin/ldd
[15:52:33]          Current hash: f1e2ca5aa3a28994e2cebb64c993a72b7d97b28c
[15:52:33]          Stored hash : 295d9cedb121a5e431a39a6d201ecd7ce5640497
[15:52:33]          Current inode: 2236210    Stored inode: 2234359
[15:52:33]          Current size: 5280    Stored size: 5279
[15:52:33]          Current file modification time: 1331165514 (07-Mar-2012 16:11:54)
[15:52:33]          Stored file modification time : 1295653965 (21-Jan-2011 15:52:45)

Warning: The file properties have changed:
[15:52:37]          File: /usr/bin/pgrep
[15:52:37]          Current hash: 3eada9a96760f3e2c9111cfe32901d1432813c1d
[15:52:37]          Stored hash : ce265d0db9964b173fe5036f703a9b8d66e55df3
[15:52:37]          Current inode: 2229646    Stored inode: 2224867
[15:52:37]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:37]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)

Warning: The file properties have changed:
[15:52:41]          File: /usr/bin/top
[15:52:41]          Current hash: 6be13737d8b0950cea2f1ae3a46d4af713dbe971
[15:52:41]          Stored hash : c7b495ecef3982eeb6f08a511861b1a1ae8775e6
[15:52:41]          Current inode: 2229629    Stored inode: 2224862
[15:52:41]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:41]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)

Warning: The file properties have changed:
[15:52:53]          File: /usr/sbin/cron
[15:52:53]          Current hash: e783ca973f970aa8a4bf5edc670e690b33914c3d
[15:52:53]          Stored hash : 4718257a8060736b9058aed025c992f02a74a5a7
[15:52:53]          Current inode: 2224719    Stored inode: 2228839
[15:52:54]          Current file modification time: 1330965568 (05-Mar-2012 08:39:28)

There were also a few others I left out. Has my server been rooted? I am running fail2ban and do monitor failed ssh logins. Nothing has come up. Could someone compare these hashes to their copy of Ubuntu Server (LTS)? Please tell me these are false positives.....

Edit:

This is a list of all the files with odd md5s:

kill
ps
ldd
pgrep
top
vmstat
w
watch
w.procps
sysctl
cron

This doesn't look so good. I am going to create a vm with the same distro and update it, then run rkhunter again. If I was hacked, how on earth did they get in? SSH is on a nonstandard port, I'm running fail2ban and check the logs daily. I am running apache, but there is nothing www-data has write access to. I'm confused.

CountMurphy
  • 195
  • 1
  • 7

3 Answers

5

From the timestamps it looks like you updated several programs built Dec 19th at about 7:30.
Modification timestamps should be the build timestamps. It depends on how they get moved into place. Some programs are linked to through /etc/alternatives, and the symbolic links will have the timestamp of the install. This could be an automatic security update.

Check your /var/log/apt/history.log file from then. It is likely compressed and rotated, but can be read with zless. If you use aptitude to do your updates, check its log /var/log/aptitude.log. Many packages have md5sums that can be used to verify that the files they contain haven't been modified. It is safest to run statically linked tools from read-only media which contains the comparison checksums. However, if you don't think the md5 toolchain is compromised you can use the local files.

Programs like rkhunter usually require a switch to enable updating their database of checksums. You may want to run the program before running updates, and then again after the updates with the switch to capture the changed hash codes.

BillThor
  • 27,354
  • 3
  • 35
  • 69
  • 1
    This was just a normal update after all. history.log listed many of the programs in question. To double check that they were fine, I created a vm with a fresh install of the distro. After a full system update I ran checksums of the files in question and compared with my actual server. The checksums all matched. You were right about rkhunter not updating its checksums. rkhunter --propupd fixed the warnings completely. Thanks for the help :) – CountMurphy Mar 22 '12 at 16:54
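The two checks this answer recommends (compare each flagged file against the md5sums its package shipped, then see whether apt's history log records an upgrade of that package) scripted as an added example; this is not code from the question or the answers, and the function names, the stand-in files and the apt history entry in the demo are constructed here. On a real host, `dpkg -S` gives the owning package, and the md5sums file lives at /var/lib/dpkg/info/<package>.md5sums.

```shell
#!/bin/sh
# Added example, not from the original thread: verify rkhunter-flagged files
# against dpkg's per-package md5sums and correlate with apt's history log.
# Function names and the demo data are constructed for this illustration.

# verify_against_md5sums FILE MD5SUMS_FILE [ROOT]
#   FILE is the absolute path as rkhunter prints it (e.g. /bin/ps); dpkg
#   records paths without the leading slash, so it is stripped for the lookup.
#   Exit status: 0 = hash matches the package record, 1 = mismatch,
#   2 = file not listed in that md5sums file.
verify_against_md5sums() {
    file=$1; sums=$2; root=${3:-}
    rel=${file#/}
    expected=$(awk -v f="$rel" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 1
}

# apt_upgraded_package PACKAGE HISTORY_LOG
#   Prints the Start-Date line of every apt run whose "Upgrade:" line names
#   PACKAGE (either "pkg (old, new)" or "pkg:arch (old, new)" entries).
#   Exit 0 if at least one run was found, 1 otherwise. Reads .gz rotations too.
apt_upgraded_package() {
    pkg=$1; log=$2
    case $log in
        *.gz) reader=zcat ;;
        *)    reader=cat ;;
    esac
    $reader "$log" | awk -v p="$pkg" '
        /^Start-Date:/ { start = $0 }
        /^Upgrade:/ {
            n = split(substr($0, 10), entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], parts, /[ :]/)
                if (parts[1] == p) { print start; found = 1; break }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Demo on constructed data so the script runs stand-alone. On a real host:
#   pkg=$(dpkg -S "$f" | cut -d: -f1)
#   verify_against_md5sums "$f" "/var/lib/dpkg/info/$pkg.md5sums"
#   apt_upgraded_package "$pkg" /var/log/apt/history.log.1.gz
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'constructed stand-in for /bin/ps\n' > "$tmp/bin/ps"
    # dpkg md5sums layout: "<md5>  <path without leading slash>"
    printf '%s  bin/ps\n' "$(md5sum "$tmp/bin/ps" | awk '{ print $1 }')" \
        > "$tmp/procps.md5sums"
    # constructed apt history entry; version strings are placeholders
    printf 'Start-Date: 2011-12-19  07:18:30\nUpgrade: procps (1.0-1, 1.0-2), cron (1.0-1, 1.0-2)\nEnd-Date: 2011-12-19  07:18:40\n' \
        > "$tmp/history.log"

    for f in /bin/ps /bin/kill; do
        rc=0
        verify_against_md5sums "$f" "$tmp/procps.md5sums" "$tmp" || rc=$?
        case $rc in
            0) echo "$f: matches the package's md5sums" ;;
            2) echo "$f: not listed in this package's md5sums (check dpkg -S)" ;;
            *) echo "$f: MISMATCH - compare with a clean install before trusting it" ;;
        esac
    done
    if apt_upgraded_package procps "$tmp/history.log"; then
        echo "procps was upgraded by apt in the run(s) above"
    fi
    rm -rf "$tmp"
}

demo
```

A match against the md5sums file only says the file is what the installed package shipped; if the package toolchain itself is in doubt, the checksums have to come from a known-good copy (a fresh VM of the same release, as the questioner did) rather than from the host being examined.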
1

You need to run

sudo rkhunter --update --propupd

after any manual or automatic upgrade. I took it from here and it worked perfectly for me.

All the best!

Mauro
  • 111
  • 1
1

Well, if your system was compromised then you couldn't trust your logs anyway.

If you haven't run rkhunter since 2009 and you have updated your system, then these might be false positives. Otherwise it's time to take a good look at your backups.

Lucas Kauffman
  • 16,818
  • 9
  • 57
  • 92