20 Jul
2013
20 Jul
'13
5:13 p.m.
Hi all,
I was away on holiday for a while recently, during which time (on 21st
June to be precise) rkhunter started sending me daily report emails
like the one below, indicating that the perl and curl binaries on my
Debian 6.0.7 webserver changed. As far as I'm aware, my system only
gets updated when I manually perform it via apt-get, and I don't
remember doing that in the week or few preceeding the alert, so this
was a bit of a surprise. This report runs daily, yet the last update
I can see in /var/log/dpkg.log for perl is 2013-03-23, and 2013-05-10
for curl. It all seems slightly suspicious, and yet I have not found
any other evidence of the system being compromised. Network traffic
remains low, which I would expect to increase if it was hijacked.
Only thing I noticed is the OOM-killer kicking in a few times over the
last few months, possibly due to an Apache leak, but frankly I think
that's a bug somewhere rather than a symptom of a break-in, since it
started happening much earlier.
dpkg -s says that I have curl-7.21.0-2.1+squeeze3 and
perl-5.10.1-17squeeze6, and debsums says everything's OK.
# apt-cache policy curl
curl:
Installed: 7.21.0-2.1+squeeze3
Candidate: 7.21.0-2.1+squeeze4
Version table:
7.21.0-2.1+squeeze4 0
500 http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
squeeze/updates/main i386 Packages
*** 7.21.0-2.1+squeeze3 0
100 /var/lib/dpkg/status
7.21.0-2.1+squeeze2 0
500 http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/
squeeze/main i386 Packages
# apt-cache policy perl
perl:
Installed: 5.10.1-17squeeze6
Candidate: 5.10.1-17squeeze6
Version table:
*** 5.10.1-17squeeze6 0
500 http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
squeeze/updates/main i386 Packages
100 /var/lib/dpkg/status
5.10.1-17squeeze5 0
500 http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/
squeeze/main i386 Packages
The closest I can find via google is:
http://www.linuxquestions.org/questions/linux-security-4/rkhunter-warnings-…
but that doesn't seem to indicate a compromised system.
I just updated to rkhunter 1.3.8 from squeeze backports and it found a
few additional warnings, but all of them attributable to
non-suspicious causes.
Thoughts? I'm really loathe to re-install this system based on an
extremely vague suspicion.
Thanks!
Adam
---------- Forwarded message ----------
From: root <root(a)adamspiers.org>
Date: 20 July 2013 06:30
Subject: [rkhunter] coral.adamspiers.org - Daily report
To: root(a)adamspiers.org
Warning: The file properties have changed:
File: /usr/bin/curl
Current inode: 37410 Stored inode: 35028
Current file modification time: 1365866469 (13-Apr-2013 16:21:09)
Stored file modification time : 1333198916 (31-Mar-2012 14:01:56)
Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 400681f383f4a2b63d4615a8d7ad53<wbr>c2a685e3da
Stored hash : be5055e1642bec794804ebf8668a15<wbr>54864d218b
Current inode: 33794 Stored inode: 33812
Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
21 Jul
21 Jul
7:22 p.m.
New subject: rkhunter found changes in perl and curl - cause for concern?
Hi Adam,
On Sat, Jul 20, 2013 at 06:13:01PM +0100, Adam Spiers wrote:
I was away on holiday for a while recently, during
which time (on 21st
June to be precise) rkhunter started sending me daily report emails
like the one below, indicating that the perl and curl binaries on my
Debian 6.0.7 webserver changed. As far as I'm aware, my system only
[…]
dpkg -s says that I have curl-7.21.0-2.1+squeeze3 and
perl-5.10.1-17squeeze6, and debsums says everything's OK.
If debsums is okay with it then you could report it as a bug on the
rkhunter package?
Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 400681f383f4a2b63d4615a8d7ad53<wbr>c2a685e3da
Stored hash : be5055e1642bec794804ebf8668a15<wbr>54864d218b
Current inode: 33794 Stored inode: 33812
Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)
On a squeeze system I have access to with that package version:
$ shasum /usr/bin/perl
400681f383f4a2b63d4615a8d7ad53c2a685e3da /usr/bin/perl
So that matches. Also debsums matches for me, which means the md5sum
also matches.
$ md5sum /usr/bin/perl
80ca00a4ba32c5dd89b89681ebc22f20 /usr/bin/perl
Won't the apt log confirm that you upgraded the relevant packages
and put your mind at rest?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
The optimum programming team size is 1.
Has
Jurassic Park taught us nothing? — pfilandr
22 Jul
22 Jul
12:08 a.m.
New subject: rkhunter found changes in perl and curl - cause for concern?
On Sun, Jul 21, 2013 at 07:22:22PM +0000, Andy Smith wrote:
That's good news (at least, assuming my md5sum / shasum haven't been
compromised).
Hi Adam,
On Sat, Jul 20, 2013 at 06:13:01PM +0100, Adam Spiers wrote:
rkhunter isn't at fault for reporting a change in the files it
monitors. That's expected every time the packages owning those files
get upgraded.
I was away on holiday for a while recently,
during which time (on 21st
June to be precise) rkhunter started sending me daily report emails
like the one below, indicating that the perl and curl binaries on my
Debian 6.0.7 webserver changed. As far as I'm aware, my system only
[…]
dpkg -s says that I have curl-7.21.0-2.1+squeeze3
and
perl-5.10.1-17squeeze6, and debsums says everything's OK.
If debsums is okay with it then you could report it as a bug on the
rkhunter package? Warning: The
file properties have changed:
File: /usr/bin/perl
Current hash: 400681f383f4a2b63d4615a8d7ad53<wbr>c2a685e3da
Stored hash : be5055e1642bec794804ebf8668a15<wbr>54864d218b
Current inode: 33794 Stored inode: 33812
Current file modification time: 1362591932 (06-Mar-2013 17:45:32)
Stored file modification time : 1361046751 (16-Feb-2013 20:32:31)
On a squeeze system I have access to with that package version:
$ shasum /usr/bin/perl
400681f383f4a2b63d4615a8d7ad53c2a685e3da /usr/bin/perl
So that matches. Also debsums matches for me, which means the md5sum
also matches.
$ md5sum /usr/bin/perl
80ca00a4ba32c5dd89b89681ebc22f20 /usr/bin/perl Won't the apt log confirm that you upgraded the
relevant packages
and put your mind at rest?
Alas no - that's the very first thing I checked, and the absence of
any upgrade information in the logs within the right time period is
precisely what's worrying me. However, I only just noticed that the
hash only changed for perl; curl's hash didn't change, only its inode
and mtime, so it's possible that something other than dpkg/apt is the
culprit. I guess I'm probably OK; just wish I could pin it down for
sure :-/
Thanks!
4170
days inactive
4172
days old
2 comments
2 participants
participants (2)
-
Adam Spiers -
Andy Smith