也许我很谨慎,但是我最近收到了来自rkhunter的警告:
Warning: The file properties have changed: File: /bin/dmesg Current hash: e94b12f49e53695bf5161a445c00b3f97e37e9a8 Stored hash : 4cc922b102987beea5ec3e10f283b08cfd942658 Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /bin/kill Current hash: 12f2d4e21474ccdb989c9ee4d4102917e51d8d7b Stored hash : 8e14ca5dbdc158a833c2d861bf682e31aae24675 Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /bin/logger Current hash: 08f2886e3ef1fa5adb34ed8b24477362206f85c6 Stored hash : c2bf21ac162bc7de5f6c0b787c304707127e5d96 Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /bin/login Current hash: d05eb12a1184d3babcf3380674293974b8a2dcce Stored hash : 4849447380595bbff3aacc1a1ac90e59f7289ca6 Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /bin/more Current hash: e2bad443495de0c23be2f87f836f80eafa3ba330 Stored hash : afb55b42873a210a5cec07baa106faa3829cae41 Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /bin/mount Current hash: cfda891d89dc57c94327bd62845f8ef13c42ff54 Stored hash : 32d8659bad80b43acc4e437510a88491c9c53294 Current file modification time: 1263983789 (20-Jan-2010 05:36:29) Stored file modification time : 1252007547 (03-Sep-2009 15:52:27) Warning: The file properties have changed: File: /usr/bin/kill Current hash: 12f2d4e21474ccdb989c9ee4d4102917e51d8d7b Stored hash : 8e14ca5dbdc158a833c2d861bf682e31aae24675 Current file modification time: 1264059189 (21-Jan-2010 02:33:09) Stored file modification time : 1256283752 (23-Oct-2009 03:42:32) Warning: The file properties have changed: File: /usr/bin/logger Current hash: 08f2886e3ef1fa5adb34ed8b24477362206f85c6 Stored hash : c2bf21ac162bc7de5f6c0b787c304707127e5d96 Current file modification time: 1264059189 (21-Jan-2010 02:33:09) Stored file modification time : 1256283752 (23-Oct-2009 03:42:32) Warning: The file properties have changed: File: /usr/bin/whereis Current hash: 0d700404e6cfd49bc1ef39465a586706b3b9f008 Stored hash : 1552446e1285fd3d361e0198149e0a946ee7f28b Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /sbin/nologin Current hash: 01b82549a312108b655cca21993d2b24a56f3c7e Stored hash : 61255119451e25eb27e6e9a4ca67219564896d4f Current file modification time: 1263983792 (20-Jan-2010 05:36:33) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) Warning: The file properties have changed: File: /usr/sbin/vipw Current hash: da7bc573ef2c55f1f7e1a7ebb964dbf1187c2702 Stored hash : dc50bdcb381833d6e8e12cc7af81b37a0b3c4c8e Current file modification time: 1263983792 (20-Jan-2010 05:36:32) Stored file modification time : 1252007551 (03-Sep-2009 15:52:31) 通常情况下,我检查yum日志,看看这些文件是否最近被更新,但我没有看到他们有:
Jan 21 02:33:08 Updated: 30:bind-libs-9.3.6-4.P1.el5_4.2.x86_64 Jan 21 02:33:08 Updated: perl-Compress-Raw-Zlib-2.024-1.el5.rf.x86_64 Jan 21 02:33:08 Updated: perl-Compress-Raw-Bzip2-2.024-1.el5.rf.x86_64 Jan 21 02:33:09 Updated: 30:bind-9.3.6-4.P1.el5_4.2.x86_64 Jan 21 02:33:09 Updated: 1:cups-libs-1.3.7-11.el5_4.5.x86_64 Jan 21 02:33:11 Updated: util-linux-2.13-0.52.el5_4.1.x86_64 Jan 21 02:33:11 Updated: gzip-1.3.5-11.el5.centos.1.x86_64 Jan 21 02:33:11 Updated: perl-IO-Compress-2.024-1.el5.rf.noarch Jan 21 02:33:16 Updated: 30:caching-nameserver-9.3.6-4.P1.el5_4.2.x86_64 Jan 21 02:33:18 Updated: kernel-headers-2.6.18-164.11.1.el5.x86_64 Jan 21 02:33:18 Updated: 1:cups-libs-1.3.7-11.el5_4.5.i386
当我查看日志文件时是否缺less某些东西? 其中一个软件包是否会导致所有这些软件包的更新? 也许util-linux?
我知道运行rkhunter –propupd会重置它扫描的基本文件信息,但我只是想确保我不应该首先担心这些结果。 被改变的软件包似乎可以用于黑客攻击。
最后运行不显示任何可疑login。
我只是在64位CentOS上使用了“yum provides / path / binary”这个命令,所有这些二进制文件都是util-linux软件包的一部分。 最近更新中列出了哪些内容。
从现在到2009年9月3日之间的某个时间点,是否有可能使用了“预先链接”?Prelink有一个MD5标志:
--md5
这与–verify选项类似,除了在链接到标准输出MD5摘要之前输出二进制文件或库的内容。 参见md5sum(1)。
检查那些二进制文件,它应该匹配你的logging值,如果它是prelink导致他们改变。