Red Hat Shenanigans
An “update” or “patch” in Linux is just a file that overwrites the old file, so it will have a different hash value than the old file. Rootkit Hunter will warn you about this, and it gets annoying!
The procedure for this sort of event is as follows:

- Look at the files that rkhunter tells us have changed, and try to figure out what package they’re in. We do this by using the --whatprovides flag in the rpm command. For the /bin/basename file, we would do:

    [root@boxname ~]# rpm -q --whatprovides /bin/basename
    coreutils-5.97-23.el5_4.1

  We can see from the output that the file is part of the coreutils package.

- Query the rpm database to find out when the coreutils package was last updated:

    [root@boxname ~]# rpm -q --last coreutils
    coreutils-5.97-23.el5_4.1 ... 04:36:11 AM PDT

  We can see it was last updated at 4:36 AM this morning.

- Now we need to know whether or not it was supposed to be updated. If we’ve received an RHN email saying that there’s a coreutils update available (it might even list the box by name), we can be pretty confident that the update is legit. If not, we log into RHN and check the Event History for this machine (click on the machine in the list you see under “Systems”, click the “Events” tab, and click the “History” tab under that). If we see something like:

    Errata Update: RHBA-2009:1511-1 - coreutils bug fix update scheduled by (Red Hat)

  with a green check mark next to it, it’s clear that RHN successfully applied the update to the coreutils package at 7:36 AM eastern time. Since this matches the time in our query from step 2 (we’re off by a few seconds, but that’s probably okay), we can be pretty sure that the update is legit. If we REALLY want to be sure, we can search for the coreutils package on RHN, look at the file listing, check the md5sum listed for the /bin/basename file, and compare it to the md5sum of that file on the local box (remember rkhunter uses sha1sum, so we would need to generate the md5sum manually with the “md5sum” command). If they match, we know for sure we’re okay.

- Once we’re sure the file(s) are legit, we update the hashes in the rkhunter database using:

    rkhunter --propupd
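The same three checks, wired together as a small shell script so the triage can be run over every path rkhunter complained about instead of one at a time. This is an added example and not code from the original post. It assumes rpm is in PATH, and it uses rpm -Vf (verify the package that owns a file) as a local stand-in for the manual md5sum comparison described above, since on RHEL 5 the file digest rpm records in its database is MD5. The CHANGED list is constructed sample input standing in for paths copied out of an rkhunter warning.

```shell
#!/bin/sh
# Added example, not from the original post. For each file rkhunter reported
# as changed: which package owns it, when that package was installed, and
# whether the on-disk file still matches the digest recorded in the rpm
# database (MD5 on RHEL 5). Assumes rpm is in PATH; CHANGED is constructed.

# Step 1: map a path to the package that owns it. Prints "unowned" when no
# package claims the file, which is itself worth a closer look.
owning_package() {
    pkg=$(rpm -q --whatprovides "$1" 2>/dev/null) || pkg=""
    case "$pkg" in
        "" | "no package provides"*) echo "unowned" ;;
        *) echo "$pkg" ;;
    esac
}

# Step 2: when the owning package was installed or updated, read from the
# INSTALLTIME header tag (the same information rpm -q --last shows, but
# without having to parse that command's free-form output).
install_time() {
    rpm -q --qf '%{INSTALLTIME:date}\n' "$1" 2>/dev/null
}

# Step 3 (local cross-check): rpm -Vf verifies the package that owns the file
# and prints one line per differing file: a flag string, then the path. A '5'
# in the third flag column means the digest no longer matches the package.
# An 'T' (mtime) alone is normal after an update and is ignored here.
# Returns 0 when the digest matches, 1 when it differs, 2 if rpm could not
# be run at all (fail closed rather than reporting a match).
file_matches_db() {
    out=$(rpm -Vf "$1" 2>/dev/null) || [ -n "$out" ] || return 2
    printf '%s\n' "$out" |
        awk -v p="$1" '$NF == p && substr($1, 3, 1) == "5" { bad = 1 } END { exit bad }'
}

# Put the checks together for one path. Exit status: 0 looks like a normal
# package update, 1 digest differs from the rpm database, 2 the file cannot
# be tied to any package, 3 verification could not be performed. Only the 0
# case is a candidate for rkhunter --propupd, and even then the RHN event
# history check still applies: rpm -V trusts the local database, which a
# rootkit on the box could have altered along with the file.
triage() {
    pkg=$(owning_package "$1")
    if [ "$pkg" = unowned ]; then
        echo "$1: not owned by any package -> investigate before trusting it"
        return 2
    fi
    rc=0
    file_matches_db "$1" || rc=$?
    case $rc in
        0) echo "$1: $pkg (installed $(install_time "$pkg")), digest matches rpm db -> confirm in RHN, then rkhunter --propupd"
           return 0 ;;
        1) echo "$1: $pkg, digest differs from rpm db -> do not run propupd, investigate"
           return 1 ;;
        *) echo "$1: $pkg, could not verify against rpm db"
           return 3 ;;
    esac
}

# Constructed sample input: paths as they might be copied from an rkhunter
# warning. On a real box, feed it the list rkhunter printed.
CHANGED="/bin/basename /bin/ls /usr/local/bin/odd"
for f in $CHANGED; do
    triage "$f" || true
done
```

The script only shortens the first two steps and the "compare the digest" part of step 3; it cannot tell whether the update was supposed to happen, which is what the RHN email or Event History answers. Treat its 0 result as "consistent with a normal update", not as clearance to run --propupd on its own.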
Posted 2 years ago & Filed under Red Hat, Linux, Root Kit Hunter, systems administration