Debian Bug report logs - #607224
rkhunter complains about files from the unhide package


Package: rkhunter; Maintainer for rkhunter is Debian Forensics <forensics-devel@lists.alioth.debian.org>; Source for rkhunter is src:rkhunter.

Reported by: Steinar Bang <sb@dod.no>

Date: Wed, 15 Dec 2010 21:03:05 UTC

Severity: normal

Tags: confirmed

Found in version rkhunter/1.3.2-6

Done: Julien Valroff <julien@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#607224; Package rkhunter. (Wed, 15 Dec 2010 21:03:08 GMT)

Acknowledgement sent to Steinar Bang <sb@dod.no>:
New Bug report received and forwarded. Copy sent to Julien Valroff <julien@kirya.net>. (Wed, 15 Dec 2010 21:03:08 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steinar Bang <sb@dod.no>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rkhunter complains about files from the unhide package
Date: Wed, 15 Dec 2010 21:01:29 +0000
Package: rkhunter
Version: 1.3.2-6
Severity: normal

rkhunter keeps sending out emails with the following text:

Warning: The file '/usr/sbin/unhide' exists on the system, but it is
not present in the rkhunter.dat file.
Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but
it is not present in the rkhunter.dat file.

These files are installed by the unhide-20100201-1 package
 http://packages.debian.org/squeeze/unhide

Unhide is a tool to find processes and ports hidden by rootkits, and
thus in the same line of business as rkhunter.

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32.26-kvm-i386-20101122 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages rkhunter depends on:
ii  binutils            2.18.1~cvs20080103-7 The GNU assembler, linker and bina
ii  debconf [debconf-2. 1.5.24               Debian configuration management sy
ii  exim4-daemon-heavy  4.69-9+lenny1        Exim MTA (v4) daemon with extended
ii  file                4.26-1               Determines file type using "magic"
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19lenny2      Larry Wall's Practical Extraction 

Versions of packages rkhunter recommends:
ii  iproute                  20080725-2      networking and traffic control too
ii  libmd5-perl              2.03-1          backwards-compatible wrapper for D
ii  unhide                   20080519-2      Forensic tool to find hidden proce
ii  wget                     1.11.4-2+lenny2 retrieves files from the web

Versions of packages rkhunter suggests:
ii  bsd-mailx          8.1.2-0.20071201cvs-3 A simple mail user agent

-- debconf information:
  rkhunter/apt_autogen: false
  rkhunter/cron_daily_run:
  rkhunter/cron_db_update:




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#607224; Package rkhunter. (Thu, 16 Dec 2010 21:00:03 GMT)

Acknowledgement sent to Julien Valroff <julien@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Thu, 16 Dec 2010 21:00:03 GMT)

Message #10 received at 607224@bugs.debian.org:

From: Julien Valroff <julien@debian.org>
To: Steinar Bang <sb@dod.no>, 607224@bugs.debian.org
Subject: Re: Bug#607224: rkhunter complains about files from the unhide package
Date: Thu, 16 Dec 2010 21:56:47 +0100
Hi,

On Wednesday, 15 Dec 2010 at 21:01:29 (+0000), Steinar Bang wrote:
> rkhunter keeps sending out emails with the following text:
> 
> Warning: The file '/usr/sbin/unhide' exists on the system, but it is
> not present in the rkhunter.dat file.
> Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but
> it is not present in the rkhunter.dat file.

This is a known problem which has already been reported, but thanks for
reminding me I should really do something.

Actually, the problem comes from the fact that rkhunter recommends unhide, and if
both packages are installed at the same time, unhide isn't yet unpacked
when rkhunter creates its metadata database.

As a quick workaround, you can simply run 'rkhunter --propupd', just make
sure your system is clean before doing that.

I think a possible solution might be to add a trigger, but I will need time
as I would like to make something more general which would allow me to
improve the way the database is updated (see other bug reports on this
subject).

Cheers,
Julien

-- 
  ,''`.  Julien Valroff ~ <julien@kirya.net> ~ <julien@debian.org>
 : :' :  Debian Developer & Free software contributor
 `. `'   http://www.kirya.net/
   `-    4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1
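The workaround above ('rkhunter --propupd') re-baselines the properties database to whatever is on disk, so the "make sure your system is clean" step deserves a concrete check. The script below is an added example, not part of this bug report or of the rkhunter or unhide packages: it extracts the paths rkhunter flagged from the log, looks up the owning package with dpkg, and compares each file against the md5sum dpkg recorded at install time in /var/lib/dpkg/info/<package>.md5sums, printing the propupd command only if every file matches. The function names, the log file location and the use of GNU coreutils md5sum/awk are assumptions; dpkg is needed only by the two functions that run on a real system.

```sh
#!/bin/sh
# Added example (not from the bug report, rkhunter or unhide): pre-flight check
# before 'rkhunter --propupd'. Each file rkhunter flagged as missing from
# rkhunter.dat is verified against dpkg's recorded md5sum before rkhunter is
# told to trust it. Assumes GNU coreutils md5sum and awk.

# flagged_paths LOGFILE
# Prints, one per line, the paths named in rkhunter warnings of the form
# "The file '...' exists on the system, but it is not present in the rkhunter.dat file."
flagged_paths() {
    sed -n "s/.*The file '\([^']*\)' exists on the system, but it is not present in the rkhunter.dat file.*/\1/p" "$1"
}

# check_md5sums_entry ROOT MD5SUMS_FILE RELPATH
# RELPATH is relative to ROOT with no leading slash, as in dpkg's .md5sums files
# ("<hash>  usr/sbin/unhide"). Prints ok | modified | unlisted | missing and
# returns 0 only for ok. ROOT may be "" to check the live filesystem.
check_md5sums_entry() {
    root=$1
    md5file=$2
    rel=$3
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$md5file")
    if [ -z "$expected" ]; then
        echo unlisted
        return 2
    fi
    if [ ! -f "$root/$rel" ]; then
        echo missing
        return 3
    fi
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo ok
        return 0
    fi
    echo modified
    return 1
}

# verify_flagged_file /abs/path      (real Debian system only: uses dpkg)
# Returns 0 only when the file is owned by an installed package and matches
# that package's recorded md5sum.
verify_flagged_file() {
    path=$1
    owner=$(dpkg -S "$path" 2>/dev/null) || { echo "$path: not owned by any package"; return 1; }
    pkg=${owner%%: *}                 # "unhide: /usr/sbin/unhide" -> "unhide"
    md5file=/var/lib/dpkg/info/$pkg.md5sums
    [ -f "$md5file" ] || { echo "$path: $pkg records no md5sums"; return 1; }
    status=$(check_md5sums_entry "" "$md5file" "${path#/}" || true)
    echo "$path: $status ($pkg)"
    [ "$status" = ok ]
}

# propupd_preflight PATH...
# Verifies every path and prints the propupd command only if all of them match.
propupd_preflight() {
    bad=0
    for p in "$@"; do
        verify_flagged_file "$p" || bad=1
    done
    if [ "$bad" -eq 0 ]; then
        echo "all flagged files match their packages; safe to run: rkhunter --propupd"
    else
        echo "do NOT run --propupd: investigate the files listed above first" >&2
        return 1
    fi
}

# Usage on a real system (not executed here):
#   propupd_preflight $(flagged_paths /var/log/rkhunter.log)
```

Two caveats. First, dpkg's md5sums files are not a trust anchor: anything running as root, a rootkit included, can rewrite them alongside the binary, so this check only rules out the common case of an honest package that rkhunter has not baselined yet; for a machine you actually suspect, compare against a freshly downloaded copy of the package rather than the local metadata. Second, the submitter's debconf output shows rkhunter/apt_autogen set to false; Debian's APT_AUTOGEN option in /etc/default/rkhunter would run --propupd automatically after every apt run, which makes warnings like the one reported disappear at the cost of trusting every file dpkg installs without a look.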




Added tag(s) confirmed. Request was from Julien Valroff <julien@debian.org> to control@bugs.debian.org. (Thu, 16 Dec 2010 21:03:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>:
Bug#607224; Package rkhunter. (Sun, 03 Jul 2011 22:21:03 GMT)

Acknowledgement sent to "Kingsley G. Morse Jr." <kingsley@loaner.com>:
Extra info received and forwarded to list. Copy sent to Debian Forensics <forensics-devel@lists.alioth.debian.org>. (Sun, 03 Jul 2011 22:21:03 GMT)

Message #17 received at 607224@bugs.debian.org:

From: "Kingsley G. Morse Jr." <kingsley@loaner.com>
To: 607224@bugs.debian.org
Subject: Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
Date: Sun, 3 Jul 2011 14:51:33 -0700
Hi Julien,

Thank you for maintaining rkhunter.

Rootkit protection is good.

The main reason I'm writing is that I happened to
notice that version 1.3.8-6 reported a warning
similar to the bug reported in 607224.

Maybe my email will help you improve rkhunter.

Here's how I got the warning:

    1.) Install rkhunter
        
        $ aptitude install rkhunter

    2.) run 

            $ rkhunter --propupd

    3.) run

            $ rkhunter -c -sk --vl

    4.) Look in 

            /var/log/rkhunter.log

        and see

            [14:21:03] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable


I looked in /usr/bin/unhide.rb.

It looks OK to me.

It's part of the package named "unhide.rb".

I'm worried that rkhunter may have reported a
false positive, but I'll trust your judgement.

Thanks,
Kingsley






Reply sent to Julien Valroff <julien@debian.org>:
You have taken responsibility. (Mon, 04 Jul 2011 04:03:13 GMT)

Notification sent to Steinar Bang <sb@dod.no>:
Bug acknowledged by developer. (Mon, 04 Jul 2011 04:03:13 GMT)

Message #22 received at 607224-done@bugs.debian.org:

From: Julien Valroff <julien@debian.org>
To: "Kingsley G. Morse Jr." <kingsley@loaner.com>, 607224-done@bugs.debian.org
Subject: Re: Bug#607224: Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
Date: Mon, 4 Jul 2011 06:02:32 +0200
Hi,

On Sunday, 3 Jul 2011 at 23:51:33 (+0200 CEST), Kingsley G. Morse Jr. wrote:
> Hi Julien,
> 
> Thank you for maintaining rkhunter.
> 
> Rootkit protection is good.
> 
> The main reason I'm writing is that I happened to
> notice that version 1.3.8-6 reported a warning
> similar to the bug reported in 607224.
[...]
>             [14:21:03] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
> 

This warning is totally unrelated to the issue described in #607224 (which
can now be closed as triggers have been introduced in unhide for that
purpose).

As for your warning, rkhunter simply informs you the unhide.rb executable
located in /usr/bin/ is a ruby script. It is perfectly normal in that case
and you can whitelist it in rkhunter.conf{,.local}.

Cheers,
Julien

-- 
  .''`.   Julien Valroff ~ <julien@kirya.net> ~ <julien@debian.org>    
 : :'  :  Debian Developer & Free software contributor
 `. `'`   http://www.kirya.net/
   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1
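The maintainer's answer points at whitelisting the script in rkhunter.conf or rkhunter.conf.local. As an added example, not part of the bug report or of rkhunter, the script below turns "has been replaced by a script" warnings from the log into SCRIPTWHITELIST entries, and only for paths that actually are scripts (executable, starting with '#!'). The function names, the log location and the use of head -c are assumptions; whether rkhunter accepts several SCRIPTWHITELIST lines or wants one space-separated list differs between rkhunter versions, so run 'rkhunter -C' (the configuration check) after editing the file.

```sh
#!/bin/sh
# Added example (not from the bug report or from rkhunter): build
# SCRIPTWHITELIST entries for /etc/rkhunter.conf.local from rkhunter's
# "has been replaced by a script" warnings. A path is whitelisted only if the
# file exists, is executable and begins with a shebang; anything else is
# reported on stderr, because a binary that rkhunter now sees as a script is
# exactly what this test exists to catch.

# script_warning_paths LOGFILE -> one path per line
script_warning_paths() {
    sed -n "s/.*The command '\([^']*\)' has been replaced by a script:.*/\1/p" "$1"
}

# is_script PATH -> 0 if PATH exists, is executable and starts with '#!'
is_script() {
    [ -x "$1" ] && [ "$(head -c 2 "$1")" = '#!' ]
}

# scriptwhitelist_from_log LOGFILE
# Prints one "SCRIPTWHITELIST=<path>" line per verified script; paths failing
# the check are reported on stderr and left out.
scriptwhitelist_from_log() {
    script_warning_paths "$1" | while IFS= read -r p; do
        if is_script "$p"; then
            printf 'SCRIPTWHITELIST=%s\n' "$p"
        else
            printf 'not whitelisting %s: missing, not executable or no shebang\n' "$p" >&2
        fi
    done
}

# Usage on a real system (not executed here); review the output before
# appending it, then validate with 'rkhunter -C' and re-run 'rkhunter -c':
#   scriptwhitelist_from_log /var/log/rkhunter.log >> /etc/rkhunter.conf.local
```

The shebang check only confirms the file is a script, not that it is the right one; before whitelisting, also confirm the path belongs to an installed package (dpkg -S, and debsums or the package's md5sums for the content), since whitelisting by path silences the warning for whatever lives there afterwards.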




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 Aug 2011 07:34:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:17:24 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.