Author: Adam Spiers
To: Bitfolk users list
Subject: [bitfolk] rkhunter found changes in perl and curl - cause for concern?
Hi all,

I was away on holiday for a while recently, during which time (on 21st
June to be precise) rkhunter started sending me daily report emails
like the one below, indicating that the perl and curl binaries on my
Debian 6.0.7 webserver changed. As far as I'm aware, my system only
gets updated when I manually perform it via apt-get, and I don't
remember doing that in the week or few preceding the alert, so this
was a bit of a surprise. This report runs daily, yet the last update
I can see in /var/log/dpkg.log for perl is 2013-03-23, and 2013-05-10
for curl. It all seems slightly suspicious, and yet I have not found
any other evidence of the system being compromised. Network traffic
remains low, which I would expect to increase if it was hijacked.
Only thing I noticed is the OOM-killer kicking in a few times over the
last few months, possibly due to an Apache leak, but frankly I think
that's a bug somewhere rather than a symptom of a break-in, since it
started happening much earlier.

dpkg -s says that I have curl-7.21.0-2.1+squeeze3 and
perl-5.10.1-17squeeze6, and debsums says everything's OK.

# apt-cache policy curl
  Installed: 7.21.0-2.1+squeeze3
  Candidate: 7.21.0-2.1+squeeze4
  Version table:
     7.21.0-2.1+squeeze4 0
        500 http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ squeeze/updates/main i386 Packages
 *** 7.21.0-2.1+squeeze3 0
        100 /var/lib/dpkg/status
     7.21.0-2.1+squeeze2 0
        500 http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ squeeze/main i386 Packages
# apt-cache policy perl
  Installed: 5.10.1-17squeeze6
  Candidate: 5.10.1-17squeeze6
  Version table:
 *** 5.10.1-17squeeze6 0
        500 http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ squeeze/updates/main i386 Packages
        100 /var/lib/dpkg/status
     5.10.1-17squeeze5 0
        500 http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ squeeze/main i386 Packages

The closest I can find via google is:


but that doesn't seem to indicate a compromised system.

I just updated to rkhunter 1.3.8 from squeeze backports and it found a
few additional warnings, but all of them attributable to
non-suspicious causes.

Thoughts? I'm really loath to re-install this system based on an
extremely vague suspicion.


---------- Forwarded message ----------
From: root <root@???>
Date: 20 July 2013 06:30
Subject: [rkhunter] coral.adamspiers.org - Daily report
To: root@???

Warning: The file properties have changed:
         File: /usr/bin/curl
         Current inode: 37410    Stored inode: 35028
         Current file modification time: 1365866469 (13-Apr-2013 16:21:09)
         Stored file modification time : 1333198916 (31-Mar-2012 14:01:56)

Warning: The file properties have changed:
         File: /usr/bin/perl
         Current hash: 400681f383f4a2b63d4615a8d7ad53c2a685e3da
         Stored hash : be5055e1642bec794804ebf8668a1554864d218b
         Current inode: 33794    Stored inode: 33812
         Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
         Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
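As an added example (not part of the original post and not rkhunter's own code), the Python script below does the reconciliation the post is reaching for by hand: it parses the "file properties have changed" warnings in the format of the forwarded daily report and, for each flagged file, checks whether dpkg installed or upgraded the package that owns it after the rkhunter property database was last refreshed with `rkhunter --propupd`. A package operation after that point explains the change; none means the change is unexplained and the file should be verified against dpkg's recorded checksums (`debsums <package>`) and against a freshly downloaded copy of the .deb. Note that dpkg writes a package's files with the modification times stored in the .deb, so a binary's mtime is the package build time rather than the install time; the script therefore treats only dpkg.log timestamps, never mtimes, as evidence of an install. The report excerpt, the dpkg.log lines, the file-to-package map and the propupd time are all constructed for the example; on a real host they come from the daily mail, /var/log/dpkg.log, `dpkg -S <path>`, and the mtime of the property database (on Debian typically /var/lib/rkhunter/db/rkhunter.dat, an assumption to check locally).

```python
"""Correlate rkhunter "file properties have changed" warnings with dpkg.log.

Added example; not part of the original post and not rkhunter's own code.
dpkg preserves the mtimes recorded in the .deb, so a binary's mtime is its
package build time, not its install time; only dpkg.log timestamps count
as evidence of an install here.
"""
import re
from datetime import datetime, timezone

# Constructed report excerpt in the format of the forwarded daily report.
REPORT = """\
Warning: The file properties have changed:
         File: /usr/bin/curl
         Current inode: 37410    Stored inode: 35028
         Current file modification time: 1365866469 (13-Apr-2013 16:21:09)
         Stored file modification time : 1333198916 (31-Mar-2012 14:01:56)

Warning: The file properties have changed:
         File: /usr/bin/perl
         Current hash: 400681f383f4a2b63d4615a8d7ad53c2a685e3da
         Stored hash : be5055e1642bec794804ebf8668a1554864d218b
         Current inode: 33794    Stored inode: 33812
         Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
         Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)
"""

# Constructed /var/log/dpkg.log excerpt (not the author's real log).
DPKG_LOG = """\
2013-03-23 10:12:01 upgrade perl-base 5.10.1-17squeeze5 5.10.1-17squeeze6
2013-03-23 10:12:05 status installed perl-base 5.10.1-17squeeze6
2013-05-10 08:40:17 upgrade curl 7.21.0-2.1+squeeze2 7.21.0-2.1+squeeze3
2013-05-10 08:40:19 status installed curl 7.21.0-2.1+squeeze3
"""

# Constructed file -> owning package map; on a real host use `dpkg -S <path>`.
OWNER = {"/usr/bin/curl": "curl", "/usr/bin/perl": "perl-base"}

# Assumed time of the last `rkhunter --propupd`; on Debian take it from the
# mtime of /var/lib/rkhunter/db/rkhunter.dat (path assumed, check locally).
PROPUPD_TIME = datetime(2013, 3, 1, tzinfo=timezone.utc)

PROP_RE = re.compile(r"(Current|Stored) (hash|inode|file modification time)\s*:\s*(\S+)")
PROP_KEY = {"hash": "hash", "inode": "inode", "file modification time": "mtime"}


def parse_report(text):
    """Map each flagged path to its properties, e.g. {"current_hash": ..., "stored_mtime": 1333198916}."""
    warnings, props = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*File:\s*(\S+)", line)
        if m:
            props = warnings.setdefault(m.group(1), {})
            continue
        if props is None:
            continue
        # The two inode values share one line, so collect every match on the line.
        for which, prop, value in PROP_RE.findall(line):
            key = PROP_KEY[prop]
            props[f"{which.lower()}_{key}"] = value if key == "hash" else int(value)
    return warnings


def package_ops(dpkg_log, package):
    """UTC timestamps of dpkg install/upgrade entries for `package`."""
    ops = []
    for line in dpkg_log.splitlines():
        parts = line.split()
        # dpkg.log lines: DATE TIME ACTION PACKAGE[:ARCH] OLDVER NEWVER
        if len(parts) >= 4 and parts[2] in ("install", "upgrade") \
                and parts[3].split(":")[0] == package:
            stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            ops.append(stamp.replace(tzinfo=timezone.utc))
    return ops


def classify(warnings, dpkg_log, owner, propupd_time):
    """Return {path: (verdict, package, changed_properties)}.

    verdict is "explained" when dpkg installed or upgraded the owning package
    after propupd_time, otherwise "unexplained": run `debsums <package>` and
    compare the file against a freshly downloaded copy of the .deb.
    """
    verdicts = {}
    for path, props in warnings.items():
        pkg = owner.get(path)
        changed = sorted(k[len("current_"):] for k in props if k.startswith("current_"))
        later = [t for t in package_ops(dpkg_log, pkg) if t > propupd_time] if pkg else []
        verdicts[path] = ("explained" if later else "unexplained", pkg, changed)
    return verdicts


if __name__ == "__main__":
    verdicts = classify(parse_report(REPORT), DPKG_LOG, OWNER, PROPUPD_TIME)
    for path, (verdict, pkg, changed) in verdicts.items():
        print(f"{path}: {verdict} (package {pkg}, changed: {', '.join(changed)})")
```

With the constructed data both files come out "explained", which is the case where the right follow-up is to rerun `rkhunter --propupd` after the next round of updates rather than to reinstall; moving the assumed propupd time past the perl-base upgrade flips /usr/bin/perl to "unexplained", which is the case that warrants the debsums and .deb comparison. A hash change with no dpkg operation after propupd is the combination to treat seriously; an inode or mtime change alone, as with /usr/bin/curl here, is what any reinstall of the same bytes produces.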