Hi Sujit,

prelink -uma gives me this:

[EMAIL PROTECTED] ~]# prelink -uma
prelink: /usr/local/lib/libz.so.1.2.3 is not present in any config file directories, nor was specified on command line
prelink: /etc/httpd/lib/libexpat.so.0.1.0 is not present in any config file directories, nor was specified on command line
prelink: /etc/httpd/lib/libaprutil-0.so.0.9.7 is not present in any config file directories, nor was specified on command line
prelink: /usr/local/lib/libpng12.so.0.1.2.8 is not present in any config file directories, nor was specified on command line
prelink: /etc/httpd/lib/libapr-0.so.0.9.7 is not present in any config file directories, nor was specified on command line
[EMAIL PROTECTED] ~]#

Running rkhunter after that gives me clean OK's at all lines. YES YES

Thank you very much Sujit :)

//Hans

----- Original Message -----
From: "Sujit Nair" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, November 23, 2006 2:56 PM
Subject: Re: [Rkhunter-users] Bad lines again

> Hi Hans,
>
> Do this,
>
> prelink -uma
>
> now run rkhunter again and paste output here.
>
> Sujit
> On Wednesday 22 November 2006 22:15, Hans @ Tind.nl wrote:
>> Hi Sujit,
>>
>> Thank you for your reply.
>> I'm not completely sure what you mean but the errors I'm getting are:
>>
>> * System tools
>> Performing 'known good' check...
>> /bin/cat [ BAD ]
>> /bin/chmod [ BAD ]
>> /bin/chown [ BAD ]
>> /bin/date [ BAD ]
>> /bin/dmesg [ BAD ]
>> /bin/env [ BAD ]
>> /bin/grep [ BAD ]
>> /bin/kill [ BAD ]
>> /bin/login [ BAD ]
>> /bin/ls [ BAD ]
>> /bin/more [ BAD ]
>> /bin/mount [ BAD ]
>> /bin/netstat [ OK ]
>> /bin/ps [ BAD ]
>> /bin/su [ OK ]
>> /sbin/chkconfig [ BAD ]
>> /sbin/depmod [ BAD ]
>> /sbin/ifconfig [ OK ]
>> /sbin/init [ BAD ]
>> /sbin/insmod [ BAD ]
>> /sbin/ip [ BAD ]
>> /sbin/lsmod [ BAD ]
>> /sbin/modinfo [ BAD ]
>> /sbin/modprobe [ BAD ]
>> /sbin/rmmod [ BAD ]
>> /sbin/runlevel [ BAD ]
>> /sbin/sulogin [ BAD ]
>> /sbin/sysctl [ BAD ]
>> /sbin/syslogd [ OK ]
>> /usr/bin/chattr [ BAD ]
>> /usr/bin/du [ BAD ]
>> /usr/bin/file [ BAD ]
>> /usr/bin/find [ BAD ]
>> /usr/bin/head [ BAD ]
>> /usr/bin/killall [ BAD ]
>> /usr/bin/lsattr [ BAD ]
>> /usr/bin/md5sum [ BAD ]
>> /usr/bin/passwd [ BAD ]
>> /usr/bin/pstree [ BAD ]
>> /usr/bin/sha1sum [ BAD ]
>> /usr/bin/slocate [ BAD ]
>> /usr/bin/stat [ BAD ]
>> /usr/bin/strings [ BAD ]
>> /usr/bin/top [ BAD ]
>> /usr/bin/users [ BAD ]
>> /usr/bin/vmstat [ BAD ]
>> /usr/bin/w [ BAD ]
>> /usr/bin/watch [ BAD ]
>> /usr/bin/wc [ BAD ]
>> /usr/bin/wget [ OK ]
>> /usr/bin/whereis [ BAD ]
>> /usr/bin/who [ BAD ]
>> /usr/bin/whoami [ BAD ]
>> /usr/sbin/xinetd [ OK ]
>> --------------------------------------------------------------------------------
>> Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
>> binaries or updated packages (which give other hashes). Be sure your hashes are
>> up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
>> us through the Rootkit Hunter mailinglist at
>> [EMAIL PROTECTED]
>> --------------------------------------------------------------------------------
>>
>> After this I tried the howto on this subject on SourceForge (
>> http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 )
>> and I tried this section:
>>
>> 1) If you are running SELinux then temporarily disable it by
>>    typing in 'setenforce 0';
>>    Note: If you are unsure whether you are running SELinux or
>>    not, then type in 'sestatus'.
>>    A line containing 'Current mode: enforcing' indicates that
>>    you are running SELinux. If it says 'permissive', then you
>>    are not currently running SELinux, and can ignore the steps
>>    about SELinux.
>>
>> 2) Run the daily prelink update script - to do this type in
>>    '/etc/cron.daily/prelink';
>>
>> 3) Run the hashupd.sh script to update your local hash values;
>>
>> 4) Run rkhunter;
>>
>> 5) If rkhunter still shows 'BAD' hash entries, then type in
>>    'rm /etc/prelink.cache' and repeat the procedure from step 2.
>>    Note: Step 2 may now take some time to complete.
>>
>> 6) Re-enable SELinux, if you disabled it, by typing in
>>    'setenforce 1'. Hopefully rkhunter will now work without
>>    any problems with hash values.
>>
>> Still RKH starts and I get BAD or unknown hashes.
>>
>> Hope you can help :)
>>
>> Thanks
>>
>> Hans
>>
>> ----- Original Message -----
>> From: "Sujit Nair" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Wednesday, November 22, 2006 5:19 PM
>> Subject: Re: [Rkhunter-users] Bad lines again
>>
>> > Hi Hans,
>> >
>> > Can you post the exact errors you are getting.
>> > If it is about the prelink errors you can try the following:
>> >
>> > prelink -uma ( remove all prelink )
>> >
>> > prelink -av ( prelink all libraries )
>> >
>> > (If you are using libsafe you are bound to see some prelink errors that
>> > can be safely ignored ).
>> >
>> > Sujit
>> >
>> > On Wednesday 22 November 2006 15:08, Hans @ Tind.nl wrote:
>> >> Hi,
>> >>
>> >> I've been using RKH for a long time now but since I updated my CentOS to 4.4
>> >> I've been getting some strange errors.
>> >>
>> >> I downloaded version 1.29 from SF to update because the --update did not
>> >> work. After installing ( over prev version ) the first run showed my OS was
>> >> not supported so I ran the hashupd.sh and did everything according to the FAQ.
>> >> hashupd gives me:
>> >> [EMAIL PROTECTED] rkhunter]# sh hashupd.sh
>> >> [WARN] Could not find usable directory for temp files. Default to /var/tmp.
>> >> [INFO] Found release: "CentOS release 4.4 (Final)"
>> >> [INFO] "CentOS release 4.4 (Final)" is seq nr 724
>> >> [INFO] updated hashes.
>> >> [EMAIL PROTECTED] rkhunter]#
>> >>
>> >> After this when I do --checkall the OS not supported is gone but the BAD
>> >> lines still come back.
>> >>
>> >> I tried to do the '/etc/cron.daily/prelink' but that gives me this error:
>> >> [EMAIL PROTECTED] rkhunter]# /etc/cron.daily/prelink
>> >> /etc/cron.daily/prelink: line 47: 3223 Aborted
>> >> /usr/sbin/prelink -av $PRELINK_OPTS >>/var/log/prelink.log 2>&1
>> >>
>> >> Can anyone point me in the right direction or tell me what I'm doing wrong?
>> >>
>> >>
>> >> Thanks
>> >>
>> >> Hans
>> >
>> > -------------------------------------------------------------------------
>> > Take Surveys. Earn Cash.
>> > Influence the Future of IT
>> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
>> > opinions on IT & business topics through brief surveys - and earn cash
>> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>> > _______________________________________________
>> > Rkhunter-users mailing list
>> > [email protected]
>> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
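
The thread clears the BAD results by undoing prelinking. The following added example (not from the thread and not part of rkhunter) sorts BAD entries into those explained by prelinking and those that are not, using `prelink -y --md5`, which prints the digest of the file with prelinking undone. The reference manifest in md5sum format, the sample report and all function names are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout of rkhunter's report (not real scan output).
SAMPLE_REPORT="Performing 'known good' check...
/bin/cat [ BAD ]
/bin/netstat [ OK ]
/bin/ls [ BAD ]
/usr/bin/wget [ OK ]"

# Print every path that the report on stdin marks [ BAD ].
bad_paths() {
    awk '$2 == "[" && $3 == "BAD" && $4 == "]" { print $1 }'
}

# MD5 of the file exactly as it is on disk.
ondisk_md5() {
    md5sum "$1" 2>/dev/null | awk '{ print $1 }'
}

# MD5 of the file with prelinking undone (first field of prelink's output).
# Empty when prelink is not installed or the file fails prelink's verification.
unprelinked_md5() {
    command -v prelink >/dev/null 2>&1 || return 0
    prelink -y --md5 "$1" 2>/dev/null | awk '{ print $1 }'
}

# Look up PATH in a reference manifest in md5sum format ("digest  path").
# Assumption: the manifest was built from trusted package media.
reference_md5() {
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# classify MANIFEST PATH -> clean | prelinked | unknown | mismatch
classify() {
    ref=$(reference_md5 "$1" "$2")
    [ -n "$ref" ] || { echo unknown; return; }
    [ "$(ondisk_md5 "$2")" = "$ref" ] && { echo clean; return; }
    [ "$(unprelinked_md5 "$2")" = "$ref" ] && { echo prelinked; return; }
    echo mismatch
}

# triage MANIFEST < report : one "path verdict" line per BAD entry.
triage() {
    bad_paths | while read -r path; do
        echo "$path $(classify "$1" "$path")"
    done
}
```

Run it as `triage manifest.md5 < rkhunter-report.txt`. An entry reported as `mismatch` or `unknown` is not explained by prelinking and should be checked against the package database before any hashes are refreshed.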
