Worried about having been hacked

James Allsopp jamesaallsopp at googlemail.com
Wed Jul 8 11:08:20 UTC 2009


Hi,
I've checked all the files you asked me to. The following are the files
from the yum whatprovides, followed by that grepped on /var/log/

chkconfig-1.3.38-1.i386
Mar 26 00:53:01 Updated: chkconfig-1.3.38-1.i386
rpm-4.6.1-1.fc10.i386
Jun 10 08:34:24 Updated: rpm-4.6.1-1.fc10.i386
passwd-0.75-2.fc9.i386
never been updated.
perl-5.10.0-68.fc10.i386
Apr 22 16:54:07 Updated: 4:perl-5.10.0-68.fc10.i386


This machine was installed about August 2008. The /usr/bin/passwd is
shown in red, which I think indicates a broken symbolic link?

[root at 87-194-141-15 ~]# which chkconfig
/sbin/chkconfig
[root at 87-194-141-15 ~]# ls -l /sbin/chkconfig
-rwxr-xr-x 1 root root 28000 2008-10-29 15:35 /sbin/chkconfig

[root at 87-194-141-15 ~]# which passwd
/usr/bin/passwd
[root at 87-194-141-15 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 25700 2008-04-08 14:48 /usr/bin/passwd

[root at 87-194-141-15 ~]# which rpm
/bin/rpm
[root at 87-194-141-15 ~]# ls -l /bin/rpm
-rwxr-xr-x 1 root root 23240 2009-05-18 12:26 /bin/rpm

[root at 87-194-141-15 ~]# which perl
/usr/bin/perl
[root at 87-194-141-15 ~]# ls -l /usr/bin/perl
-rwxr-xr-x 2 root root 8140 2009-04-14 12:26 /usr/bin/perl



None of these files seems new, but could they have been altered? This is
the first time I've seen this in rkhunter.
Jim




Frank Murphy wrote:
> On 08/07/09 10:59, James Allsopp wrote:
>> Hi,
>> I've checked this out and that was happening, but I've just had this
>> reported by rkhunter;
>>
>>
> <snip>
> 
>> Warning: Package manager verification has failed:
>>          File: /sbin/chkconfig
>>          Try running the command 'prelink /sbin/chkconfig' to resolve
>> dependency errors.
>>          The file hash value has changed
>>          The file size has changed
>>
>> I'm not entirely sure what these errors mean though; have these files
>> been trojan'ed?
>>
> 
> Have you updated?
> If yes, that's where you get the change.
> Check those updates against your yum logs.
> If you're not sure what update to check against:
> yum whatprovides */sbin/chkconfig
> 
> For above.
> 
> Regards,
> 
> Frank
> 
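
The check Frank suggests (find the package that owns a flagged file, then look for that package in the yum logs), as an added shell example that is not part of the original thread. The names `last_yum_event` and `audit_file` and the `YUM_LOG` default are assumptions made here, and the `rpm -Vf` step is an addition the thread does not mention.

```shell
#!/bin/bash
# Added example: correlate a flagged binary with its package's yum.log history.
# YUM_LOG and both function names are assumptions of this sketch.
YUM_LOG="${YUM_LOG:-/var/log/yum.log}"

# last_yum_event LOGFILE NAME-VERSION-RELEASE.ARCH
# Print the newest Installed:/Updated: line for exactly that package.
# yum.log can prefix the name with an epoch ("4:perl-..."), so strip it
# before comparing; an exact match avoids hits on e.g. perl-libs.
last_yum_event() {
    awk -v pkg="$2" '
        $4 == "Installed:" || $4 == "Updated:" {
            name = $5
            sub(/^[0-9]+:/, "", name)
            if (name == pkg) last = $0
        }
        END { if (last != "") print last }' "$1"
}

# audit_file PATH
# Show the owning package, its last yum event, the on-disk mtime, and the
# result of verifying the owning package against the RPM database.
audit_file() {
    local path="$1" pkg event
    pkg=$(rpm -qf --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$path") ||
        { echo "$path: not owned by any package"; return 1; }
    event=$(last_yum_event "$YUM_LOG" "$pkg")
    echo "file:    $path"
    echo "package: $pkg"
    echo "yum log: ${event:-no entry in $YUM_LOG}"
    echo "mtime:   $(stat -c '%y' "$path")"
    # rpm -Vf checks every file of the owning package and prints only mismatches.
    if rpm -Vf "$path"; then echo "verify:  OK"; else echo "verify:  MISMATCH (see lines above)"; fi
    echo
}

# Usage: ./audit.sh /sbin/chkconfig /usr/bin/passwd /bin/rpm /usr/bin/perl
for f in "$@"; do audit_file "$f"; done
```

Because `/bin/rpm` is itself one of the files under question here, output from the installed `rpm` is only as trustworthy as that binary; running the same verification from rescue media against the mounted root avoids relying on it.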



