Rkhunter reporting bad hashes for most binaries.

smoked1
This box has not been up very long and I have taken some pretty good security measures so I don't think it has been hacked. I hope that they just have not updated their hashes or something. I just installed rkhunter and it tells me this:

Performing 'known good' check...
/bin/cat [ BAD ]
/bin/chmod [ BAD ]
/bin/chown [ BAD ]
/bin/date [ BAD ]
/bin/dmesg [ BAD ]
/bin/env [ BAD ]
/bin/grep [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ BAD ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/ps [ BAD ]
/bin/su [ OK ]
/sbin/chkconfig [ BAD ]
/sbin/depmod [ BAD ]
/sbin/ifconfig [ OK ]
/sbin/init [ BAD ]
/sbin/insmod [ BAD ]
/sbin/ip [ BAD ]
/sbin/lsmod [ BAD ]
/sbin/modinfo [ BAD ]
/sbin/modprobe [ BAD ]
/sbin/rmmod [ BAD ]
/sbin/runlevel [ BAD ]
/sbin/sulogin [ BAD ]
/sbin/sysctl [ BAD ]
/sbin/syslogd [ OK ]
/usr/bin/chattr [ BAD ]
/usr/bin/du [ BAD ]
/usr/bin/file [ OK ]
/usr/bin/find [ BAD ]
/usr/bin/head [ BAD ]
/usr/bin/killall [ BAD ]
/usr/bin/lsattr [ BAD ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ BAD ]
/usr/bin/pstree [ BAD ]
/usr/bin/sha1sum [ BAD ]
/usr/bin/slocate [ BAD ]
/usr/bin/stat [ BAD ]
/usr/bin/strings [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/users [ BAD ]
/usr/bin/vmstat [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
/usr/bin/wc [ BAD ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ BAD ]
/usr/bin/who [ BAD ]
/usr/bin/whoami [ BAD ]
/usr/sbin/xinetd [ OK ]
 
This link should answer your question - read the entire solution to question 4.4 (halfway down the page) from http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034

There is a file/script (hashupd) that you will need to download. It's on their download page. Read the directions from the link above, run it, and after that you should be fine.

A snippet from rkhunter FAQ 4.4 here:

4.4) I use prelinking, but after performing some updates, all, or
some, binaries are 'BAD' when running the MD5 hash check.
What can I do?

The first thing would be to verify that the update is the cause
of the reported 'BAD' files. Checking the system log files
should indicate what has been updated.

If the update is the cause, then it is most likely that the
prelinking database has become out of step with the rkhunter
local MD5 hash values. To correct this will require rebuilding
the prelinking database and the rkhunter local hash values.
Prelinking is used by the system to optimize the use of binary
files and libraries..........

The rest of the answer is on their page.

Hope that helps.
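The FAQ answer above says to check first whether a package update explains the BAD results and only then rebuild the prelink database and the rkhunter hash store. The script below is an added example for that first step; it is not from the thread, the FAQ or the rkhunter project. It assumes an RPM-based box like the one in the thread, the rkhunter output saved to a file, and rpm(8) available; prelink(8) is used only when it is installed. For each path rkhunter marked BAD it finds the owning package, takes the MD5 that rpm recorded at install time (fourth field of `rpm -q --dump`), and compares it with the hash of the file after prelinking has been undone, since `prelink -y` writes the original, un-prelinked bytes to stdout. The hash-update step itself (the `hashupd` script mentioned in this thread, or `rkhunter --propupd` in later releases) is deliberately not automated: running it while a mismatch is still unexplained would bake a possibly trojaned binary into the baseline.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): explain rkhunter "[ BAD ]" hash
# results on an RPM-based system before updating the local hash store.
# Assumes: saved rkhunter output file, rpm(8); prelink(8) is optional.

# Pull the paths marked BAD out of saved rkhunter output, e.g. "/bin/ls [ BAD ]".
bad_paths() {
    sed -n 's/^\(\/[^ ]*\)[[:space:]]*\[ BAD \][[:space:]]*$/\1/p' "$1"
}

# MD5 of stdin as a bare hex string; md5sum where present, openssl otherwise.
md5_stdin() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 -r | cut -d' ' -f1
    fi
}

# MD5 of a binary with prelinking undone. `prelink -y` (verify) emits the
# un-prelinked content on stdout; if prelink is absent or the file is not
# prelinked, hash the file as it is on disk.
unprelinked_md5() {
    if command -v prelink >/dev/null 2>&1 && prelink -y "$1" >/dev/null 2>&1; then
        prelink -y "$1" | md5_stdin
    else
        md5_stdin < "$1"
    fi
}

# Compare a recorded MD5 (e.g. from `rpm -q --dump`) with the un-prelinked
# file hash. Prints a verdict; returns 0 on match, 1 on mismatch.
check_against() {   # check_against PATH EXPECTED_MD5
    actual=$(unprelinked_md5 "$1")
    if [ "$actual" = "$2" ]; then
        echo "$1: matches package MD5 $actual"
        return 0
    fi
    echo "$1: MISMATCH (package $2, file $actual)"
    return 1
}

# Driver for a real box: for every BAD path, find the owning package and
# compare against the MD5 rpm stored at install time (4th --dump field).
# A match plus a recent `rpm -q --last` date for that package means the
# update, not a rootkit, explains the BAD result.
triage_with_rpm() {   # triage_with_rpm RKHUNTER_OUTPUT_FILE
    bad_paths "$1" | while read -r p; do
        pkg=$(rpm -qf "$p" 2>/dev/null) || { echo "$p: not owned by any package"; continue; }
        expected=$(rpm -q --dump "$pkg" | awk -v f="$p" '$1 == f { print $4 }')
        check_against "$p" "$expected" && echo "  owner: $pkg (install date: rpm -q --last $pkg)"
    done
}

# Usage: sh triage.sh rkhunter-output.txt
if [ $# -gt 0 ]; then
    triage_with_rpm "$1"
fi
```

A file that is "not owned by any package" or that mismatches even after prelinking is undone is the case that needs a real investigation, not a hash update. `rpm -V` on the owning package is a useful cross-check, but an rpm build that is not prelink-aware will flag the same files for the same reason, so read its output with that in mind.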
 
Hi,

Did you find a solution for this? I installed RkHunter and it is giving errors on bad hashes:

/bin/cat [ BAD ]
/bin/chmod [ BAD ]
/bin/chown [ BAD ]
/bin/date [ BAD ]
/bin/dmesg [ BAD ]
/bin/env [ BAD ]
/bin/grep [ OK ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ BAD ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ BAD ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ BAD ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/head [ BAD ]
/usr/bin/kill [ BAD ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ BAD ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ BAD ]
/usr/bin/strings [ OK ]
/usr/bin/top [ OK ]
/usr/bin/users [ BAD ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ BAD ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ BAD ]
/usr/bin/who [ BAD ]
/usr/bin/whoami [ BAD ]
/usr/sbin/xinetd [ OK ]

Is it something really BAD for the box? Where does rkhunter get the hashes?

Most of them are linked to coreutils-4.5.3-28.1 and util-linux-2.11y-31.18

I found that /usr/local/rkhunter/lib/rkhunter/db/defaulthashes.dat contains the hash values for a specific distribution e.g for RedHat Enterprise the OS ID is 722.

Do we know where rkhunter gets the values for these hashes?

The version number of Red Hat on the box is 2.4.21-47.ELsmp.

Do you think the reason I am getting these errors is the newly released version of Red Hat Enterprise Edition?


On another server, where I am running coreutils-4.5.3-28, I don't see any errors from rkhunter.

Any help would be really appreciated.
 