也许我过于谨慎了,但我最近收到了来自 rkhunter 的以下警告:
Warning: The file properties have changed:
File: /bin/dmesg
Current hash: e94b12f49e53695bf5161a445c00b3f97e37e9a8
Stored hash : 4cc922b102987beea5ec3e10f283b08cfd942658
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/kill
Current hash: 12f2d4e21474ccdb989c9ee4d4102917e51d8d7b
Stored hash : 8e14ca5dbdc158a833c2d861bf682e31aae24675
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/logger
Current hash: 08f2886e3ef1fa5adb34ed8b24477362206f85c6
Stored hash : c2bf21ac162bc7de5f6c0b787c304707127e5d96
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/login
Current hash: d05eb12a1184d3babcf3380674293974b8a2dcce
Stored hash : 4849447380595bbff3aacc1a1ac90e59f7289ca6
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/more
Current hash: e2bad443495de0c23be2f87f836f80eafa3ba330
Stored hash : afb55b42873a210a5cec07baa106faa3829cae41
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /bin/mount
Current hash: cfda891d89dc57c94327bd62845f8ef13c42ff54
Stored hash : 32d8659bad80b43acc4e437510a88491c9c53294
Current file modification time: 1263983789 (20-Jan-2010 05:36:29)
Stored file modification time : 1252007547 (03-Sep-2009 15:52:27)
Warning: The file properties have changed:
File: /usr/bin/kill
Current hash: 12f2d4e21474ccdb989c9ee4d4102917e51d8d7b
Stored hash : 8e14ca5dbdc158a833c2d861bf682e31aae24675
Current file modification time: 1264059189 (21-Jan-2010 02:33:09)
Stored file modification time : 1256283752 (23-Oct-2009 03:42:32)
Warning: The file properties have changed:
File: /usr/bin/logger
Current hash: 08f2886e3ef1fa5adb34ed8b24477362206f85c6
Stored hash : c2bf21ac162bc7de5f6c0b787c304707127e5d96
Current file modification time: 1264059189 (21-Jan-2010 02:33:09)
Stored file modification time : 1256283752 (23-Oct-2009 03:42:32)
Warning: The file properties have changed:
File: /usr/bin/whereis
Current hash: 0d700404e6cfd49bc1ef39465a586706b3b9f008
Stored hash : 1552446e1285fd3d361e0198149e0a946ee7f28b
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /sbin/nologin
Current hash: 01b82549a312108b655cca21993d2b24a56f3c7e
Stored hash : 61255119451e25eb27e6e9a4ca67219564896d4f
Current file modification time: 1263983792 (20-Jan-2010 05:36:33)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
Warning: The file properties have changed:
File: /usr/sbin/vipw
Current hash: da7bc573ef2c55f1f7e1a7ebb964dbf1187c2702
Stored hash : dc50bdcb381833d6e8e12cc7af81b37a0b3c4c8e
Current file modification time: 1263983792 (20-Jan-2010 05:36:32)
Stored file modification time : 1252007551 (03-Sep-2009 15:52:31)
通常,我检查 yum 日志以查看这些文件最近是否已更新,但我看不到它们有:
Jan 21 02:33:08 Updated: 30:bind-libs-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:08 Updated: perl-Compress-Raw-Zlib-2.024-1.el5.rf.x86_64
Jan 21 02:33:08 Updated: perl-Compress-Raw-Bzip2-2.024-1.el5.rf.x86_64
Jan 21 02:33:09 Updated: 30:bind-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:09 Updated: 1:cups-libs-1.3.7-11.el5_4.5.x86_64
Jan 21 02:33:11 Updated: util-linux-2.13-0.52.el5_4.1.x86_64
Jan 21 02:33:11 Updated: gzip-1.3.5-11.el5.centos.1.x86_64
Jan 21 02:33:11 Updated: perl-IO-Compress-2.024-1.el5.rf.noarch
Jan 21 02:33:16 Updated: 30:caching-nameserver-9.3.6-4.P1.el5_4.2.x86_64
Jan 21 02:33:18 Updated: kernel-headers-2.6.18-164.11.1.el5.x86_64
Jan 21 02:33:18 Updated: 1:cups-libs-1.3.7-11.el5_4.5.i386
查看日志文件时是否遗漏了什么?这些软件包之一会导致所有这些软件包的更新吗?也许是 util-linux?
我知道运行 rkhunter --propupd 将重置它扫描的基本文件信息,但我只想确保我不应该首先担心这些结果。被更改的软件包似乎可以用于黑客攻击。
最后运行不会显示任何可疑登录。