Debian Bug report logs - #544573
rkhunter complains about unhide-linux

Package: rkhunter; Maintainer for rkhunter is Debian Forensics <forensics-devel@lists.alioth.debian.org>; Source for rkhunter is src:rkhunter.

Reported by: James Zuelow <james_zuelow@ci.juneau.ak.us>

Date: Tue, 1 Sep 2009 16:51:01 UTC

Severity: normal

Merged with 562103

Found in version rkhunter/1.3.2-6

Done: Julien Valroff <julien@kirya.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#544573; Package rkhunter. (Tue, 01 Sep 2009 16:51:04 GMT)

Acknowledgement sent to James Zuelow <james_zuelow@ci.juneau.ak.us>:
New Bug report received and forwarded. Copy sent to Julien Valroff <julien@kirya.net>. (Tue, 01 Sep 2009 16:51:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: James Zuelow <james_zuelow@ci.juneau.ak.us>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rkhunter complains about unhide-linux
Date: Tue, 01 Sep 2009 08:29:14 -0800
Package: rkhunter
Version: 1.3.2-6
Severity: minor

When first installed, rkhunter scans will report this:

Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.

Since unhide-linux26 is installed automatically with rkhunter, 
it makes sense to me that it would be in rkhunter's database.

The solution is to uninstall rkhunter, and then re-install it.

I'm not familiar enough with deb packaging to suggest a fix, but it
seems to me that when rkhunter is installed it inventories the packages
that are already installed on the machine.  But it does not account for
packages that are installed in the same apt/aptitude command that is
installing rkhunter.  Just a WAG on my part.

Cheers!

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages rkhunter depends on:
ii  binutils            2.18.1~cvs20080103-7 The GNU assembler, linker and bina
ii  debconf [debconf-2. 1.5.24               Debian configuration management sy
ii  file                4.26-1               Determines file type using "magic"
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction 
ii  postfix [mail-trans 2.5.5-1.1            High-performance mail transport ag

Versions of packages rkhunter recommends:
ii  iproute                       20080725-2 networking and traffic control too
ii  libmd5-perl                   2.03-1     backwards-compatible wrapper for D
ii  unhide                        20080519-2 Forensic tool to find hidden proce
ii  wget                          1.11.4-2   retrieves files from the web

Versions of packages rkhunter suggests:
ii  bsd-mailx          8.1.2-0.20071201cvs-3 A simple mail user agent

-- debconf information:
  rkhunter/apt_autogen: false
  rkhunter/cron_daily_run:
  rkhunter/cron_db_update:




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#544573; Package rkhunter. (Thu, 29 Oct 2009 05:42:11 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Thu, 29 Oct 2009 05:42:11 GMT)

Message #10 received at 544573@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 544573@bugs.debian.org
Subject: better workaround
Date: Wed, 28 Oct 2009 14:36:25 +0200
Hi,

AFAICS a better workaround is to run "rkhunter --propupd".


regards,
	Holger
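
One way to apply the `rkhunter --propupd` workaround only after checking where the flagged files came from, as an added example that is not part of the original thread or of the rkhunter package. It assumes a Debian system with `dpkg-query` and a `dpkg` that supports `--verify`; the function names and `SAMPLE_LOG` are hypothetical.

```sh
#!/bin/sh
# Added example: triage rkhunter "not present in the rkhunter.dat file"
# warnings before accepting them into the baseline with `rkhunter --propupd`.

# Constructed sample input: the two warning lines quoted in the bug report.
SAMPLE_LOG="Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file."

# Read scan output on stdin; print the path from each matching warning.
missing_from_db() {
    sed -n "s/^.*Warning: The file '\([^']*\)' exists on the system, but it is not present in the rkhunter\.dat file\.\$/\1/p"
}

# Classify one path via the dpkg database (assumes a Debian system).
owner_of() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "unknown (dpkg-query not available)"; return 0
    fi
    pkg=$(dpkg-query -S "$1" 2>/dev/null | sed -n '1{s/: .*$//;s/,.*$//;p;}')
    if [ -z "$pkg" ]; then
        echo "unowned"                 # no package claims this file
    elif dpkg --verify "$pkg" 2>/dev/null | sed 's/^[^/]*//' | grep -Fxq -- "$1"; then
        echo "modified:$pkg"           # differs from what the package shipped
    else
        echo "packaged:$pkg"
    fi
}

# Print "path<TAB>status" per warning; exit status is 0 only when every
# flagged file is an unmodified packaged file.
triage() {
    missing_from_db | (
        rc=0
        while IFS= read -r path; do
            status=$(owner_of "$path")
            printf '%s\t%s\n' "$path" "$status"
            case $status in packaged:*) ;; *) rc=1 ;; esac
        done
        exit "$rc"
    )
}

# Usage: sh triage.sh SCAN_OUTPUT_FILE   (file name is the caller's choice)
if [ "$#" -gt 0 ]; then
    if triage < "$1"; then echo "all files packaged: rkhunter --propupd is reasonable"
    else echo "review the files above before running rkhunter --propupd"; fi
else
    printf '%s\n' "$SAMPLE_LOG" | missing_from_db   # demo on the sample lines
fi
```

Running `--propupd` records whatever is currently on disk as known-good, so the check is worth doing first on any host that was not freshly installed.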

Added tag(s) confirmed. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Fri, 30 Oct 2009 19:42:14 GMT)

Forcibly Merged 544573 562103. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Tue, 22 Dec 2009 18:06:05 GMT)

Added tag(s) help. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Fri, 01 Jan 2010 12:12:16 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#544573; Package rkhunter. (Sat, 20 Mar 2010 06:57:03 GMT)

Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Sat, 20 Mar 2010 06:57:03 GMT)

Message #21 received at 544573@bugs.debian.org:

From: Julien Valroff <julien@kirya.net>
To: James Zuelow <james_zuelow@ci.juneau.ak.us>, 544573@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#544573: rkhunter complains about unhide-linux
Date: Sat, 20 Mar 2010 07:55:30 +0100
package rkhunter
tags 544573 - help - confirmed
thanks

On Tuesday 01 September 2009 at 08:29 -0800, James Zuelow wrote:
> Package: rkhunter
> Version: 1.3.2-6
> Severity: minor
> 
> When first installed, rkhunter scans will report this:
> 
> Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
> Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
> 
> Since unhide-linux26 is installed automatically with rkhunter, 
> it makes sense to me that it would be in rkhunter's database.
> 
> The solution is to uninstall rkhunter, and then re-install it.
> 
> I'm not familiar enough with deb packaging to suggest a fix, but it
> seems to me that when rkhunter is installed it inventories the packages
> that are already installed on the machine.  But it does not account for
> packages that are installed in the same apt/aptitude command that is
> installing rkhunter.  Just a WAG on my part.

While I was able to reproduce this issue, I am now unable (be it with
automatic file properties update or not).

Would you please check that this is ok for you as well using the latest
version in unstable?

Cheers,
Julien





Removed tag(s) help. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Sat, 20 Mar 2010 06:57:04 GMT)

Removed tag(s) confirmed. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Sat, 20 Mar 2010 06:57:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#544573; Package rkhunter. (Mon, 22 Mar 2010 19:12:06 GMT)

Acknowledgement sent to James Zuelow <James_Zuelow@ci.juneau.ak.us>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Mon, 22 Mar 2010 19:12:06 GMT)

Message #30 received at 544573@bugs.debian.org:

From: James Zuelow <James_Zuelow@ci.juneau.ak.us>
To: 'Julien Valroff' <julien@kirya.net>, "544573@bugs.debian.org" <544573@bugs.debian.org>
Cc: "control@bugs.debian.org" <control@bugs.debian.org>
Subject: RE: Bug#544573: rkhunter complains about unhide-linux
Date: Mon, 22 Mar 2010 11:02:27 -0800
> -----Original Message-----
> From: Julien Valroff [mailto:julien@kirya.net] 
> Sent: Friday, 19 March, 2010 22:56
> To: James Zuelow; 544573@bugs.debian.org
> Cc: control@bugs.debian.org
> Subject: Re: Bug#544573: rkhunter complains about unhide-linux
> 

> 
> While I was able to reproduce this issue, I am now unable (be it with
> automatic file properties update or not).
> 
> Would you please check that this is ok for you as well using 
> the latest
> version in unstable?
> 
> Cheers,
> Julien
> 
Hi Julien,

It looks like the unstable version is the same as testing.  I set up a new installation of Squeeze (i386) in VirtualBox choosing just the standard system.  After the 1st reboot I installed rkhunter and ran a scan with rkhunter -c.  I did **not** see any complaints about unhide-linux, either during install or after running a scan.

(Although the squeeze version does give false positives about the Xzibit rootkit when it finds the string "hdparm" in various places.)

Cheers,

James
[rkhunter.log (application/octet-stream, attachment)]

Reply sent to Julien Valroff <julien@kirya.net>:
You have taken responsibility. (Mon, 22 Mar 2010 19:27:06 GMT)

Notification sent to James Zuelow <james_zuelow@ci.juneau.ak.us>:
Bug acknowledged by developer. (Mon, 22 Mar 2010 19:27:06 GMT)

Message #35 received at 544573-done@bugs.debian.org:

From: Julien Valroff <julien@kirya.net>
To: James Zuelow <James_Zuelow@ci.juneau.ak.us>, 544573-done@bugs.debian.org
Subject: Re: Bug#544573: rkhunter complains about unhide-linux
Date: Mon, 22 Mar 2010 20:24:03 +0100
On Monday 22 March 2010 at 11:02 -0800, James Zuelow wrote:
> > -----Original Message-----
> > From: Julien Valroff [mailto:julien@kirya.net] 
> > Sent: Friday, 19 March, 2010 22:56
> > To: James Zuelow; 544573@bugs.debian.org
> > Cc: control@bugs.debian.org
> > Subject: Re: Bug#544573: rkhunter complains about unhide-linux
> > 
> 
> > 
> > While I was able to reproduce this issue, I am now unable (be it with
> > automatic file properties update or not).
> > 
> > Would you please check that this is ok for you as well using 
> > the latest
> > version in unstable?
> > 
> > Cheers,
> > Julien
> > 
> Hi Julien,
> 
> It looks like the unstable version is the same as testing.  I set up a
> new installation of Squeeze (i386) in VirtualBox choosing just the
> standard system.  After the 1st reboot I installed rkhunter and ran a
> scan with rkhunter -c.  I did **not** see any complaints about
> unhide-linux, either during install or after running a scan. 

Thanks for confirming my previous tests. I hence close this bug.

> (Although the squeeze version does give false positives about the
> Xzibit rootkit when it finds the string "hdparm" in various places.)

Yes, that is "normal" (see README.Debian for more explanations).

Cheers,
Julien





Reply sent to Julien Valroff <julien@kirya.net>:
You have taken responsibility. (Mon, 22 Mar 2010 19:27:07 GMT)

Notification sent to Xypron <xypron.debian@gmx.de>:
Bug acknowledged by developer. (Mon, 22 Mar 2010 19:27:07 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Apr 2010 07:30:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 11:22:27 2014; Machine Name: buxtehude.debian.org
