RHEL 5.4 + rkhunter 1.3.6 false-positive list
Author: reistlin
Source: http://www.reistlin.com/blog/171
Updated: 2011.02
Copyright notice: original article. When reposting, keep the author information and the full text intact; excerpting in any form is not permitted.
On a default install of RHEL (Red Hat Enterprise Linux Server release 5.4 (Tikanga)), running rkhunter (Rootkit Hunter 1.3.6) produces the false positives listed below: the file properties check warns that several stock commands have been "replaced by a script", because those commands ship as scripts rather than binaries on this release.
Test environment:
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
[root@reistlin.com]# uname -a
Linux VM-RHEL-02 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@reistlin.com]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Rootkit Hunter 1.3.6
[root@reistlin.com]# ./rkhunter -V
Rootkit Hunter 1.3.6

Currently under active development by the Rootkit Hunter project team.
Please review your rkhunter.conf before using.
Please review the documentation before posting bug reports or questions.
To report bugs, obtain updates, or provide patches or comments, please go to:
http://rkhunter.sourceforge.net
Check results:
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 136
    Suspect files: 6

Rootkit checks...
    Rootkits checked : 253
    Possible rootkits: 0

Applications checks...
    Applications checked: 4
    Suspect applications: 2

The system checks took: 8 minutes and 56 seconds

Info: End date is Mon Feb 21 11:24:08 CST 2011
Falsely flagged files:
/usr/bin/GET                                                [ Warning ]
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
/usr/bin/groups                                             [ Warning ]
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
/usr/bin/ldd                                                [ Warning ]
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
/usr/bin/whatis                                             [ Warning ]
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
/sbin/ifdown                                                [ Warning ]
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
/sbin/ifup                                                  [ Warning ]
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
File MD5 sums (stock RHEL 5.4 copies of the six files above):
1f3f50b4551dc76eb5568952016005fc  /usr/bin/GET
b37f687b322e9fe7b0ee50408dde8770  /usr/bin/groups
690703166113ae9e73bed53463399bd7  /usr/bin/ldd
677ba807a76f2bbb7cbfcca34e8e4612  /usr/bin/whatis
a9d0955b2e5a60e28e43d59af96f3f73  /sbin/ifdown
2cff944b03ce2a0122e2b902d2cd681a  /sbin/ifup
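As an added example that is not part of the original post, the POSIX shell check below re-verifies the six files against the MD5 sums listed above and emits rkhunter.conf SCRIPTWHITELIST lines only for files that still match; a file whose sum differs is reported as MISMATCH so it is investigated rather than whitelisted. It assumes GNU `md5sum` and the stock RHEL 5.4 paths; the optional ROOT argument is my addition so the same check can run against a mounted image or a test tree.

```shell
#!/bin/sh
# Added example: re-check the rkhunter 1.3.6 "replaced by a script" warnings
# on RHEL 5.4 against the known-good MD5 sums from the post above.

# Baseline copied from the post: "<md5> <path>", one file per line.
RHEL54_BASELINE='1f3f50b4551dc76eb5568952016005fc /usr/bin/GET
b37f687b322e9fe7b0ee50408dde8770 /usr/bin/groups
690703166113ae9e73bed53463399bd7 /usr/bin/ldd
677ba807a76f2bbb7cbfcca34e8e4612 /usr/bin/whatis
a9d0955b2e5a60e28e43d59af96f3f73 /sbin/ifdown
2cff944b03ce2a0122e2b902d2cd681a /sbin/ifup'

# classify_files BASELINE [ROOT]
# Prints one "STATUS path" line per baseline entry:
#   KNOWNFP  - sum matches the stock file: the warning is the documented false positive
#   MISMATCH - file present but sum differs: do not whitelist; check it with 'rpm -Vf <path>'
#   MISSING  - file absent under ROOT
# ROOT (assumed helper, default empty = live system) prefixes every path.
classify_files() {
    baseline=$1; root=${2:-}
    printf '%s\n' "$baseline" | while read -r expect path; do
        [ -n "$path" ] || continue
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"
        elif [ "$(md5sum "$f" | cut -d' ' -f1)" = "$expect" ]; then
            echo "KNOWNFP $path"
        else
            echo "MISMATCH $path"
        fi
    done
}

# whitelist_lines BASELINE [ROOT]
# Emits "SCRIPTWHITELIST=<path>" for every KNOWNFP entry, ready to paste into
# rkhunter.conf (SCRIPTWHITELIST silences only the "replaced by a script" test).
# Returns 1 if any file mismatched, so a wrapper can refuse to apply the whitelist.
whitelist_lines() {
    out=$(classify_files "$1" "${2:-}")
    printf '%s\n' "$out" | awk '$1 == "KNOWNFP" { print "SCRIPTWHITELIST=" $2 }'
    ! printf '%s\n' "$out" | grep -q '^MISMATCH'
}

# On a live RHEL 5.4 box:  whitelist_lines "$RHEL54_BASELINE"
```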