RHEL 5.4 + rkhunter 1.3.6 误报列表

作者: reistlin
来源: http://www.reistlin.com/blog/171
更新时间: 2011.02
版权声明: 原创文章.转载请保留作者信息和原文完整.谢绝任何方式的摘要

默认安装 RHEL（Red Hat Enterprise Linux Server release 5.4 (Tikanga)），运行 [rkhunter]（Rootkit Hunter 1.3.6），误报列表。

测试环境：

Red Hat Enterprise Linux Server release 5.4 (Tikanga)

[root@reistlin.com]# uname -a
Linux VM-RHEL-02 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
 
[root@reistlin.com]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.4 (Tikanga)

Rootkit Hunter 1.3.6

[root@reistlin.com]# ./rkhunter  -V
Rootkit Hunter 1.3.6
 
Currently under active development by the Rootkit Hunter project team.
Please review your rkhunter.conf before using.
Please review the documentation before posting bug reports or questions.
To report bugs, obtain updates, or provide patches or comments, please go to:
http://rkhunter.sourceforge.net

检查结果：

System checks summary
=====================
 
File properties checks...
Required commands check failed
Files checked: 136
Suspect files: 6
 
Rootkit checks...
Rootkits checked : 253
Possible rootkits: 0
 
Applications checks...
Applications checked: 4
Suspect applications: 2
 
The system checks took: 8 minutes and 56 seconds
 
Info: End date is Mon Feb 21 11:24:08 CST 2011

误报文件：

/usr/bin/GET                                      [ Warning ]
Warning: The command ''/usr/bin/GET'' has been replaced by a script: /usr/bin/GET: perl script text executable
 
/usr/bin/groups                                   [ Warning ]
Warning: The command ''/usr/bin/groups'' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
 
/usr/bin/ldd                                      [ Warning ]
Warning: The command ''/usr/bin/ldd'' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
 
/usr/bin/whatis                                   [ Warning ]
Warning: The command ''/usr/bin/whatis'' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
 
/sbin/ifdown                                      [ Warning ]
Warning: The command ''/sbin/ifdown'' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
 
/sbin/ifup                                        [ Warning ]
Warning: The command ''/sbin/ifup'' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

文件 MD5 值：

1f3f50b4551dc76eb5568952016005fc  /usr/bin/GET
b37f687b322e9fe7b0ee50408dde8770  /usr/bin/groups
690703166113ae9e73bed53463399bd7  /usr/bin/ldd
677ba807a76f2bbb7cbfcca34e8e4612  /usr/bin/whatis
a9d0955b2e5a60e28e43d59af96f3f73  /sbin/ifdown
2cff944b03ce2a0122e2b902d2cd681a  /sbin/ifup