Rootkit? grep binary different from the one in the installed grep rmp

Mon Mar 20 18:51:48 UTC 2006

Hello,

FC3 server has a grep binary different from the one in the grep rmp.

Rootkit Hunter found this:
Info: prelinked files found
  Performing 'known good' check...
   /bin/egrep  [ BAD ]
   /bin/fgrep  [ BAD ]
   /bin/grep  [ BAD ]

Indeed a diff on installed /bin/grep and the grep included in the
installed rpm shows they are different:

# diff /bin/grep ./grep
Binary files /bin/grep and ./grep differ

# ./grep --version
grep (GNU grep) 2.5.1

# /bin/grep --version
grep (GNU grep) 2.5.1

Coincidentally i installed a new kernel and postfix just before the
rkhunter alarm:

Yum log:

Mar 14 11:30:24 Updated: rkhunter.noarch 1.2.8-1.fc3
Mar 17 11:30:43 Updated: kernel-doc.noarch 2.6.12-2.3.legacy_FC3
Mar 17 11:31:16 Installed: kernel.i686 2.6.12-2.3.legacy_FC3

Reboot was at Mar 18 18:06:39

Mar 18 18:11:25 Erased: sendmail
Mar 18 18:11:32 Erased: mutt
Mar 18 18:11:55 Erased: squirrelmail
Mar 18 18:12:23 Erased: fetchmail
Mar 18 18:12:24 Erased: redhat-lsb
Mar 18 18:12:26 Erased: mdadm
Mar 18 18:14:16 Installed: postfix.i386 2:2.1.5-5

Email received by root from Rootkit Hunter Scan:

Please inspect this machine, because it can be infected

...
--------------------- Start Rootkit Hunter Update ---------------------

Running rkhunter updater... Sun, 19 Mar 2006 04:03:22 +0000

Finished rkhunter updater.. Sun, 19 Mar 2006 04:03:23 +0000
Ready.

---------------------- Start Rootkit Hunter Scan ----------------------

   Checking for differences in user accounts... Found differences
   Info:
----------------------
< postfix:x:89:89::/var/spool/postfix:/sbin/nologin
----------------------
   Info: Some items have been added (items marked with '<')
   Checking for differences in user groups... Found differences
   Info:
----------------------
< mail:x:12:mail,postfix
> mail:x:12:mail
< postdrop:x:90:
< postfix:x:89:
----------------------
   Info: Some items have been added (items marked with '<')
...

MD5
MD5 compared: 92
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

--------------------- Start Rootkit Hunter Update ---------------------

Running rkhunter updater... Mon, 20 Mar 2006 04:04:19 +0000

Finished rkhunter updater.. Mon, 20 Mar 2006 04:04:19 +0000
Ready.

---------------------- Start Rootkit Hunter Scan ----------------------

Info: prelinked files found
  Performing 'known good' check...
   /bin/egrep  [ BAD ]
   /bin/fgrep  [ BAD ]
   /bin/grep  [ BAD ]

How to further investigate it? I can't see a reason for the changed grep binary.

Regards, Clodoaldo Pinto