rkhunter: Warning: The file properties have changed

I’ve got a script running on a regular basis and executing rkhunter. After I finally got to installing all security updates on our new server, I started getting emails saying:

From: root
Subject: [rkhunter] Warnings found for …
Date: …
To: …

Please inspect this machine, because it may be infected.

And I found the following in /var/log/rkhunter.log:

Warning: The file properties have changed:
File: /usr/bin/ldd
Current inode: xxx Stored inode: xxx
Current file modification time: xxx
Stored file modification time : xxx
(as well as for a few other files).

Now I didn’t really check in detail which files were changed by these security updates, so I had to check…

# dpkg -S /usr/bin/ldd
libc-bin: /usr/bin/ldd

OK, so ldd belongs to the package libc-bin.
Now checking whether it was updated on that day:

# grep libc-bin /var/log/dpkg.log | grep 2012-04-20
2012-04-20 21:08:43 upgrade libc-bin 2.11.3-2 2.11.3-3
2012-04-20 21:08:43 status half-configured libc-bin 2.11.3-2
2012-04-20 21:08:43 status unpacked libc-bin 2.11.3-2
2012-04-20 21:08:43 status half-installed libc-bin 2.11.3-2
2012-04-20 21:08:44 status half-installed libc-bin 2.11.3-2
2012-04-20 21:08:44 status half-installed libc-bin 2.11.3-2
2012-04-20 21:08:44 status unpacked libc-bin 2.11.3-3
2012-04-20 21:08:44 status unpacked libc-bin 2.11.3-3
2012-04-20 21:08:44 configure libc-bin 2.11.3-3 2.11.3-3
2012-04-20 21:08:44 status unpacked libc-bin 2.11.3-3
2012-04-20 21:08:44 status unpacked libc-bin 2.11.3-3
2012-04-20 21:08:44 status unpacked libc-bin 2.11.3-3
2012-04-20 21:08:45 status unpacked libc-bin 2.11.3-3
2012-04-20 21:08:45 status half-configured libc-bin 2.11.3-3
2012-04-20 21:08:45 status installed libc-bin 2.11.3-3

Yes, it was! So everything is fine. I just need to let rkhunter know that it should update its data regarding the files it monitors:

rkhunter --propupd

And the warnings were gone!
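
An added example (not part of the original post): the same check scripted for every file rkhunter flags, with a comparison against the owning package's md5sums manifest before running --propupd. The function names and the OK/INVESTIGATE output are this example's own, and it assumes a Debian-style system with dpkg, dpkg-query and md5sum.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Paths listed under each "file properties have changed" warning in rkhunter log $1.
flagged_files() {
    awk '/Warning:/ { hit = ($0 ~ /file properties have changed/); next }
         hit && /File: / { sub(/.*File: */, ""); print }' "$1"
}

# "old -> new" for each upgrade of package $2 on day $3 (YYYY-MM-DD) in dpkg log $1.
upgraded_on() {
    awk -v pkg="$2" -v day="$3" '$1 == day && $3 == "upgrade" {
        p = $4; sub(/:.*/, "", p)      # drop a multiarch suffix such as :amd64
        if (p == pkg) print $5 " -> " $6 }' "$1"
}

# Succeeds if the MD5 of file $1 equals its entry in md5sums manifest $2.
matches_manifest() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    # Manifest lines are "<md5>  <path without leading slash>".
    awk -v s="$sum" -v f="${1#/}" '$1 == s && $2 == f { ok = 1 }
        END { exit !ok }' "$2"
}

# For every flagged file: find the owning package, require an upgrade on
# day $3 in dpkg log $2, and require the file to match the package manifest.
triage() {   # $1 = rkhunter log, $2 = dpkg log, $3 = day
    flagged_files "$1" | while read -r f; do
        pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)
        if [ -z "$pkg" ]; then
            echo "INVESTIGATE $f: not owned by any package"
            continue
        fi
        up=$(upgraded_on "$2" "$pkg" "$3")
        man=$(dpkg-query --control-path "$pkg" md5sums 2>/dev/null)
        if [ -n "$up" ] && [ -n "$man" ] && matches_manifest "$f" "$man"; then
            echo "OK $f: $pkg upgraded $up, checksum matches manifest"
        else
            echo "INVESTIGATE $f ($pkg): no upgrade that day or checksum mismatch"
        fi
    done
}

# Usage: sh triage.sh /var/log/rkhunter.log /var/log/dpkg.log 2012-04-20
if [ "$#" -eq 3 ]; then triage "$@"; fi
```

Only files reported as OK are candidates for rkhunter --propupd. The manifest is stored on the same host as the files it describes, so it confirms consistency with the installed package rather than independent authenticity.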
