Red Hat Bugzilla – Bug 183073
rkhunter says clean, but file sizes differ???
Last modified: 2007-11-30 17:11:25 EST
From Bugzilla Helper:
User-Agent: Opera/8.52 (X11; Linux i686; U; en)
Description of problem:
Hmm - rkhunter and chkrootkit say everything is clean, but most, not all, libraries and _binary_ files larger than
about 4096 bytes have a larger file size, and different file contents, compared to files from the corresponding rpm
For the "larger" files, 'strings /usr/bin/<somefile>' always gives a line '/Cx2' near the top of the output, and a
repeated line '/lib/ld-linux.so.2' near the bottom of the output from 'strings', compared to the same file from the rpm
package. Also, the output from 'strings' from the larger files looks vaguely like upper half and lower half hunks are
swapped, top to bottom, compared to the output for the same file from the rpm package.
Question: Is this something to do with the ext3 filesystem, or with the way rpm writes files to disk? Or has this box
maybe been rooted? by some rootkit nobody knows anything about?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.sudo rkhunter --checkall --rootdir <nfs-mounted other machine>
2.ls -l /usr/bin/<anything seemingly bigger than 4096 bytes>
3.rpm -vV <whatever>
Actual Results: For 1 - says everything is clean
For 2 - gives a file size larger than what comes out of the rpm package.
For 3 - usually says everything is fine, but did notice that "/usr/bin/passwd" had the wrong size, unless rpm - a
version of rpm clean from the rpm package - was run as root, in which case, rpm did not notice the size
Expected Results: One might expect rkhunter to notice that the file sizes are all too large?
Or rpm should notice? Or the rpm database has been buggered?
*** This bug has been marked as a duplicate of 183069 ***