ServerTune


RKhunter report: The command '/usr/bin/ldd' has been replaced by a script

If your system is secure and clean, this is a false alarm. We believe that many Linux distributions (I checked this on CentOS v5) have:

/usr/bin/ldd
/usr/bin/whatis
/usr/bin/fgrep
/usr/bin/egrep

as shell scripts that merely wrap an ELF binary (grep, for example). This helps maintain some level of script compatibility between different flavors of Linux. rkhunter is most likely just expecting to see an ELF binary in those locations rather than a shell script. The other commands are plain-text shell scripts on many distros too, so they are probably fine as well. One nice thing is that you can open these scripts in your favorite Linux editor, such as vi, nano, or pico, which makes it easy to verify their contents for safety. Although it is certainly not out of the question, it is a reasonably safe assumption that no self-respecting rootkit would install itself in such a visible manner. Once again, if your system is secure and clean, you can whitelist these scripts in the rkhunter configuration file, /etc/rkhunter.conf, under the following header:

# Allow the specified commands to be scripts.
# One command per line (use multiple SCRIPTWHITELIST lines).
# Use the exact path rkhunter reports in its warning (here /usr/bin/ldd,
# not /sbin/ldd), otherwise the entry has no effect.
#
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis

To make sure that your files have not been replaced, run the checksum command at the prompt on this system and on a trusted, clean system and compare the MD5s of those scripts. That's about the best way to put your mind at ease. If you do see a strangely modified binary, we suggest you seek professional help to check on your server.
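The comparison described above, written out as an added example (this is not code from the ServerTune article): a manifest of checksums is produced on the trusted host, copied across, and checked on the suspect host. The article talks about MD5; the example uses SHA-256 since the workflow is identical and the hash is stronger. The manifest format, the file_kind helper and the demo() function with its constructed stand-in scripts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the ServerTune article: build a checksum manifest
# of the wrapper scripts rkhunter flags on a trusted, clean host, then verify the
# same paths on the suspect host against it. Manifest format, file_kind and
# demo() are this example's own assumptions.
set -u

# Paths the article lists as shell scripts on CentOS 5.
# On the clean host:   make_manifest $SUSPECT_FILES > manifest.txt
# On the suspect host: check_manifest manifest.txt
SUSPECT_FILES="/usr/bin/ldd /usr/bin/whatis /usr/bin/fgrep /usr/bin/egrep"

# file_kind FILE : print "elf" for an ELF binary, "script" otherwise,
# judged by the first four bytes (7f 45 4c 46 is the ELF magic).
file_kind() {
    case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
        7f454c46) echo elf ;;
        *)        echo script ;;
    esac
}

# make_manifest FILE... : print "<sha256>  <path>  <kind>" for each existing file.
# Run this on the clean reference system and copy the output to the suspect host.
make_manifest() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skipping missing $f" >&2
            continue
        fi
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s  %s\n' "$sum" "$f" "$(file_kind "$f")"
    done
}

# check_manifest MANIFEST : re-hash each listed path on this host.
# Returns 0 when every file matches, 1 if any file is missing or changed.
# The current kind is printed next to the recorded one, so a script that
# has become an ELF binary (the reverse of the benign case) stands out.
check_manifest() {
    rc=0
    while read -r expected path kind; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        now=$(file_kind "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path ($kind)"
        else
            echo "CHANGED  $path (recorded as $kind, now $now)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# demo : constructed stand-ins for the real wrappers, so the example runs
# anywhere without touching /usr/bin. Returns the post-modification check result.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$tmp/egrep"
    printf '#!/bin/sh\nexec grep -F "$@"\n' > "$tmp/fgrep"
    make_manifest "$tmp/egrep" "$tmp/fgrep" > "$tmp/manifest.txt"
    echo "--- clean check ---"
    check_manifest "$tmp/manifest.txt"
    echo 'echo extra line' >> "$tmp/egrep"     # simulate a modified wrapper
    echo "--- after modification ---"
    check_manifest "$tmp/manifest.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo; then
    echo "demo: no changes detected"
else
    echo "demo: the modified wrapper was detected"
fi
```

Carry manifest.txt over on read-only media or through a channel you trust; a manifest generated on the suspect host itself proves nothing.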

If you get these errors:

The file of known backdoor ports (backdoorports.dat) is missing or empty.
If it has been deleted, then you will need to run 'rkhunter --update'.
The file of unsecure application versions (programs_bad.dat) is missing or empty.

To fix them, run rkhunter --update to refresh the rkhunter database, as the message suggests.

Then make sure the missing files exist. If they don't, you can create them manually. Don't forget to set the correct permissions and ownership on them.
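A small check for the two data files named in the error messages, as an added example (not code from the ServerTune article). It reports a file as a failure when it is missing or empty, which are exactly the two conditions the messages complain about, and warns when owner or mode differ from what you expect. The data directory (/var/lib/rkhunter/db, rkhunter's usual default), the expected root ownership and 644 mode, and the use of GNU stat are assumptions of this example; adjust them to your system.

```shell
#!/bin/sh
# Added example, not code from the ServerTune article: verify that the rkhunter
# data files named in the error messages exist, are non-empty, and carry the
# expected owner and mode. DBDIR, WANT_OWNER, WANT_MODE and GNU stat -c are
# assumptions of this example.
set -u

DBDIR=${RKHUNTER_DBDIR:-/var/lib/rkhunter/db}
DAT_FILES="backdoorports.dat programs_bad.dat"
WANT_OWNER=root
WANT_MODE=644

# check_dat_files DIR : report on each expected data file in DIR.
# Returns 1 if any file is missing or empty (what the error messages report),
# 0 otherwise; ownership/mode mismatches are warnings only.
check_dat_files() {
    dir=$1
    rc=0
    for name in $DAT_FILES; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            echo "MISSING  $f  (run 'rkhunter --update', then re-check)"
            rc=1
            continue
        fi
        if [ ! -s "$f" ]; then
            echo "EMPTY    $f  (rkhunter treats this like a missing file)"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$WANT_OWNER" ] || [ "$mode" != "$WANT_MODE" ]; then
            echo "WARN     $f is $owner mode $mode (expected $WANT_OWNER $WANT_MODE)"
        else
            echo "OK       $f"
        fi
    done
    return $rc
}

if check_dat_files "$DBDIR"; then
    echo "all rkhunter data files present in $DBDIR"
else
    echo "one or more rkhunter data files need attention in $DBDIR"
fi
```

Note that creating an empty file by hand only changes "missing" into "empty"; the files still need real content, which rkhunter --update supplies.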

You can also whitelist hidden directories such as /etc/.java in the /etc/rkhunter.conf file (the ALLOWHIDDENDIR option).
