The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Rootkit Hunter Question

Discussion in 'General Discussion' started by mickalo, Jan 13, 2007.

  1. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Hello,

    we run the rookit hunter daily on our machine, and today we got this report:
    Code:
    /usr/sbin/prelink: /bin/more: at least one of file's dependencies has changed since prelinking
    
     /bin/more  [ BAD ]
    
    is this something to be concerned about, haven't seen this one before. We did run the "rookit --update" also, but got the same report afterwards.

    Update:
    Found the problem from the FAQ's had to do with the prelink out of sync, which fixed it.


    TIA,
    Mickalo
     
    #1 mickalo, Jan 13, 2007
    Last edited: Jan 13, 2007
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's quite common, especially on a new OS install or a major OS update. For anyone else who finds the thread, this will usually fix it:

    prelink -ua
     
  3. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    this is all that's needed to be done ??

    Mickalo
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, that's it :)
     
  5. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    is that the same as running /etc/cron.daily/prelink as recommended by the RootKit Hunter people ?? they also have small utility script that also runs called "hashupd.sh"
    that is suppose to "fix local MD5 hash values" that the rootkit hunter uses, that's if your fimilar with this rootkit hunter utility.

    Mickalo
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    No, prelink -ua will remove the prelinks. The daily job will update existing ones and create new ones for those that have been removed. However that sometimes gets out of sync (AIUI) and removing the prelinks gets you back to a clean state.
     
  7. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Ok that make sense now.

    Thx's again,
    Mickalo
     

Share This Page