Description of problem:

The daily runs of rkhunter produce this strange warning:

    Warning: The command '/usr/bin/rkhunter' has been replaced and is not a script: /usr/bin/rkhunter: POSIX shell script, ASCII text executable, with very long lines

This looks bogus to me:

- it *is* a script (output contradicts itself)
- afaict it wasn't modified:

    # sha1sum /usr/bin/rkhunter
    2d8832de4ca600e529ed8cdc3927273bb7ae21c9  /usr/bin/rkhunter

    # rpm -V rkhunter
    5S.T.....    /var/lib/rkhunter/db/mirrors.dat
    5S.T.....    /var/lib/rkhunter/db/programs_bad.dat

    # LC_ALL=C rpm -qi rkhunter
    Name        : rkhunter
    Version     : 1.3.8
    Release     : 6.fc15
    Architecture: noarch
    Install Date: Mon Jul 4 15:56:26 2011
    Group       : Applications/System
    Size        : 751288
    License     : GPLv2+
    Signature   : RSA/SHA256, Thu Jun 23 16:31:38 2011, Key ID b4ebf579069c8460
    Source RPM  : rkhunter-1.3.8-6.fc15.src.rpm
    Build Date  : Tue Jun 21 23:54:28 2011
    Build Host  : x86-01.phx2.fedoraproject.org
    Relocations : (not relocatable)
    Packager    : Fedora Project
    Vendor      : Fedora Project
    URL         : http://rkhunter.sourceforge.net/
    Summary     : A host-based tool to scan for rootkits, backdoors and local exploits
    Description :
    Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running
    UNIX (clones) for the presence of rootkits and other unwanted tools.
There was a report of this on an upstream list, but unfortunately without much detail. When did you start seeing these messages? Can you see any updates around that time (check /var/log/yum.log) that might be related? In particular the 'file' command. You have run a 'rkhunter --propupd' right?
(In reply to comment #1)
> There was a report of this on an upstream list, but unfortunately without much
> detail.
>
> When did you start seeing these messages?
> Can you see any updates around that time (check /var/log/yum.log) that might be
> related?
> In particular the 'file' command.

I think I saw this message from the very beginning (installed rkhunter just a couple of days ago).

> You have run a 'rkhunter --propupd' right?

No, I did not. Running it now seems to suppress that warning.

Imho that doesn't make this ticket useless though. The rkhunter RPM seems to come with wrong information (or wrong implicit assumptions) about the /usr/bin/rkhunter file. While in general it is true that only the admin knows the state of the machine and propupd should not be run automatically, the rkhunter RPM should at least know its own files.

Looking at the code, there seems to be some special case handling for the rkhunter script itself, in /usr/bin/rkhunter:10068, which needs to be fixed.
# with file.x86_64 0:5.05-3.fc15:
$ file /usr/bin/rkhunter
/usr/bin/rkhunter: POSIX shell script text executable

# with file.x86_64 0:5.07-4.fc15:
$ file /usr/bin/rkhunter
/usr/bin/rkhunter: POSIX shell script, ASCII text executable, with very long lines
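The comment above shows the root cause: the wording of `file`'s output changed between file 5.05 and 5.07, and a check that expects the exact older phrase stops recognising its own script. The following is an added example, not rkhunter's own code and not the fix that shipped in the Fedora update; it contrasts a brittle exact-phrase match with a looser match that survives both wordings, using the two `file` output lines from this report plus a constructed ELF line as samples. The function names (`is_script_brittle`, `is_script_robust`, `classify`, `check_path`) are hypothetical.

```shell
#!/bin/sh
# Added example (not rkhunter's code): decide whether `file` output describes
# a script. Sample strings below are the two lines from the bug report plus a
# constructed ELF line; they are embedded so the script runs offline.
OLD_FILE_OUTPUT='/usr/bin/rkhunter: POSIX shell script text executable'
NEW_FILE_OUTPUT='/usr/bin/rkhunter: POSIX shell script, ASCII text executable, with very long lines'
ELF_FILE_OUTPUT='/usr/bin/ls: ELF 64-bit LSB executable, x86-64'   # constructed

# Brittle check: requires the exact phrase file 5.05 printed. Breaks as soon as
# `file` inserts a comma or extra qualifiers (the symptom in this report).
# Returns 0 (true) for a script, 1 otherwise.
is_script_brittle() {
    case "$1" in
        *'shell script text executable'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Robust check: strip the "path: " prefix and require only that the
# description mentions a script and text, in that order, so later wordings
# such as ", ASCII text executable, with very long lines" still match while
# a binary such as an ELF executable does not.
is_script_robust() {
    desc=${1#*: }
    case "$desc" in
        *script*text*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report a checker's verdict as a string: "script" or "not-a-script".
# $1 is the checker function name, $2 the `file` output line.
classify() {
    if "$1" "$2"; then
        echo script
    else
        echo not-a-script
    fi
}

# Run the real `file` command on a path and classify it with the robust check.
# Returns 2 if `file` itself fails (e.g. the path does not exist).
check_path() {
    out=$(file "$1") || return 2
    classify is_script_robust "$out"
}

# When given a path on the command line, check it; otherwise just print the
# verdicts for the embedded samples so the difference is visible.
if [ "$#" -gt 0 ]; then
    check_path "$1"
else
    for s in "$OLD_FILE_OUTPUT" "$NEW_FILE_OUTPUT" "$ELF_FILE_OUTPUT"; do
        printf '%s\n  brittle: %s\n  robust:  %s\n' "$s" \
            "$(classify is_script_brittle "$s")" \
            "$(classify is_script_robust "$s")"
    done
fi
```

Run it with no arguments to see the brittle check reject the file 5.07 wording while the robust one accepts both; run it with a path (for example `sh check.sh /usr/bin/rkhunter`) to apply the robust check to the real `file` output. The broader point for any integrity tool that parses `file` output: it is free text that changes across releases, so a check should key on the stable tokens it actually needs, and a mismatch should be reported alongside the raw `file` line, as rkhunter did here, so the administrator can see the contradiction.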
rkhunter-1.3.8-7.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/rkhunter-1.3.8-7.fc15
rkhunter-1.3.8-8.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15
Package rkhunter-1.3.8-8.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.3.8-8.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15
then log in and leave karma (feedback).
rkhunter-1.3.8-8.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.