Bug 183073 - rkhunter says clean, but file sizes differ???
Status: CLOSED DUPLICATE of bug 183069
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 4
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Greg Houlette
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2006-02-25 19:13 EST by james
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-02-25 23:38:26 EST
Description james 2006-02-25 19:13:22 EST
From Bugzilla Helper:
User-Agent: Opera/8.52 (X11; Linux i686; U; en)

Description of problem:
Hmm - rkhunter and chkrootkit say everything is clean, but most, not all, libraries and _binary_ files larger than about 4096 bytes have a larger file size, and different file contents, compared to files from the corresponding rpm package.

For the "larger" files, 'strings /usr/bin/<somefile>' always gives a line '/Cx2' near the top of the output, and a repeated line '/lib/ld-linux.so.2' near the bottom of the output from 'strings', compared to the same file from the rpm package. Also, the output from 'strings' from the larger files looks vaguely like upper half and lower half hunks are swapped, top to bottom, compared to the output for the same file from the rpm package.

Question: Is this something to do with the ext3 filesystem, or with the way rpm writes files to disk? Or has this box maybe been rooted? by some rootkit nobody knows anything about?

Version-Release number of selected component (if applicable):
rkhunter-1.1.9-1

How reproducible:
Always

Steps to Reproduce:
1. sudo rkhunter --checkall --rootdir <nfs-mounted other machine>
2. ls -l /usr/bin/<anything seemingly bigger than 4096 bytes>
3. rpm -vV <whatever>

Actual Results:
For 1 - says everything is clean
For 2 - gives a file size larger than what comes out of the rpm package.
For 3 - usually says everything is fine, but did notice that "/usr/bin/passwd" had the wrong size, unless rpm - a version of rpm clean from the rpm package - was run as root, in which case, rpm did not notice the size difference.

Expected Results:
One might expect rkhunter to notice that the file sizes are all too large?
Or rpm should notice? Or the rpm database has been buggered?

Additional info:
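
A check that does not depend on the inspected machine's own rpm binary or database, as an added example that is not part of the original report: it compares a suspect root (such as the NFS-mounted root from step 1) against a reference tree unpacked from the original package on a trusted host. The function names, the directory layout and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report.
# compare_trees REF_DIR SUSPECT_ROOT
#   REF_DIR      package payload unpacked on a trusted host (REF_DIR/usr/bin/passwd ...)
#   SUSPECT_ROOT mounted filesystem under examination
# Prints one line per file that is missing, differs in size, or has the
# same size but different content. Prints nothing for identical files.
compare_trees() {
    ref=$1
    root=$2
    (cd "$ref" && find . -type f | sort) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING /$rel"
            continue
        fi
        # wc -c pads its output on some systems, so strip the spaces
        rsize=$(wc -c < "$ref/$rel" | tr -d ' ')
        ssize=$(wc -c < "$root/$rel" | tr -d ' ')
        if [ "$rsize" != "$ssize" ]; then
            echo "SIZE /$rel expected=$rsize actual=$ssize"
        elif ! cmp -s "$ref/$rel" "$root/$rel"; then
            echo "CONTENT /$rel"
        fi
    done
}

# Constructed sample data: one unchanged file, one larger file,
# one same-size file with different bytes, one file absent from the suspect root.
make_sample() {
    d=$1
    mkdir -p "$d/ref/usr/bin" "$d/root/usr/bin"
    printf 'same' > "$d/ref/usr/bin/ls"
    printf 'same' > "$d/root/usr/bin/ls"
    printf 'AAAA' > "$d/ref/usr/bin/passwd"
    printf 'AAAAAAAA' > "$d/root/usr/bin/passwd"
    printf 'abcd' > "$d/ref/usr/bin/id"
    printf 'abce' > "$d/root/usr/bin/id"
    printf 'gone' > "$d/ref/usr/bin/who"
}

# Run "sh thisfile demo" to see the report for the constructed sample.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    compare_trees "$tmp/ref" "$tmp/root"
    rm -rf "$tmp"
fi
```

Run it from a trusted host or rescue environment so that `find`, `wc` and `cmp` are not the suspect machine's own binaries.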
Comment 1 Dennis Gilmore 2006-02-25 23:38:26 EST

*** This bug has been marked as a duplicate of 183069 ***
