CentOS - Oct 2006 - Problem rkhunter v. 1.2.8 - CENTOS 4

Dear Friends,

I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version 
1.2.8, but the rkhunter program  show me problem on file /bin/kill.

I compare files /bin/kill with other CENTOS 4 and it has same size.

====================== SHOE LOG ==========================

Rootkit Hunter 1.2.8 is running
Mon, 30 Oct 2006 12:56:44 -0200
Determining OS... Ready


Checking binaries
* Selftests
      Strings (command)                                        [ OK ]


* System tools
Info: prelinked files found
   Performing 'known good' check...
    /bin/cat                                                   [ OK ]
    /bin/chmod                                                 [ OK ]
    /bin/chown                                                 [ OK ]
    /bin/date                                                  [ OK ]
    /bin/dmesg                                                 [ OK ]
    /bin/env                                                   [ OK ]
    /bin/grep                                                  [ OK ]
    /bin/kill                                                  [ BAD ]
    /bin/login                                                 [ OK ]
    /bin/ls                                                    [ OK ]
    /bin/more                                                  [ OK ]
    /bin/mount                                                 [ OK ]
    /bin/netstat                                               [ OK ]
    /bin/ps                                                    [ OK ]
    /bin/su                                                    [ OK ]


==========================================================

I guess problem is rkhunter.

Thanks for help.

Adriano Frare

> I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version
> 1.2.8, but the rkhunter program  show me problem on file /bin/kill.
>
> I compare files /bin/kill with other CENTOS 4 and it has same size.
> I guess problem is rkhunter.
Yes and no. Your issue is likely caused by prelink, which alters
binaries to load more quickly. This runs as part of a daily cron by
default, so files can and in all likelihood will change over time. You
should consider either adjusting rkhunter, or telling prelink to not
mess with certain file directories.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

> I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version 
> 1.2.8, but the rkhunter program  show me problem on file /bin/kill.
I had the same issue and asked on the rkhunter mailing list.  RKhunter is 
currently under new ownership and they are starting to fix issues like this. 
v1.2.9 is out now and in the mean time you can manually use hashupd.sh from the 
website [1] to update the rkhunter has database.

Oh and RKhunter uses prelink for the hash check so the hash should be constant 
when libraries are updated :-)

Dan

[1] New RKhunter home http://rkhunter.sourceforge.net/