Hello. I hope I'm posting this in the right section.
My system works fine.
I ran rkhunter to check my system and saw some warnings about differing current and stored hashes for many /usr/bin/ files.
Like:
[21:08:26] /usr/bin/sha1sum [ Warning ]
[21:08:26] Warning: The file properties have changed:
[21:08:26] File: /usr/bin/sha1sum
[21:08:26] Current hash: 54e35efa1d55d8ca68396040988ffed066fa7c4e
[21:08:26] Stored hash : 51d54c52e7167a1018042ab690a203a2a3b3a200
[21:08:26] Current size: 35520 Stored size: 35584
[21:08:26] Current file modification time: 1436129995 (05-Jul-2015 23:59:55)
[21:08:26] Stored file modification time : 1405799257 (19-Jul-2014 22:47:37)
[21:08:27] /usr/bin/sha224sum [ Warning ]
[21:08:27] Warning: The file properties have changed:
[21:08:27] File: /usr/bin/sha224sum
[21:08:27] Current hash: c6735ea19256079f9a72c83ebae4f9af2f02cbca
[21:08:27] Stored hash : 658c0ed32b93d597a60eae7038537f9887143dd1
[21:08:27] Current size: 39648 Stored size: 39712
[21:08:27] Current file modification time: 1436129995 (05-Jul-2015 23:59:55)
[21:08:27] Stored file modification time : 1405799257 (19-Jul-2014 22:47:37)
[21:08:27] /usr/bin/sha256sum [ Warning ]
[21:08:27] Warning: The file properties have changed:
[21:08:27] File: /usr/bin/sha256sum
[21:08:27] Current hash: f82f2258f1240b3b7d55d4f677221df1e1e96139
[21:08:27] Stored hash : cc3bd5e5689358ac2a8c9a49e15a2b42a4d67eb1
[21:08:28] Current size: 39648 Stored size: 39712
[21:08:28] Current file modification time: 1436129995 (05-Jul-2015 23:59:55)
[21:08:28] Stored file modification time : 1405799257 (19-Jul-2014 22:47:37)
[21:08:28] /usr/bin/sha384sum [ Warning ]
[21:08:28] Warning: The file properties have changed:
[21:08:28] File: /usr/bin/sha384sum
[21:08:28] Current hash: 356c070fa013f63699950d45d6679e2a5ba4e7c5
[21:08:28] Stored hash : 58987e03cc844ee7349048a14f6147f4ffff484e
[21:08:28] Current size: 39648 Stored size: 39712
[21:08:28] Current file modification time: 1436129995 (05-Jul-2015 23:59:55)
[21:08:28] Stored file modification time : 1405799257 (19-Jul-2014 22:47:37)
and many other files...
Is it dangerous?
Last edited by alex.theoto (2015-07-16 05:16:58)
After reading how rkhunter works, I think they are false warnings.
The system was installed months ago and rkhunter a day ago.
I have to update its database with the --propupd flag.
Since I only use updates from the Arch repo, these warnings are from package updates which changed /usr/bin files.
I'll set this post as solved.
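As an added example (not part of the original posts, and not rkhunter's own code), this Python snippet parses warnings in the log format quoted above and groups the changed files by their current modification time, which shows at a glance that the sha*sum binaries in the log all changed together. The function names and the /usr/bin/example-tool record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed input: two records copied from the log in the first post (trimmed to
# the fields used here) plus one made-up record, /usr/bin/example-tool.
SAMPLE_LOG = """\
[21:08:26] File: /usr/bin/sha1sum
[21:08:26] Current hash: 54e35efa1d55d8ca68396040988ffed066fa7c4e
[21:08:26] Stored hash : 51d54c52e7167a1018042ab690a203a2a3b3a200
[21:08:26] Current file modification time: 1436129995 (05-Jul-2015 23:59:55)
[21:08:27] File: /usr/bin/sha224sum
[21:08:27] Current hash: c6735ea19256079f9a72c83ebae4f9af2f02cbca
[21:08:27] Stored hash : 658c0ed32b93d597a60eae7038537f9887143dd1
[21:08:27] Current file modification time: 1436129995 (05-Jul-2015 23:59:55)
[21:08:29] File: /usr/bin/example-tool
[21:08:29] Current hash: 0000000000000000000000000000000000000001
[21:08:29] Stored hash : 0000000000000000000000000000000000000002
[21:08:29] Current file modification time: 1436900000 (constructed)
"""

FIELD = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(File|Current hash|Stored hash|"
                   r"Current file modification time)\s*:\s*(\S+)")

def parse_warnings(log):
    """Return one dict per 'File:' record found in rkhunter log text."""
    records = []
    for line in log.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "File":
            records.append({"File": value})
        elif records:
            records[-1][key] = value
    return records

def group_by_current_mtime(records):
    """Map current mtime (epoch seconds) to the files whose hash changed."""
    groups = defaultdict(list)
    for r in records:
        mtime = r.get("Current file modification time")
        if mtime and r.get("Current hash") != r.get("Stored hash"):
            groups[int(mtime)].append(r["File"])
    return dict(groups)

def lone_files(groups):
    """Changed files that share their mtime with no other changed file."""
    return sorted(f for fs in groups.values() if len(fs) == 1 for f in fs)
```

A shared timestamp is only a triage hint, since modification times can be set arbitrarily. On Arch, `pacman -Qo <file>` names the owning package and `pacman -Qkk <package>` checks its files against the package's recorded properties, which is worth doing before refreshing the baseline with `rkhunter --propupd`.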