Start by querying the Red Hat package manager

rpm -ql coreutils | grep bin > files1

This gets a listing of all the executables in that rpm, dumping them into a file called files1.

Next, copy the file to a file called “file2”, open up file 2, and go through it, deleting every line that contained a file rkhunter had told you about (there were several executables in coreutils that didn’t get updated as a result of this bugfix).  At this point you have a file with all the files in the package, and a file with the all the files in the package that DIDN’T change. Next, run the following command:

diff file1file2 | grep \< | cut -d \< -f 2 > changedfiles

This command takes all the lines in file1 that aren’t in file2 and dumps them into a file called “changedfiles”.  Unfortunately, it results in a leading whitespace in each line, which can be manually removed since there probably aren’t that many lines.  The number of lines should be equal to the number of files that rkhunter warned you about.

Using this file, run the following bourne shell script to get a checksum of all the files into the file called “md5sums”:

#!/bin/sh

FILELIST=`cat changedfiles`;
for FILE in $FILELIST
do
md5sum $FILE » md5sums
done

Finally, compare the checksums and md5sums against RHN, made sure they were all good.

md5sum -c md5sums | grep -v OK

No news is good news at this point, it means that all the files matched, so go ahead and update rkhunter’s database with the current hash values.