Warning at RootKit Hunter 1.3 Output

isputra

Well-Known Member
May 3, 2003
575
0
166
Mbelitar
Hi,

Yesterday i have done upgraded RKHunter from 1.2.9 to 1.3.0. Today i have receive RootKit Hunter Output Daily Run from cron and full of warning as you can see below :

--------------------------------
Warning: Checking for preload file [ Warning ]
Warning: Found library preload file: /etc/ld.so.preload
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
-------------------------------------

Seach on this forum and found nothing about above warning. Anyone, can explain to me what is the meaning of above warning and how to avoid the warning.

Or is this just false warning again from RKHunter like happen at the earlier version before ?

Thanks.
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
689
1
318
It is noting that these files do not match previous versions and are executable. You'll want to verify the contents of those files. You can do a diff on the files from that system a homogeneous system if you have one.
 

betoranaldi

Well-Known Member
Dec 5, 2007
105
0
66
Sorry to dig up an old thread, but I got the same exact warnings on the same bin files.

Code:
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: No output found from the lsmod command or the /proc/modules file:
        /proc/modules output: 
        lsmod output: 
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
I don't have an additional system to compare the files to.

Is there anyway I can tell that they are ok? Is there a way I can overwrite them with known, good versions?
 
Last edited:

nichiyume

Member
Nov 18, 2004
18
0
151
Phoenix, Az
Was this your first time running rkhunter in a while? they could have been updated by yum updating a package. I've seen those, however if an attacker gained elevated privileges needed to modify those files, you would have bigger and likely more visual problems.

You can uncomment:
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
from /etc/rkhunter.conf because it is quite common to get that error.

You could find out which package those binaries are from and re-install it.

If you are worried about being rooted, look at ps auxf | less and see if there is something different than before. A good time to research what should be there.