<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>[blog.rayfoo] &#187; Finnix</title>
	<atom:link href="http://blog.rayfoo.info/tag/finnix/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.rayfoo.info</link>
	<description>Infosec, DFIR, tech geekery, thoughts and whatnot</description>
	<lastBuildDate>Wed, 25 Jan 2012 00:36:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Verifying rkhunter file warnings</title>
		<link>http://blog.rayfoo.info/2009/10/verifying-rkhunter-file-warnings</link>
		<comments>http://blog.rayfoo.info/2009/10/verifying-rkhunter-file-warnings#comments</comments>
		<pubDate>Mon, 12 Oct 2009 06:46:26 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Everything]]></category>
		<category><![CDATA[detection]]></category>
		<category><![CDATA[Finnix]]></category>
		<category><![CDATA[hardening]]></category>
		<category><![CDATA[rkhunter]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[scripts]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server administration]]></category>
		<category><![CDATA[tools]]></category>

		<guid isPermaLink="false">http://blog.rayfoo.info/?p=250</guid>
		<description><![CDATA[I got this problem as my rkhunter installation detected changed files (due to updates), so I encountered this solution by steve as I was searching for a solution. Of course, as there could be a root kit/trojan/malicious stuff running in your system as rkhunter's meant to detect, you should NOT fully trust anything running from [...]]]></description>
			<content:encoded><![CDATA[<p>I got this problem as my <a href="http://www.rootkit.nl/projects/rootkit_hunter.html">rkhunter</a> installation detected changed files (due to updates), so I encountered this <a href="http://www.shuningbian.net/2009/06/dealing-with-rkhunter-warnings.php">solution</a> by <a href="http://www.shuningbian.net/">steve</a> as I was searching for a solution.</p>
<p>Of course, as there could be a rootkit, trojan or other malicious code running in your system (exactly what rkhunter is meant to detect), you should NOT fully trust anything running from the machine. But I had to rely on this solution temporarily until I could get it (rebooted and) checked out properly using a tool like <a href="http://www.finnix.org/">Finnix</a>.<br />
I am reposting the script here for reference, but you can get the most recent copy of the script <a href="http://git.pictorii.com/?p=scripts.git;a=blob_plain;f=verify.sh;hb=rei">here</a>.<br />
<span id="more-250"></span></p>
<p>
<pre style="color:green">#!/bin/bash
# Verify files flagged by rkhunter against a freshly downloaded copy of the
# Debian package that owns them (usage text in desc below).
desc="
This script will verify whether files for which rkhunter has logged a
warning for is still valid. It does this by finding which debian package
it came out of, and downloads them, unpacks them, then checks
the checksums.

Run it by supplying a rkhunter log file as first argument
"

# Checksum tool applied to both the installed file and the pristine copy.
HASHER="sha256sum"

# Split words only on newlines: the file and package lists below are passed
# between functions as newline-separated strings, one entry per line.
IFS="
"
function find_suspect_files
{
	# Print the paths from "File: <path>" lines that sit next to a Warning
	# line in the rkhunter log named by $1, one path per line.
	local logfile
	logfile="$1"
	echo "parsing $logfile for suspect files" 1>&#038;2
	grep -1 Warning "$logfile" | grep File | sed 's|.*File: ||'
}

function find_packages
{
	# For every newline-separated path in $1, print the name of the Debian
	# package that owns it: first field of `dpkg -S`, trailing ':' removed.
	# A path no package owns yields an empty line.
	local path owner
	echo "finding packages" 1>&#038;2
	for path in $1
	do
		owner=$(dpkg -S $path | awk '{print $1}' | sed 's/.$//')
		echo "suspect file $path found in $owner" 1>&#038;2
		echo $owner
	done
}

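function make_aptitude_args
{
	# Turn the newline-separated package list in $1 into "name=version"
	# tokens for `aptitude download`, one per line, using the version that
	# is actually installed so the pristine copy matches what is on disk.
	echo "generating aptitude arguments" 1>&#038;2
	for package in $1
	do
		# `dpkg -p` is --print-avail: it reads /var/lib/dpkg/available, which
		# is not the installed version and is often stale or empty on
		# apt-managed hosts. dpkg-query -W reports the installed version.
		version=$(dpkg-query -W -f='${Version}' "$package")
		if [ -z "$version" ]
		then
			echo "could not determine installed version of $package, skipping" 1>&#038;2
			continue
		fi
		echo "$package=$version"
	done
}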

function cleanup
{
	# Leave the scratch directory entered by setup, delete it, and exit with
	# the status given as $1 (no argument: status of the last command).
	local status
	status="$1"
	echo "cleaning up"
	popd
	rm -rf tmp
	exit $status
}

function setup
{
	# Create a fresh ./tmp scratch directory and make it the working
	# directory; cleanup reverses this.
	local scratch
	scratch=tmp
	echo "setting up"
	rm -rf "$scratch"
	mkdir "$scratch"
	pushd "$scratch"
}

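# Entry point: exactly one argument, the rkhunter log file to check.
if [ $# -ne 1 ];
then
	echo "$desc"
	exit 1
fi

suspect_files=$(find_suspect_files "$1")

# Each suspect file must belong to an installed package, otherwise there is
# no pristine copy to compare against.
packages=$(find_packages "$suspect_files" | sort | uniq)

if [ -z "$packages" ];
then
	echo "***WARNING****"
	echo "No packages contain any of the suspect files!"
	cleanup 1
fi

aptitude_args=$(make_aptitude_args "$packages")

setup

echo "downloading packages"
# aptitude, dpkg, ar, tar and the hasher all run on the host under suspicion,
# so an "OK" below is provisional until the files are checked from trusted
# media (see the post's Finnix remark).
aptitude download $aptitude_args 1>/dev/null
if [ $? -ne 0 ];
then
	echo "aptitude download failed!"
	echo "args=$aptitude_args"
	cleanup 1
fi

echo "unpacking"
for deb_file in *.deb
do
	# An unmatched glob leaves the literal pattern; nothing to unpack then.
	[ -f "$deb_file" ] || continue
	ar -x "$deb_file"
	# The payload is not always data.tar.gz (data.tar.xz and others exist);
	# let tar detect the compression and stop on an unpack failure rather
	# than silently reporting every file as missing afterwards.
	for data_tar in data.tar.*
	do
		[ -f "$data_tar" ] || continue
		tar xf "$data_tar" || { echo "failed to unpack $data_tar from $deb_file"; cleanup 1; }
	done
	rm -rf data.tar.* control.tar.*
done

for suspect_file in $suspect_files
do
	# Pristine copy lives under ./tmp at the same absolute path, hence ".".
	if [ ! -f ".$suspect_file" ]
	then
		echo "***WARNING****"
		echo "For some reason .$suspect_file does not exist!"
		continue
	fi
	echo -n "verifying $suspect_file... "
	suspect_sum=$($HASHER "$suspect_file" | awk '{print $1}')
	clean_sum=$($HASHER ".$suspect_file" | awk '{print $1}')
	# Quoted, and an empty hash (unreadable file) counts as a mismatch instead
	# of turning into a test(1) syntax error.
	if [ -n "$clean_sum" ] &#038;&#038; [ "$suspect_sum" = "$clean_sum" ];
	then
		echo "OK"
	else
		echo
		echo "***WARNING****"
		echo "Checksum mismatch for $suspect_file!!!"
		echo "Should be: $clean_sum"
		echo "Is: $suspect_sum"
	fi
done
cleanup</pre></p>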
]]></content:encoded>
			<wfw:commentRss>http://blog.rayfoo.info/2009/10/verifying-rkhunter-file-warnings/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

