Hi all,
I was away on holiday for a while recently, during which time (on 21st
June to be precise) rkhunter started sending me daily report emails
like the one below, indicating that the perl and curl binaries on my
Debian 6.0.7 webserver changed. As far as I'm aware, my system only
gets updated when I manually perform it via apt-get, and I don't
remember doing that in the week or few preceding the alert, so this
was a bit of a surprise. This report runs daily, yet the last update
I can see in /var/log/dpkg.log for perl is 2013-03-23, and 2013-05-10
for curl. It all seems slightly suspicious, and yet I have not found
any other evidence of the system being compromised. Network traffic
remains low, which I would expect to increase if it was hijacked.
The only thing I noticed is the OOM-killer kicking in a few times over the
last few months, possibly due to an Apache leak, but frankly I think
that's a bug somewhere rather than a symptom of a break-in, since it
started happening much earlier.
dpkg -s says that I have curl-7.21.0-2.1+squeeze3 and
perl-5.10.1-17squeeze6, and debsums says everything's OK.
# apt-cache policy curl
curl:
  Installed: 7.21.0-2.1+squeeze3
  Candidate: 7.21.0-2.1+squeeze4
  Version table:
     7.21.0-2.1+squeeze4 0
        500 http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ squeeze/updates/main i386 Packages
 *** 7.21.0-2.1+squeeze3 0
        100 /var/lib/dpkg/status
     7.21.0-2.1+squeeze2 0
        500 http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ squeeze/main i386 Packages

# apt-cache policy perl
perl:
  Installed: 5.10.1-17squeeze6
  Candidate: 5.10.1-17squeeze6
  Version table:
 *** 5.10.1-17squeeze6 0
        500 http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ squeeze/updates/main i386 Packages
        100 /var/lib/dpkg/status
     5.10.1-17squeeze5 0
        500 http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ squeeze/main i386 Packages
The closest I can find via google is:
http://www.linuxquestions.org/questions/linux-security-4/rkhunter-warnings-…
but that doesn't seem to indicate a compromised system.
I just updated to rkhunter 1.3.8 from squeeze backports and it found a
few additional warnings, but all of them attributable to
non-suspicious causes.
Thoughts? I'm really loath to re-install this system based on an
extremely vague suspicion.
Thanks!
Adam
---------- Forwarded message ----------
From: root <root(a)adamspiers.org>
Date: 20 July 2013 06:30
Subject: [rkhunter] coral.adamspiers.org - Daily report
To: root(a)adamspiers.org
Warning: The file properties have changed:
File: /usr/bin/curl
Current inode: 37410 Stored inode: 35028
Current file modification time: 1365866469 (13-Apr-2013 16:21:09)
Stored file modification time : 1333198916 (31-Mar-2012 14:01:56)
Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 400681f383f4a2b63d4615a8d7ad53c2a685e3da
Stored hash : be5055e1642bec794804ebf8668a1554864d218b
Current inode: 33794 Stored inode: 33812
Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
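The triage question in the post is whether the dpkg history can account for the property changes rkhunter reported: dpkg preserves the mtime stored in the .deb (the package build time) when it unpacks a file, so a binary replaced by a legitimate upgrade should carry an mtime no later than the `upgrade` entry for its package in /var/log/dpkg.log, and that upgrade should post-date the baseline rkhunter stored. The script below is an added example, not part of the original post or of rkhunter; it parses the warning blocks quoted above and a constructed dpkg.log excerpt (the dates are the ones the post quotes, the times and old version strings are made up) and labels each file "explained" or "unexplained". The file-to-package mapping is also constructed; on a real host `dpkg -S <path>` is authoritative, and the content check itself is what `debsums -c` already does, which is why this only reasons about the time axis.

```python
import re
from datetime import datetime, timezone

# Sample input: the rkhunter warning blocks from the report above, with the
# line-wrapped hashes joined back together.
RKHUNTER_REPORT = """\
Warning: The file properties have changed:
File: /usr/bin/curl
Current inode: 37410 Stored inode: 35028
Current file modification time: 1365866469 (13-Apr-2013 16:21:09)
Stored file modification time : 1333198916 (31-Mar-2012 14:01:56)
Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 400681f383f4a2b63d4615a8d7ad53c2a685e3da
Stored hash : be5055e1642bec794804ebf8668a1554864d218b
Current inode: 33794 Stored inode: 33812
Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)
"""

# Constructed /var/log/dpkg.log excerpt. The dates are those quoted in the
# post; the times and the old version strings are invented for the example.
DPKG_LOG = """\
2013-03-23 09:12:01 upgrade perl 5.10.1-17squeeze5 5.10.1-17squeeze6
2013-03-23 09:12:05 status installed perl 5.10.1-17squeeze6
2013-05-10 18:40:11 upgrade curl 7.21.0-2.1+squeeze2 7.21.0-2.1+squeeze3
2013-05-10 18:40:12 status installed curl 7.21.0-2.1+squeeze3
"""

# Constructed owner map; on a real host query `dpkg -S <path>` instead.
FILE_OWNER = {"/usr/bin/curl": "curl", "/usr/bin/perl": "perl"}


def parse_rkhunter_warnings(report):
    """Split a report into 'file properties have changed' blocks and pull out
    the path, both mtimes (epoch seconds) and, where present, both hashes."""
    warnings = []
    blocks = re.split(r"^Warning: The file properties have changed:$", report, flags=re.M)
    for block in blocks:
        path = re.search(r"^File:\s*(\S+)", block, re.M)
        if not path:
            continue  # leading empty chunk or a block without a File: line
        cur = re.search(r"^Current file modification time:\s*(\d+)", block, re.M)
        sto = re.search(r"^Stored file modification time\s*:\s*(\d+)", block, re.M)
        cur_hash = re.search(r"^Current hash:\s*([0-9a-f]+)", block, re.M)
        sto_hash = re.search(r"^Stored hash\s*:\s*([0-9a-f]+)", block, re.M)
        warnings.append({
            "file": path.group(1),
            "current_mtime": int(cur.group(1)) if cur else None,
            "stored_mtime": int(sto.group(1)) if sto else None,
            "current_hash": cur_hash.group(1) if cur_hash else None,
            "stored_hash": sto_hash.group(1) if sto_hash else None,
        })
    return warnings


def parse_dpkg_upgrades(log):
    """Return {package: [(timestamp, old_version, new_version), ...]} from the
    'upgrade' lines of a dpkg.log (squeeze-era format, no :arch qualifier)."""
    upgrades = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[2] == "upgrade":
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)  # treat log time as UTC for the example
            upgrades.setdefault(parts[3], []).append((ts, parts[4], parts[5]))
    return upgrades


def triage(warning, upgrades, owner):
    """Decide whether a package upgrade accounts for one rkhunter warning."""
    pkg = owner.get(warning["file"])
    if pkg is None:
        return ("unexplained", "file is not owned by any package")
    if warning["current_mtime"] is None or warning["stored_mtime"] is None:
        return ("unexplained", "warning carries no mtime pair to reason about")
    cur = datetime.fromtimestamp(warning["current_mtime"], timezone.utc)
    sto = datetime.fromtimestamp(warning["stored_mtime"], timezone.utc)
    # dpkg keeps the mtime from the .deb (build time), so a legitimately
    # upgraded binary is never newer than the upgrade that installed it, and
    # that upgrade must fall after the baseline rkhunter recorded.
    matches = [u for u in upgrades.get(pkg, []) if sto < u[0] and cur <= u[0]]
    if matches:
        ts, old, new = matches[-1]
        return ("explained",
                f"{pkg} upgraded {old} -> {new} on {ts:%Y-%m-%d}; "
                "confirm with debsums -c, then refresh the baseline with rkhunter --propupd")
    return ("unexplained", f"no {pkg} upgrade accounts for an mtime of {cur:%Y-%m-%d}; investigate")


def triage_report(report, dpkg_log, owner):
    """Map every warned file in the report to its (status, detail) verdict."""
    upgrades = parse_dpkg_upgrades(dpkg_log)
    return {w["file"]: triage(w, upgrades, owner) for w in parse_rkhunter_warnings(report)}


if __name__ == "__main__":
    for path, (status, detail) in triage_report(RKHUNTER_REPORT, DPKG_LOG, FILE_OWNER).items():
        print(f"{path}: {status} - {detail}")
```

Run against the report and log above it marks both files as explained by the March and May upgrades; a file whose current mtime is later than any recorded upgrade of its package, or that belongs to no package at all, comes out as unexplained, which is the case that would justify the deeper look the post is weighing up.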