From Bugzilla Helper:
User-Agent: Opera/8.52 (X11; Linux i686; U; en)

Description of problem:
Hmm - rkhunter and chkrootkit say everything is clean, but most, not all, libraries and _binary_ files larger than 
about 4096 bytes have a larger file size, and different file contents, compared to files from the corresponding rpm 
package.

For the "larger" files, 'strings /usr/bin/<somefile>' always gives a line '/Cx2' near the top of the output, and a 
repeated line '/lib/ld-linux.so.2' near the bottom of the output from 'strings', compared to the same file from the rpm 
package.  Also, the output from 'strings' from the larger files looks vaguely like upper half and lower half hunks are 
swapped, top to bottom, compared to the output for the same file from the rpm package.

Question: Is this something to do with the ext3 filesystem, or with the way rpm writes files to disk?  Or has this box 
maybe been rooted?  by some rootkit nobody knows anything about?



Version-Release number of selected component (if applicable):
rkhunter-1.1.9-1

How reproducible:
Always

Steps to Reproduce:
1.sudo rkhunter --checkall --rootdir <nfs-mounted other machine>
2.ls -l /usr/bin/<anything seemingly bigger than 4096 bytes>
3.rpm -vV <whatever>
  

Actual Results:  For 1 - says everything is clean
For 2 - gives a file size larger than what comes out of the rpm package.
For 3 - usually says everything is fine, but did notice that "/usr/bin/passwd" had the wrong size, unless rpm - a 
version of rpm clean from the rpm package - was run as root, in which case, rpm did not notice the size 
difference.

Expected Results:  One might expect rkhunter  to notice that the file sizes are all too large?
Or rpm should notice?  Or the rpm database has been buggered?

Additional info: