Hello,

FC3 server has a grep binary different from the one in the grep rpm. Rootkit Hunter found this:

    Info: prelinked files found
    Performing 'known good' check...
    /bin/egrep [ BAD ]
    /bin/fgrep [ BAD ]
    /bin/grep [ BAD ]

Indeed a diff on installed /bin/grep and the grep included in the installed rpm shows they are different:

    # diff /bin/grep ./grep
    Binary files /bin/grep and ./grep differ
    # ./grep --version
    grep (GNU grep) 2.5.1
    # /bin/grep --version
    grep (GNU grep) 2.5.1

Coincidentally I installed a new kernel and postfix just before the rkhunter alarm:

Yum log:

    Mar 14 11:30:24 Updated: rkhunter.noarch 1.2.8-1.fc3
    Mar 17 11:30:43 Updated: kernel-doc.noarch 2.6.12-2.3.legacy_FC3
    Mar 17 11:31:16 Installed: kernel.i686 2.6.12-2.3.legacy_FC3

Reboot was at Mar 18 18:06:39

    Mar 18 18:11:25 Erased: sendmail
    Mar 18 18:11:32 Erased: mutt
    Mar 18 18:11:55 Erased: squirrelmail
    Mar 18 18:12:23 Erased: fetchmail
    Mar 18 18:12:24 Erased: redhat-lsb
    Mar 18 18:12:26 Erased: mdadm
    Mar 18 18:14:16 Installed: postfix.i386 2:2.1.5-5

Email received by root from Rootkit Hunter Scan:

    Please inspect this machine, because it can be infected
    ...
    --------------------- Start Rootkit Hunter Update ---------------------
    Running rkhunter updater...
    Sun, 19 Mar 2006 04:03:22 +0000
    Finished rkhunter updater..
    Sun, 19 Mar 2006 04:03:23 +0000
    Ready.

    ---------------------- Start Rootkit Hunter Scan ----------------------
    Checking for differences in user accounts... Found differences
    Info:
    ----------------------
    < postfix:x:89:89::/var/spool/postfix:/sbin/nologin
    ----------------------
    Info: Some items have been added (items marked with '<')
    Checking for differences in user groups... Found differences
    Info:
    ----------------------
    < mail:x:12:mail,postfix
    > mail:x:12:mail
    < postdrop:x:90:
    < postfix:x:89:
    ----------------------
    Info: Some items have been added (items marked with '<')
    ...
    MD5
    MD5 compared: 92
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 342
    Possible infected files: 0

    --------------------- Start Rootkit Hunter Update ---------------------
    Running rkhunter updater...
    Mon, 20 Mar 2006 04:04:19 +0000
    Finished rkhunter updater..
    Mon, 20 Mar 2006 04:04:19 +0000
    Ready.

    ---------------------- Start Rootkit Hunter Scan ----------------------
    Info: prelinked files found
    Performing 'known good' check...
    /bin/egrep [ BAD ]
    /bin/fgrep [ BAD ]
    /bin/grep [ BAD ]

How to further investigate it? I can't see a reason for the changed grep binary.

Regards,
Clodoaldo Pinto