RootKit Problem

**Etheral** · 06-25-2004 08:34 AM

i was scanning my server with RKhunter... it found this:

/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/bin/egrep [ BAD ]
/usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
/bin/fgrep [ BAD ]
/usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
/bin/grep [ BAD ]

How do i fix that.

**Etheral** · 06-25-2004 04:07 PM

MD5
MD5 compared: 80
Incorrect MD5 checksums: 3

is the total output, i dont think checksums can be hacks tho. so are you shure about the hack?

**chirpy** · 06-25-2004 05:22 PM

Might not be a hacking issue - Are you running Fedora by any chance?

**Etheral** · 06-26-2004 10:36 AM

Fedora Core 2

**Etheral** · 06-26-2004 10:37 AM

Hehe, wasnt a hacker issue, ive fixed it. wasnt a big deal.

**chirpy** · 06-26-2004 11:37 AM

Did you remove prelink from CRON and reboot, by any chance

**Etheral** · 06-26-2004 09:33 PM

**dalem** · 09-03-2004 12:38 PM

well what was the fix dont keep us in the dark

**chirpy** · 09-03-2004 12:42 PM

I already said what the fix was:

remove prefix from CRON and reboot

**dalem** · 09-03-2004 01:47 PM

you did not answer just smiled

thanks but not my problem

**abusedreality** · 10-17-2004 03:48 PM

What prefer are you refering to?,

I get that error when running....

/usr/local/bin/rkhunter -c --cronjob

**chirpy** · 10-17-2004 05:02 PM

The information is already in my post. You need to find the prelink cron job (IIRC, it's in /etc/cron.daily) then delete it and reboot your server.

**ctbhost** · 01-23-2005 11:35 AM

i have the same problem

i may be thick but what do you mean by

You need to find the prefix cron jon (IIRC, it's in /etc/cron.daily) and remove it, then reboot your server.

i have gone to /etc/cron.daily - what am i looking for and what do i need to do ??

there is a file called prelink do i remove this file ??

**chirpy** · 01-23-2005 12:25 PM

Yes, my post should have said "prelink", I'll correct it.

**eglwolf** · 06-01-2005 10:27 AM

You need to find the prefix cron jon (IIRC, it's in /etc/cron.daily) and remove it, then reboot your server.

Jonathon I have done this and I still get this when I run rootkit:

/usr/sbin/prelink: /lib/tls/libc-2.3.3.so has dependency cycle
/usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
Line:
[ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.3.so has dependency cycle
/usr/sbin/prelink: /bin/chmod: at least one of file's dependencies has changed since prelinking
Line: [ BAD ]
[ BAD ]
/usr/sbin/prelink: /lib/tls/libc-2.3.3.so has dependency cycle
/usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking
Line: [ BAD ]
[ BAD ]

So now what?

LinkBack

Thread Tools

RootKit Problem

rootkit hunter

Possible rootkit: Xzibit Rootkit ????

Rootkit Hunter 1.2.8 update Problem

Rootkit Hunter 1.1.5

Help With Possibile Rootkit