
I run RKHunter on Ubuntu as well as automated system / package updates. Last night I started receiving RKHunter warnings as listed below and whilst it's obviously easy for me to just do:

rkhunter --propupd

That could potentially mask someone having hacked my server and put a new version of sudo in place (which I wouldn't like). I tried to find the new MD5 hash on Google but I'm not able to so could someone tell me what the correct procedure is to either:

1) Conclude that this update is fine and I can run rkhunter --propupd, OR
2) Determine that someone has hacked my server and I should get really worried!

Thanks in advance

Warning: The file properties have changed: 
     File: /usr/bin/sudo
     Current hash: 1dcc3aa8a670d39ec8b6ee8881c7f58dc5b8dbd7
     Stored hash : f7a8cc9c75c4550cf3f98f9ffb45853faf02dfde
     Current inode: 8923256    Stored inode: 8916208
     Current file modification time: 1361998758 (27-Feb-2013 20:59:18)
     Stored file modification time : 1337145923 (16-May-2012 06:25:23)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
user385762

1 Answer


You should probably have a look at the log of the Apt/Aptitude installs, and see if the program was updated at the same time that you started to receive the warnings from rkhunter.

NickW
  • Thanks - I looked at the logs already and they confirm that the file was updated (which I knew already because RKHunter told me :-)). That doesn't confirm though that the new file was "legal" and that's the bit I'm trying to confirm – user385762 Mar 06 '13 at 15:46
  • Hmm, so you're trying to find confirmations of the validity of the files that apt(whatever) obtains? https://help.ubuntu.com/community/SecureApt – NickW Mar 06 '13 at 15:51
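As an added example (not from the question or the answer above), a small POSIX shell script that does the check the thread is circling: compare a file's MD5 with the one dpkg recorded for its package in /var/lib/dpkg/info/<pkg>.md5sums, and pull that package's upgrade lines out of /var/log/dpkg.log. It assumes the standard formats of those two files and runs here against constructed sample data; note that the rkhunter hashes quoted in the question are SHA-1, so they cannot be compared with dpkg's MD5 record directly.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# md5sums format: "<md5>  <path without leading />"; dpkg.log format:
# "date time action package[:arch] old-version new-version".
set -u

# verify_against_md5sums <md5sums-file> <root-dir> <path-without-leading-slash>
# Exit status 0: on-disk MD5 matches the package record; 1: differs; 2: not listed.
verify_against_md5sums() {
    recorded=$(awk -v p="$3" '$2 == p { print $1; exit }' "$1")
    [ -n "$recorded" ] || return 2
    actual=$(md5sum "$2/$3" | awk '{ print $1 }')
    [ "$actual" = "$recorded" ]
}

# upgrade_events <dpkg-log> <package>
# Prints the lines where dpkg logged an upgrade of the package (with or
# without a :arch suffix), so the change can be tied to a package run.
upgrade_events() {
    awk -v pkg="$2" '$3 == "upgrade" && $4 ~ ("^" pkg "(:|$)")' "$1"
}

# --- demo on constructed data; a real check uses /, the real
# --- /var/lib/dpkg/info/sudo.md5sums and /var/log/dpkg.log ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/root/usr/bin"
printf 'stand-in for the sudo binary\n' > "$demo_dir/root/usr/bin/sudo"
md5sum "$demo_dir/root/usr/bin/sudo" | awk '{ print $1 "  usr/bin/sudo" }' \
    > "$demo_dir/sudo.md5sums"
# Constructed log lines; the version strings are placeholders, not real ones.
cat > "$demo_dir/dpkg.log" <<'EOF'
2013-02-27 20:58:40 upgrade libc6 OLD-VERSION NEW-VERSION
2013-02-27 20:59:18 upgrade sudo OLD-VERSION NEW-VERSION
2013-02-27 20:59:19 status installed sudo NEW-VERSION
EOF

rc=0
verify_against_md5sums "$demo_dir/sudo.md5sums" "$demo_dir/root" usr/bin/sudo || rc=$?
case $rc in
    0) echo "usr/bin/sudo matches the MD5 recorded by dpkg" ;;
    1) echo "usr/bin/sudo DIFFERS from the MD5 recorded by dpkg" ;;
    *) echo "usr/bin/sudo is not listed in the package's md5sums" ;;
esac
echo "upgrade events for sudo:"
upgrade_events "$demo_dir/dpkg.log" sudo
rm -rf "$demo_dir"
```

A match only shows the file is what dpkg installed; whether that package was genuine is what apt's signature checks (the SecureApt link above) cover, so a mismatch with no matching upgrade event is the case worth escalating.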