RKhunter report: The command '/usr/bin/ldd' has been replaced by a script
Posted: 02 Feb, 2008
by: Support T.
Updated: 02 Feb, 2008
by: Support T.

If your system is secure and clean, this is a false alarm. We believe that many Linux distributions (I checked this on CentOS v5) have:

    /usr/bin/ldd
    /usr/bin/whatis
    /usr/bin/fgrep
    /usr/bin/egrep

as shell scripts that merely call the grep ELF binary. This helps maintain some level of script compatibility between different flavors of Linux. It is likely that rkhunter is simply expecting to see an ELF binary in those locations rather than a shell script. The other commands are also plain-text shell scripts on many distros, so those warnings are probably fine as well. One nice thing is that you can open these scripts in your favorite Linux editor, such as vi, nano, or pico, which makes it easy to verify their contents. Although it's certainly not out of the question, it is probably a reasonably safe assumption that no self-respecting rootkit would install itself in such a visible manner. Once again, if your system is secure and clean, you can whitelist these scripts in the rkhunter configuration file, /etc/rkhunter.conf, under the following header:
    # Allow the specified commands to be scripts.
    # One command per line (use multiple SCRIPTWHITELIST lines).
    #
    SCRIPTWHITELIST=/sbin/ldd
    SCRIPTWHITELIST=/sbin/whatis


To verify whether these files have been replaced, run this command at the prompt on a trusted and clean system and compare the resulting MD5 sums with those of the scripts in question. That is about the best way to put your mind at ease. If you do find a strangely modified binary, we suggest you seek professional help to check your server.

  • /usr/bin/md5sum /usr/bin/FILE_IN_QUESTION
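As an added example (not code from this article or from rkhunter itself), the following POSIX shell script ties the steps above together: it classifies each flagged command by its first bytes, compares each file's MD5 with a baseline recorded on a trusted and clean system, and only then proposes SCRIPTWHITELIST lines for files that really are text scripts and are not already listed in /etc/rkhunter.conf. The file name baseline.md5, the function names, and the two-argument usage are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article or from rkhunter itself.
# Assumed workflow: on a trusted, clean system running the same distribution
# and package versions, record a baseline with
#     md5sum /usr/bin/ldd /usr/bin/whatis /usr/bin/fgrep /usr/bin/egrep > baseline.md5
# then copy baseline.md5 to the suspect system and run the checks below there.

# Print "elf", "script", "other" or "missing" based on the file's first bytes.
# A text script starts with "#!" (hex 23 21); an ELF binary with 7f 45 4c 46.
classify_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 0; }
    hex=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        7f454c46) echo "elf" ;;
        2321*)    echo "script" ;;
        *)        echo "other" ;;
    esac
}

# Compare every "<md5>  <path>" line of the baseline with the live file.
# Prints one status line per path; returns 1 if anything differs or is gone.
verify_against_baseline() {
    baseline="$1"
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"; rc=1; continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path ($(classify_file "$path"))"
        else
            echo "MISMATCH  $path expected=$expected actual=$actual"; rc=1
        fi
    done < "$baseline"
    return "$rc"
}

# Emit a SCRIPTWHITELIST line for each path that really is a text script and
# is not already whitelisted in the given rkhunter.conf. Nothing is written;
# append the output to the config only after the hashes have checked out.
propose_whitelist() {
    conf="$1"; shift
    for p in "$@"; do
        [ "$(classify_file "$p")" = "script" ] || continue
        grep -qxF "SCRIPTWHITELIST=$p" "$conf" 2>/dev/null && continue
        echo "SCRIPTWHITELIST=$p"
    done
}

# Usage (assumed): sh check_flagged.sh baseline.md5 /etc/rkhunter.conf
# Paths are taken from the second column of the baseline (no spaces expected).
if [ "$#" -eq 2 ]; then
    verify_against_baseline "$1" && \
        propose_whitelist "$2" $(awk '{print $2}' "$1")
fi
```

The whitelist entries must use the exact path rkhunter reported (in this article /usr/bin/ldd, whereas the sample comment in rkhunter.conf shows /sbin/ldd). On an RPM-based system such as CentOS, `rpm -Vf /usr/bin/ldd` performs a comparable check against the package database and flags a digest mismatch for the file.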
If you get these errors:

    The file of known backdoor ports (backdoorports.dat) is missing or empty.
    If it has been deleted, then you will need to run 'rkhunter --update'.
    The file of unsecure application versions (programs_bad.dat) is missing or empty.

run this command to update the rkhunter database:

  • /usr/local/bin/rkhunter --update

Then make sure the missing files exist. If they do not, you can create them manually. Don't forget to set the correct permissions and ownership on them.
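The following check is an added example, not part of the original article or of rkhunter: after running the update (or creating the files by hand) it reports whether each data file named in the warnings above is missing, empty, not owned by root, or writable by group or world. The database directory is an assumption and has to be set to wherever your rkhunter build keeps its data files; treating "root-owned and not group/world-writable" as the correct state is likewise this example's assumption.

```shell
#!/bin/sh
# Added example, not code from the original article or from rkhunter.
# The directory below is an assumption; adjust it to your installation.
RKHUNTER_DB_DIR="${RKHUNTER_DB_DIR:-/var/lib/rkhunter/db}"

# Report the state of one data file. Prints "ok" or a space-separated list of
# problems ("missing", "empty", "not-root-owned", "group-or-world-writable").
# Returns 1 when any problem was found.
check_db_file() {
    dir="$1"; name="$2"
    f="$dir/$name"
    problems=""
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    [ -s "$f" ] || problems="$problems empty"
    if [ -n "$(find "$f" ! -user root 2>/dev/null)" ]; then
        problems="$problems not-root-owned"
    fi
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        problems="$problems group-or-world-writable"
    fi
    if [ -z "$problems" ]; then
        echo "ok"
        return 0
    fi
    echo "${problems# }"
    return 1
}

# Check every file the warnings quoted above complain about.
# Returns 1 if any of them has a problem.
check_all() {
    dir="$1"; rc=0
    for name in backdoorports.dat programs_bad.dat; do
        status=$(check_db_file "$dir" "$name") || rc=1
        printf '%-20s %s\n' "$name" "$status"
    done
    return "$rc"
}

# Usage (assumed): sh check_rkhunter_db.sh [db-directory]
if [ "$#" -gt 0 ]; then
    check_all "$1"
elif [ -d "$RKHUNTER_DB_DIR" ]; then
    check_all "$RKHUNTER_DB_DIR"
fi
```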

You can also whitelist hidden directories such as /etc/.java in the /etc/rkhunter.conf file.
