Re: rkhunter report
> I don't want to go too far forward, because I DO NOT want kde4 installed, EVER. I run gnome/lxde, and my wife runs kde3.. She is already mad because people email her with M$ powerpoint attachments, and we hear no sound from them... isn't that what youtube is for? I cannot understand why people will send 9Mb powerpoint attachments of a youtube video, instead of a LINK to the video!( but that is another thread for another day:)

http://xkcd.com/763/

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/aanlktiktbc3itkzxk+nwpmkb7mcs1zxswf-shad6s...@mail.gmail.com
Re: rkhunter report
On Sat, 20 Nov 2010 08:08:02 -0500, Paul Cartwright wrote:

> I run rkhunter, and today I got this report:
>
> Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
> Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
> Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
>
> I am running Lenny, up-2-date.. is this something I can do anything about?

Nothing to worry about. rkhunter will give you such warnings for every application you have configured to be tracked and upstream had released a newer version.

Current GPG is 1.4.11 (and yours is 1.4.10)
Current openssl is 1.0.0.b (and yours is 0.9.8n)
Current sshd is 5.6 (and yours is 5.5p1)

But you know how Debian stable works for this: no newer versions are made available but just security patches until stable gets discontinued.

Greetings,

--
Camaleón
Re: rkhunter report
On 11/20/2010 07:07 PM, Brian wrote:

> Slapper Worm: . . . . spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. (www.f-secure.com). And the flaw hasn't been fixed?

don't have that one, good info though!

> You'll have to make your own mind up about the value of rkhunter. Go through what it claims to detect one by one.

thanks, I'll do that. I noticed that I was 2 revs behind, so at least I got to update rkhunter to 1.3.8 :) I keep forgetting apps that aren't updated by apt.. I wish there was a universal tool to find all apps not installed by apt check for updates..

--
Paul Cartwright
Registered Linux user # 367800
Re: rkhunter report
On 11/20/2010 06:34 PM, Boyd Stephen Smith Jr. wrote:

> I recommend it, but there aren't that many packages in it anyway so you are likely not missing anything.

I added it back did an update, and I think it did find 1 or 2 apps to update.. nothing.. that I could see, that might be a security issue..

> Volatile is meant for updates to packages whose usefulness naturally degrades as time passes, like virus scanners and spam filters. IIRC, occasionally IM software is even updated when proprietary protocols change. Basically stuff that loses functionality because of reasons outside of Debian's control. In some ways it overlaps with backports, since new upstream versions are allowed in some cases. It has been official much longer than backports, IIRC.

yeah, like rkhunter. I was running 1.3.6 and 1.3.8 is the latest..

> It isn't appropriate for fixing security flaws; that's what the security repository is for. It isn't for new upstream versions because the new version has additional features that the old version is lacking; that's what the backports repository is for.

I don't want to go too far forward, because I DO NOT want kde4 installed, EVER. I run gnome/lxde, and my wife runs kde3.. She is already mad because people email her with M$ powerpoint attachments, and we hear no sound from them... isn't that what youtube is for? I cannot understand why people will send 9Mb powerpoint attachments of a youtube video, instead of a LINK to the video!( but that is another thread for another day:)

thanks for the info!

--
Paul Cartwright
Registered Linux user # 367800
Re: rkhunter report
On 21. 11. 2010 13:35:21, Paul Cartwright wrote:

> already mad because people email her with M$ powerpoint attachments, and we hear no sound from them... isn't that what youtube is for? I cannot understand why people will send 9Mb powerpoint attachments of a youtube video, instead of a LINK to the video!( but that is another thread for another day:)

It's not about understanding, in that they usually don't do it for a reason but because they don't know better. The only way is gently educating them, pointing out that a simple link is better, and explaining *why* it's better. This, of course, is a never-ending task, because:

a) there will always be new users to whom you'll have to explain it all over again; and
b) some people simply *refuse* to memorize such stuff, even if forced at gunpoint.

--
Cheerio,
Klistvud
http://bufferoverflow.tiddlyspot.com
Certifiable Loonix User #481801
Please reply to the list, not to me.
Re: rkhunter report
Boyd Stephen Smith Jr. wrote:
> Paul Cartwright wrote:
>> I have volatile commented out in my sources.list.. should I be using it?
>
> I recommend it, but there aren't that many packages in it anyway so you are likely not missing anything.

I also recommend using volatile.

> Volatile is meant for updates to packages whose usefulness naturally degrades as time passes, like virus scanners and spam filters. ...

Another example of a package in volatile is tzdata. Time zones change when Daylight Savings Time start and end by Act of Congress in the US (and by other legislative bodies outside) beyond the control of a stable release. This needs to be updated when it changes. So the package is in volatile such that it can be updated as needed. But the behavior provided is not changed from release to release.

Bob
Re: rkhunter report
On 11/21/2010 09:02 PM, Bob Proulx wrote:

> I also recommend using volatile.

thanks!

>> Volatile is meant for updates to packages whose usefulness naturally degrades as time passes, like virus scanners and spam filters. ...
>
> Another example of a package in volatile is tzdata. Time zones change when Daylight Savings Time start and end by Act of Congress in the US (and by other legislative bodies outside) beyond the control of a stable release. This needs to be updated when it changes. So the package is in volatile such that it can be updated as needed. But the behavior provided is not changed from release to release.

I seem to recall that was one of the packages that got updated after I took out the comment from the volatile line..

ii tzdata 2010o-0lenny1 time zone and daylight-saving time data

luckily my alarm clock has a DST button that puts the time back like it should.. But I still have to manually STOP my Seth Thomas mantel clock:) old school, but I love it!

--
Paul Cartwright
Registered Linux user # 367800
rkhunter report
I run rkhunter, and today I got this report:

Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.

I am running Lenny, up-2-date.. is this something I can do anything about?

--
Paul Cartwright
Registered Linux user # 367800
Re: rkhunter report
In 4ce7c832.7010...@pcartwright.com, Paul Cartwright wrote:

> I run rkhunter, and today I got this report:
>
> Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
> Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
> Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
>
> I am running Lenny, up-2-date.. is this something I can do anything about?

Well, it would help if rkhunter was more specific. The Debian security team will sometimes take security fixes from newer releases and apply them to the packages in stable without bumping the version number reported by the software.

It does look like gnupg and openssl have received some updates since the Lenny release, and openssl got some from the security team specifically. openssh-server hasn't been updated since the Lenny release, AFAIK.

If there is a specific vulnerability you are concerned about, asking on debian-security for the status of a fix might be appropriate. As far as unknown threats go, there may be security flaws in the Lenny versions that are fixed upstream, but there may also be new flaws introduced upstream and are not in the Lenny versions.

Debian policy is that no new upstream versions enter stable, so if you would be more comfortable with newer versions, you'll have to pull from backports, testing, unstable, or possibly even experimental.

gnupg 1.4.11 is in experimental; openssl 0.9.8o is in testing and unstable; openssh-server 5.6p1 is in experimental. During a freeze (like now) some packages are uploaded to experimental instead of unstable not for any package(ing) specific reason, but to make fixing RC bugs in testing easier. After the freeze you should see these (or newer) versions uploaded to unstable within days.

--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
Re: rkhunter report
On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:

>> Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
>> Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
>> Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
>
> It does look like gnupg and openssl have received some updates since the Lenny release, and openssl got some from the security team specifically. openssh-server hasn't been updated since the Lenny release, AFAIK.
>
> If there is a specific vulnerability you are concerned about, asking on debian-security for the status of a fix might be appropriate. As far as unknown threats go, there may be security flaws in the Lenny versions that are fixed upstream, but there may also be new flaws introduced upstream and are not in the Lenny versions.

I am not so much concerned about vulnerability as I am rkhunter giving me a warning about up-2-date apps.. openssl might concern me, because I use ssl.. same with ssh.. since MOST of what I do is behind my router, I am not very public internet facing..

I just don't like getting messages that tell me something is NOT uptodate, when I am ALWAYS up to date..

--
Paul Cartwright
Registered Linux user # 367800
Re: rkhunter report
In 4ce82f6e.3030...@pcartwright.com, Paul Cartwright wrote:
> On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:
>>> Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
>>> Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
>>> Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
>>
>> If there is a specific vulnerability you are concerned about, asking on debian-security for the status of a fix might be appropriate.
>
> I am not so much concerned about vulnerability as I am rkhunter giving me a warning about up-2-date apps..

File a bug against rkhunter, then.

> I just don't like getting messages that tell me something is NOT uptodate, when I am ALWAYS up to date..

Many people don't consider Debian stable up-to-date even with packages from security.debian.org and volatile.debian.org in use. It is possible that the development / release team of rkhunter contains some of those people.

--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
Re: rkhunter report
On 11/20/2010 03:59 PM, Boyd Stephen Smith Jr. wrote:

> File a bug against rkhunter, then.

that is a thought..

>> I just don't like getting messages that tell me something is NOT uptodate, when I am ALWAYS up to date..
>
> Many people don't consider Debian stable up-to-date even with packages from security.debian.org and volatile.debian.org in use. It is possible that the development / release team of rkhunter contains some of those people.
> --

I have volatile commented out in my sources.list.. should I be using it?

sources.list:

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://ftp.de.debian.org/debian lenny main
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://security.us.debian.org/ lenny/updates main contrib non-free
deb http://tovid.sourceforge.net/download/debian lenny contrib
deb-src http://tovid.sourceforge.net/download/debian lenny contrib
deb http://deb.opera.com/opera/ lenny non-free
deb http://download.skype.com/linux/repos/debian/ stable non-free
# End of suggested Stable repos
###
### EXTERNAL SOURCES
###
# for avasys for Epson printing
deb http://www.da-cha.jp/debian/dists/etch ./
#backports go here:
deb http://www.backports.org/debian lenny-backports main contrib non-free
deb http://ftp.debian.org/debian lenny main contrib non-free
deb http://www.debian-multimedia.org lenny main
# added linuxfoundation-openprinting for HPLIP
deb http://www.openprinting.org/download/printdriver/debian/ lsb3.2 main
deb http://ftp.us.debian.org/debian/ lenny-proposed-updates contrib non-free main
deb-src http://ftp.us.debian.org/debian/ lenny-proposed-updates contrib non-free main
deb http://security.debian.org/ lenny/updates contrib non-free main
deb-src http://security.debian.org/ lenny/updates contrib non-free main
##spotify
deb http://repository.spotify.com stable non-free

--
Paul Cartwright
Registered Linux user # 367800
Re: rkhunter report
Paul Cartwright [2010.11.20 1528 -0500]:
> On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:
>>> Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
>>> Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
>>> Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
>>
>> It does look like gnupg and openssl have received some updates since the Lenny release, and openssl got some from the security team specifically. openssh-server hasn't been updated since the Lenny release, AFAIK.
>>
>> If there is a specific vulnerability you are concerned about, asking on debian-security for the status of a fix might be appropriate. As far as unknown threats go, there may be security flaws in the Lenny versions that are fixed upstream, but there may also be new flaws introduced upstream and are not in the Lenny versions.
>
> I am not so much concerned about vulnerability as I am rkhunter giving me a warning about up-2-date apps.. openssl might concern me, because I use ssl.. same with ssh.. since MOST of what I do is behind my router, I am not very public internet facing..
>
> I just don't like getting messages that tell me something is NOT uptodate, when I am ALWAYS up to date..

If I recall correctly from a previous thread on this list, rkhunter simply tests whether you have the most recent version of these applications installed and warns you if you don't. I simply ignored these warnings when I got them.

If I understand the documentation of rkhunter (which is very sparse) correctly, you can eliminate these warnings by adding

ATTRWHITELIST=path to gpg

and the same for anything else you get these warnings for to /etc/rkhunter.conf. Again, if I understand correctly, this will also turn off other attribute checks for these programs, including uid/gid, etc. Since these may be useful checks to detect malicious modifications on your system, you may not want to do this.

Cheers,
Norbert
Re: rkhunter report
On Sat 20 Nov 2010 at 15:28:30 -0500, Paul Cartwright wrote:

> I just don't like getting messages that tell me something is NOT uptodate, when I am ALWAYS up to date..

Well, don't run applications which output spurious warnings as a matter of course. Purging rkhunter will do wonders for your blood pressure without endangering your system.
Re: rkhunter report
On Sat, Nov 20, 2010 at 08:46:57PM +, Brian wrote:

> Well, don't run applications which output spurious warnings as a matter of course. Purging rkhunter will do wonders for your blood pressure without endangering your system.

I agree.
Re: rkhunter report
On 11/20/2010 03:46 PM, Brian wrote:

> Well, don't run applications which output spurious warnings as a matter of course. Purging rkhunter will do wonders for your blood pressure without endangering your system.

are you saying rkhunter is not worth running?

--
Paul Cartwright
Registered Linux user # 367800
Re: rkhunter report
In 4ce83a40.5030...@pcartwright.com, Paul Cartwright wrote:
> On 11/20/2010 03:59 PM, Boyd Stephen Smith Jr. wrote:
>> Many people don't consider Debian stable up-to-date even with packages from security.debian.org and volatile.debian.org in use. It is possible that the development / release team of rkhunter contains some of those people.
>
> I have volatile commented out in my sources.list.. should I be using it?

I recommend it, but there aren't that many packages in it anyway so you are likely not missing anything.

Volatile is meant for updates to packages whose usefulness naturally degrades as time passes, like virus scanners and spam filters. IIRC, occasionally IM software is even updated when proprietary protocols change. Basically stuff that loses functionality because of reasons outside of Debian's control. In some ways it overlaps with backports, since new upstream versions are allowed in some cases. It has been official much longer than backports, IIRC.

It isn't appropriate for fixing security flaws; that's what the security repository is for. It isn't for new upstream versions because the new version has additional features that the old version is lacking; that's what the backports repository is for.

--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
Re: rkhunter report
On Sat 20 Nov 2010 at 16:50:59 -0500, Paul Cartwright wrote:

> are you saying rkhunter is not worth running?

Chosen at random.

beX2, portacelo and devil rootkits: Distinguished by there being no evidence for their existence. A doctor telling me to avoid contracting beX2, portacelo or devil disease would get raised eyebrows in the same situation.

Slapper Worm: . . . . spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. (www.f-secure.com). And the flaw hasn't been fixed?

You'll have to make your own mind up about the value of rkhunter. Go through what it claims to detect one by one.
Re: rkhunter report. How to interpret it?
Check whether you recently made any change to the package that contains the files mentioned (perhaps via apt/aptitude upgrade).

Fabiano.

2008/11/9 Marcelo Laia [EMAIL PROTECTED]

> I have been receiving rkhunter reports like the following:
>
> Warning: The file properties have changed:
>   File: /bin/egrep
>   Current hash: 8ce634e37e97917e5ab82f2570e0cf21b926ebb2
>   Stored hash : c39118a2bbeebeb22cd67f0907b8455d2da5fc06
>   Current inode: 293334    Stored inode: 293195
>   Current size: 92276    Stored size: 92436
>   Current file modification time: 1220202404
>   Stored file modification time : 1204239085
> Warning: The file properties have changed:
>   File: /bin/fgrep
>   Current hash: 49fa068f38c23396280c9031bd49709a8d2159ad
>   Stored hash : be5c2b7c374c4a42fb35b58871fedeb8ec5dcf30
>   Current inode: 293343    Stored inode: 293196
>   Current size: 55344    Stored size: 52880
>   Current file modification time: 1220202404
>   Stored file modification time : 1204239085
>
> etc.
>
> All of them are Warnings with the same wording: hash change.
>
> Should I worry about this? What should I do?
>
> Thanks
>
> --
> Marcelo Luiz de Laia
> Jaboticabal - SP - Brazil
> Please avoid sending me Word or PowerPoint attachments.
> See: http://www.gnu.org/philosophy/no-word-attachments.html
> http://www.gnu.org/philosophy/no-word-attachments.pt-br.html

--
Fabiano Pires
LPIC-2
http://pragasdigitais.blogspot.com/
Ridding you of the scum of the Internet!
rkhunter report. How to interpret it?
I have been receiving rkhunter reports like the following:

Warning: The file properties have changed:
  File: /bin/egrep
  Current hash: 8ce634e37e97917e5ab82f2570e0cf21b926ebb2
  Stored hash : c39118a2bbeebeb22cd67f0907b8455d2da5fc06
  Current inode: 293334    Stored inode: 293195
  Current size: 92276    Stored size: 92436
  Current file modification time: 1220202404
  Stored file modification time : 1204239085
Warning: The file properties have changed:
  File: /bin/fgrep
  Current hash: 49fa068f38c23396280c9031bd49709a8d2159ad
  Stored hash : be5c2b7c374c4a42fb35b58871fedeb8ec5dcf30
  Current inode: 293343    Stored inode: 293196
  Current size: 55344    Stored size: 52880
  Current file modification time: 1220202404
  Stored file modification time : 1204239085

etc.

All of them are Warnings with the same wording: hash change.

Should I worry about this? What should I do?

Thanks

--
Marcelo Luiz de Laia
Jaboticabal - SP - Brazil
Please avoid sending me Word or PowerPoint attachments.
See: http://www.gnu.org/philosophy/no-word-attachments.html
http://www.gnu.org/philosophy/no-word-attachments.pt-br.html
rkhunter report issues?
Does this mean anything?

Warning: The file properties have changed:
  File: /bin/login
  Current hash: 9092a50dbbf0b16b095a1ee22e9bfb2a9e0f9a21
  Stored hash : b333555dccebeca07909fdc9c53160f5e399d4f6
  Current inode: 2068498    Stored inode: 2071401
  Current size: 35236    Stored size: 35268
  Current file modification time: 1217093050
  Stored file modification time : 1207180658
Warning: The file properties have changed:
  File: /bin/mktemp
  Current hash: cb8928cb9aba84186d11744596a75dfd2bd420bc
  Stored hash : ac19f5e6d493de185416217febced0a32a13fa9d
  Current inode: 2068445    Stored inode: 2070399
  Current size: 6672    Stored size: 6824
  Current file modification time: 1218814174
  Stored file modification time : 1202665904
Warning: The file properties have changed:
  File: /bin/su
  Current hash: 7fb5d1b369ffa2b22f89e51adf2dee61e5b0fb58
  Stored hash : 3c1672c591311d42dc48439d7cf0791e54d1af28
  Current inode: 2068500    Stored inode: 2071402
  Current file modification time: 1217093050
  Stored file modification time : 1207180658

I'm not sure what to look at, or if there is even a problem:

# ls -l /bin/su
-rwsr-xr-x 1 root root 27108 2008-07-26 13:24 /bin/su
# uname -a
Linux paulandcilla 2.6.25-2-686 #1 SMP Fri Jul 18 17:46:56 UTC 2008 i686 GNU/Linux
#

--
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
Re: rkhunter report issues?
On 2008-08-26 15:07, Paul Cartwright wrote:

> Does this mean anything?
>
> Warning: The file properties have changed:
>   File: /bin/login
>   Current hash: 9092a50dbbf0b16b095a1ee22e9bfb2a9e0f9a21
>   Stored hash : b333555dccebeca07909fdc9c53160f5e399d4f6
>   Current inode: 2068498    Stored inode: 2071401
>   Current size: 35236    Stored size: 35268
>   Current file modification time: 1217093050
>   Stored file modification time : 1207180658
> [snip]

IIUC, this means that those files have been changed since the last time you ran 'rkhunter --propupd'. This could have either been a hacker or it was you, eg. via installing a (security) update. It's up to you to 'inform' rkhunter on any system files that get updated.

Hint: on lenny, my 'login' was last updated on 2008-08-15.

> I'm not sure what to look at, or if there is even a problem:
>
> # ls -l /bin/su
> -rwsr-xr-x 1 root root 27108 2008-07-26 13:24 /bin/su

If this file has been changed by YOU it is ok, if it has been changed by someone else... probably not.

HTH,
Johannes
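
The check suggested in the reply above (did a package update explain the change?) can be worked through as follows. This is an added example, not part of any message in the thread: it parses "file properties have changed" warnings and compares each file's new modification time with the last install/upgrade of its owning package. The dpkg.log excerpt and the file-to-package map are constructed, and the function names are made up for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two warnings quoted in the thread, one field per line.
REPORT = """\
Warning: The file properties have changed:
         File: /bin/login
         Current hash: 9092a50dbbf0b16b095a1ee22e9bfb2a9e0f9a21
         Stored hash : b333555dccebeca07909fdc9c53160f5e399d4f6
         Current inode: 2068498    Stored inode: 2071401
         Current size: 35236    Stored size: 35268
         Current file modification time: 1217093050
         Stored file modification time : 1207180658
Warning: The file properties have changed:
         File: /bin/mktemp
         Current hash: cb8928cb9aba84186d11744596a75dfd2bd420bc
         Stored hash : ac19f5e6d493de185416217febced0a32a13fa9d
         Current inode: 2068445    Stored inode: 2070399
         Current size: 6672    Stored size: 6824
         Current file modification time: 1218814174
         Stored file modification time : 1202665904
"""
# Constructed dpkg.log excerpt (timestamps and version strings are made up).
DPKG_LOG = """\
2008-08-15 09:12:43 upgrade login 0.0-1 0.0-2
2008-08-15 09:12:44 status installed login 0.0-2
"""
# Assumed file-to-package map, standing in for the output of `dpkg -S <file>`.
OWNERS = {"/bin/login": "login", "/bin/su": "login", "/bin/mktemp": "mktemp"}

FIELDS = {
    "file": r"File:\s*(\S+)",
    "current_hash": r"Current hash:\s*([0-9a-f]+)",
    "stored_hash": r"Stored hash\s*:\s*([0-9a-f]+)",
    "current_mtime": r"Current file modification time:\s*(\d+)",
    "stored_mtime": r"Stored file modification time\s*:\s*(\d+)",
}
LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (install|upgrade) (\S+) ")

def parse_warnings(report):
    """Return one dict per 'file properties have changed' warning."""
    warnings = []
    for chunk in report.split("Warning: The file properties have changed:")[1:]:
        w = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, chunk)
            if m:
                w[name] = m.group(1)
        for key in ("current_mtime", "stored_mtime"):
            if key in w:  # rkhunter reports mtimes as epoch seconds
                w[key] = datetime.fromtimestamp(int(w[key]), tz=timezone.utc)
        if "file" in w and "current_mtime" in w:
            warnings.append(w)
    return warnings

def last_package_change(dpkg_log, tz=timezone.utc):
    """Map package -> time of its latest install/upgrade entry.
    dpkg.log uses local time; pass the host's zone as tz (UTC assumed here)."""
    latest = {}
    for line in dpkg_log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            pkg = m.group(3).split(":")[0]  # newer dpkg logs "pkg:arch"
            latest[pkg] = max(when, latest.get(pkg, when))
    return latest

def triage(report, dpkg_log, owners):
    """Classify each changed file by whether package activity can explain it."""
    latest = last_package_change(dpkg_log)
    verdicts = {}
    for w in parse_warnings(report):
        changed = latest.get(owners.get(w["file"]))
        if changed is None:
            verdicts[w["file"]] = "no-package-activity"     # nothing logged: look closer
        elif w["current_mtime"] <= changed:
            verdicts[w["file"]] = "package-upgrade"         # file predates the upgrade
        else:
            verdicts[w["file"]] = "modified-after-upgrade"  # touched after dpkg ran
    return verdicts

if __name__ == "__main__":
    for path, verdict in triage(REPORT, DPKG_LOG, OWNERS).items():
        print(f"{path}: {verdict}")
```

A "package-upgrade" verdict only says the timestamps are consistent with an update; modification times and logs can be rewritten by whoever altered a file, so compare the file with the package's own checksums (for example with debsums) before refreshing the baseline with 'rkhunter --propupd'.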