Verifying rkhunter file warnings
I ran into this problem when my rkhunter installation detected changed files (due to updates), and I came across this solution by steve while searching for a fix.
Of course, since there could be a rootkit/trojan/other malicious code running on your system — exactly what rkhunter is meant to detect — you should NOT fully trust anything that runs on that machine. But I had to rely on this solution temporarily until I could get the system (rebooted and) checked out properly using a tool like Finnix.
I am reposting the script here for reference, but you can get the most recent copy of the script here.
#!/bin/bash
# Usage text, printed when the script is not given exactly one argument.
# The leading and trailing newlines are part of the message on purpose.
desc="
This script will verify whether files for which rkhunter has logged a
warning for is still valid. It does this by finding which debian package
it came out of, and downloads them, unpacks them, then checks
the checksums.
Run it by supplying a rkhunter log file as first argument
"
# Checksum tool applied to both the live file and the freshly unpacked copy.
HASHER=sha256sum
# Word-split on newlines only: the lists handed around below are one path or
# package per line, so this keeps paths containing spaces intact when they
# are expanded unquoted in the loops.
IFS=$'\n'
find_suspect_files() {
  # Print, one per line, every "File:" path that appears within one line of a
  # "Warning" entry in the rkhunter log named by $1.  Progress goes to stderr
  # so that stdout carries nothing but the paths.
  local log=$1
  printf '%s\n' "parsing $log for suspect files" >&2
  grep -C 1 Warning "$log" | grep File | sed 's|.*File: ||'
}
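#######################################
# Map each suspect path (one per line in $1) to the Debian package that owns
# it, printing one package name per line on stdout and progress on stderr.
# Paths that are not absolute, or that no package owns, are reported on
# stderr and skipped instead of producing an empty line.
# Arguments: $1 - newline-separated list of absolute file paths
# Outputs:   package names on stdout, diagnostics on stderr
#######################################
find_packages() {
  local IFS=$'\n'   # one path per line, independent of the caller's IFS
  local suspect_file package
  echo "finding packages" 1>&2
  for suspect_file in $1; do
    # rkhunter logs absolute paths; anything else cannot be a file we can map
    # and must not be handed to dpkg, where a leading '-' would parse as an
    # option.
    case "$suspect_file" in
      /*) ;;
      *) echo "skipping non-absolute path: $suspect_file" 1>&2; continue ;;
    esac
    # dpkg -S prints "pkg: /path" (or "pkg1, pkg2: /path" for shared files);
    # diversion lines ("diversion by X from: /path") may precede the real
    # owner and are dropped.  Keep the first package name only.
    package=$(dpkg -S "$suspect_file" 2>/dev/null \
      | awk -F': ' '$1 !~ /diversion/ { print $1; exit }')
    package=${package%%,*}
    if [ -z "$package" ]; then
      echo "suspect file $suspect_file is not owned by any package" 1>&2
      continue
    fi
    echo "suspect file $suspect_file found in $package" 1>&2
    echo "$package"
  done
}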
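#######################################
# Turn a list of package names (one per line in $1) into "pkg=version"
# arguments for 'aptitude download', using the version that is actually
# installed.  Packages whose installed version cannot be determined are
# reported on stderr and skipped.
# Arguments: $1 - newline-separated package names
# Outputs:   one "pkg=version" per line on stdout, diagnostics on stderr
#######################################
make_aptitude_args() {
  local IFS=$'\n'   # one package per line, independent of the caller's IFS
  local package version
  echo "generating aptitude arguments" 1>&2
  for package in $1; do
    # Ask dpkg-query for the *installed* version.  'dpkg -p' reports the
    # "available" database, which apt-based systems often do not keep
    # current, so it can name a version other than the one on disk -- and the
    # whole point is to compare against the copy that was installed.
    version=$(dpkg-query -W -f='${Version}\n' "$package" 2>/dev/null)
    if [ -z "$version" ]; then
      echo "could not determine installed version of $package" 1>&2
      continue
    fi
    echo "$package=$version"
  done
}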
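#######################################
# Leave the ./tmp working directory created by setup, remove it, and exit.
# Arguments: $1 - exit status (optional; defaults to 0 instead of whatever the
#                 last command happened to return)
#######################################
cleanup() {
  echo "cleaning up"
  # Only wipe ./tmp when popd actually took us out of it.  cleanup is also
  # called before setup has run (no pushd yet), and in that case a
  # pre-existing ./tmp in the caller's directory must be left alone.
  if popd; then
    rm -rf -- tmp
  fi
  exit "${1:-0}"
}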
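#######################################
# Create an empty ./tmp working directory under the current directory and
# enter it (cleanup undoes this with popd + rm).  Exits with status 1 if the
# directory cannot be created or entered, because the download and unpack
# steps that follow must not run in whatever directory we happen to be in.
#######################################
setup() {
  echo "setting up"
  rm -rf -- tmp
  if ! mkdir -- tmp || ! pushd tmp; then
    echo "could not create or enter ./tmp" 1>&2
    exit 1
  fi
}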
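# ---- main --------------------------------------------------------------
# Exactly one argument: the rkhunter log to parse.  Everything below runs on
# the host under suspicion, so an "OK" is only as trustworthy as the dpkg,
# aptitude and $HASHER binaries on that host.
if [ $# -ne 1 ]; then
  echo "$desc"
  exit 1
fi

suspect_files=$(find_suspect_files "$1")
packages=$(find_packages "$suspect_files" | sort | uniq)
if [ -z "$packages" ]; then
  echo "***WARNING****"
  echo "No packages contain any of the suspect files!"
  cleanup 1
fi

aptitude_args=$(make_aptitude_args "$packages")
if [ -z "$aptitude_args" ]; then
  echo "***WARNING****"
  echo "Could not determine a version to download for any package!"
  cleanup 1
fi

setup
echo "downloading packages"
# $aptitude_args is deliberately unquoted: it holds one "pkg=version" per
# line and IFS is newline, so each line becomes its own argument.
if ! aptitude download $aptitude_args 1>/dev/null; then
  echo "aptitude download failed!"
  echo "args=$aptitude_args"
  cleanup 1
fi

echo "unpacking"
for deb_file in *.deb; do
  # Without nullglob an unmatched pattern is returned literally.
  if [ ! -e "$deb_file" ]; then
    echo "aptitude downloaded no .deb files!"
    cleanup 1
  fi
  # dpkg-deb extracts the filesystem tree whatever compression the data
  # member uses (gz, xz, ...), unlike a fixed 'ar -x' + 'tar zxf data.tar.gz'
  # pair, and leaves no control/data tarballs behind to delete.
  if ! dpkg-deb -x "$deb_file" . 1>/dev/null; then
    echo "failed to unpack $deb_file!"
    cleanup 1
  fi
done

# Exit status handed to cleanup: 0 only if every suspect file was found in
# its package and its checksum matched, so callers (cron, a wrapper) can act
# on the result.  Locally edited conffiles can legitimately show up as
# mismatches here.
status=0
for suspect_file in $suspect_files; do
  clean_copy=".$suspect_file"   # pristine copy, relative to ./tmp
  if [ ! -f "$clean_copy" ]; then
    echo "***WARNING****"
    echo "For some reason $clean_copy does not exist!"
    status=1
    continue
  fi
  printf '%s' "verifying $suspect_file... "
  suspect_sum=$($HASHER "$suspect_file" | awk '{print $1}')
  clean_sum=$($HASHER "$clean_copy" | awk '{print $1}')
  # Require a non-empty sum: an unreadable live file must not pass by
  # comparing two empty strings.
  if [ -n "$suspect_sum" ] && [ "$suspect_sum" = "$clean_sum" ]; then
    echo "OK"
  else
    echo
    echo "***WARNING****"
    echo "Checksum mismatch for $suspect_file!!!"
    echo "Should be: $clean_sum"
    echo "Is: $suspect_sum"
    status=1
  fi
done
cleanup "$status"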