Suspicious file flagged by rkhunter
03-16-2018, 04:50 PM
Post: #1
Suspicious file flagged by rkhunter
Last night I noticed a delay of about a second between my keyboard or mouse input and the corresponding GUI response, switching input focus to a hidden window, for example. So this morning I ran rkhunter as superuser.

rkhunter gave me one warning:

Code:
[10:01:26] Running Rootkit Hunter version 1.4.0 on neptune1
[10:01:26]
[10:01:26] Info: Start date is Fri Mar 16 10:01:26 EDT 2018
[10:01:26]
[10:01:26] Checking configuration file and command-line options...
[10:01:26] Info: Detected operating system is 'Linux'
[10:01:26] Info: Found O/S name: Neptune
[10:01:26] Info: Command line is /usr/bin/rkhunter --check
[10:01:26] Info: Environment shell is /bin/bash; rkhunter is using dash
[10:01:26] Info: Using configuration file '/etc/rkhunter.conf'
[10:01:26] Info: Installation directory is '/usr'
[10:01:26] Info: Using language 'en'
.
.
.
[10:01:42]   /bin/cp                                         [ OK ]
[10:01:42]   /bin/date                                       [ OK ]
[10:01:42]   /bin/df                                         [ OK ]
[10:01:43]   /bin/dmesg                                      [ OK ]
[10:01:43]   /bin/echo                                       [ OK ]
[10:01:43]   /bin/ed                                         [ Warning ]
[10:01:43] Warning: The file '/bin/ed' exists on the system, but it is not present in the rkhunter.dat file.
[10:01:43]   /bin/egrep                                      [ OK ]
[10:01:43] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[10:01:43]   /bin/fgrep                                      [ OK ]
[10:01:43] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[10:01:43]   /bin/fuser                                      [ OK ]
[10:01:43]   /bin/grep          
.
.
.
Displaying the file that it warned me about, as user, showed:

Code:
$ ls -Fdltr /bin/ed
-rwxr-xr-x 1 root root 47616 May 29  2012 /bin/ed*


The star suffix means it is executable. This looks suspicious because I did not install this operating system (Neptune 4.5 KDE Plasma 5.8.7 kernel 4.9.30 wheezy) until the summer of 2017.
However, other shell utilities also have old dates:
Code:
$ ls -Fdltr /bin/grep
-rwxr-xr-x 1 root root 175488 May 13  2012 /bin/grep*
$ ls -Fdltr  /bin/cat
-rwxr-xr-x 1 root root 56064 May 28  2015 /bin/cat*
Should I shred the flagged file (/bin/ed) since I never use this editor?
Or does some part of Neptune call it? Do I need to update rkhunter.dat ? Should I just ignore this warning?
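One way to triage a "not present in the rkhunter.dat file" warning before deciding whether to remove the file, refresh the database, or ignore it. This is an added example, not code from the thread or from the rkhunter project. It assumes a Debian-style system with dpkg (Neptune is wheezy-based), that the properties database lives at /var/lib/rkhunter/db/rkhunter.dat (override with RKH_DAT), and that each tracked file appears there as a `File:<path>:...` record; the embedded log excerpt is constructed in the same layout as the output quoted above. The idea is that a binary owned by an installed package, whose on-disk checksum still matches the package's recorded checksums (debsums), is a stale database entry rather than a tampered file, and `rkhunter --propupd` is then the right fix; a file no package claims is the case worth investigating further.

```shell
#!/bin/sh
# Triage rkhunter "[ Warning ]" results for the file-properties check.
# Added example, not from the thread or the rkhunter project.
# Assumptions: dpkg-based system; properties database path below.
RKH_DAT="${RKH_DAT:-/var/lib/rkhunter/db/rkhunter.dat}"

# Constructed excerpt in the layout of the rkhunter log quoted in the thread.
RKH_LOG=$(cat <<'EOF'
[10:01:43]   /bin/dmesg                                      [ OK ]
[10:01:43]   /bin/echo                                       [ OK ]
[10:01:43]   /bin/ed                                         [ Warning ]
[10:01:43] Warning: The file '/bin/ed' exists on the system, but it is not present in the rkhunter.dat file.
[10:01:43]   /bin/egrep                                      [ OK ]
EOF
)

# Print the path of every per-file check that ended in "[ Warning ]".
# Reads the log from $1 if given, otherwise the embedded excerpt.
# Fields: $1 timestamp, $2 path, $3 "[", $4 status, $5 "]".
flagged_files() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$RKH_LOG"; fi |
        awk '$3 == "[" && $4 == "Warning" { print $2 }'
}

# True if $1 has a record in the properties database $2.
# Record layout "File:<path>:..." is an assumption; fixed-string match.
in_property_db() {
    grep -Fq "File:$1:" "$2" 2>/dev/null
}

# Print the package that owns $1 (dpkg -S prints "pkg: /path"),
# nothing if no package claims it or dpkg is unavailable.
owning_package() {
    command -v dpkg >/dev/null 2>&1 || return 1
    dpkg -S "$1" 2>/dev/null | cut -d: -f1
}

# For each flagged file: is it already tracked, and who owns it?
triage() {
    for f in $(flagged_files "$@"); do
        if in_property_db "$f" "$RKH_DAT"; then
            echo "$f: already recorded in $RKH_DAT (stale warning?)"
        else
            echo "$f: not recorded in $RKH_DAT"
        fi
        pkg=$(owning_package "$f")
        if [ -n "$pkg" ]; then
            echo "$f: owned by package '$pkg'; verify checksums with: debsums $pkg"
            echo "$f: if debsums is clean, refresh the database with: rkhunter --propupd"
        else
            echo "$f: no installed package claims this file; investigate before trusting it"
        fi
    done
}

# Run against a saved rkhunter log if given, else the embedded excerpt.
triage "$@"
```

Run it as root with the path to a saved log (`/var/log/rkhunter.log` on Debian) or with no arguments to see it work on the embedded excerpt; the output tells you whether the warning is a database that is merely out of date or a file that deserves a closer look.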
03-16-2018, 06:55 PM (This post was last modified: 03-16-2018 06:57 PM by leszek.)
Post: #2
RE: Suspicious file flagged by rkhunter
Quote: Or does some part of Neptune call it? Do I need to update rkhunter.dat ? Should I just ignore this warning?
Just throw this obviously useless application away (rkhunter). If you don't download stuff from shady websites you should not fear or even care about running this application.
Also, this is not the first time this app has shown false positives.
Ed is an editor and core to the system. I guess some script might need and use it. But of course you can remove the ed package and see if there is anything depending on it.
By default we don't ship ed on our system.