
My last rkhunter scan reported a couple of warnings that deserve to be checked. The main reason for my suspicion is that I wasn't on the machine at 03-Apr-2014 01:12:12 AM.

I googled to understand the purpose of the 2 files I mentioned in the question title, but I didn't find very helpful answers. Can anybody tell me what these files are for, and maybe also why/when they would be modified by the system itself?

[10:17:11] Warning: The file properties have changed:
[10:17:11]          File: /usr/sbin/sshd
[10:17:11]          Current hash: 900e153506754ceb7b19f3a01a3ad5e36d43d958
[10:17:11]          Stored hash : 55a1a63a46d84eb9d0322f96bd9a61f070e90698
[10:17:11]          Current inode: 149998    Stored inode: 142248
[10:17:11]          Current file modification time: 1396480332 (03-Apr-2014 01:12:12)
[10:17:11]          Stored file modification time : 1360359087 (08-Feb-2013 22:31:27)

[10:17:34] Warning: The file properties have changed:
[10:17:34]          File: /usr/bin/ssh
[10:17:34]          Current hash: 60366d414c711a70f9e313f5ff26213ca513b565
[10:17:34]          Stored hash : 1b410fb0de841737f963e1ee011989f155f41259
[10:17:34]          Current inode: 150030    Stored inode: 142203
[10:17:34]          Current file modification time: 1396480332 (03-Apr-2014 01:12:12)
[10:17:34]          Stored file modification time : 1360359087 (08-Feb-2013 22:31:27)

The apt log files are making me worry; I censored a couple of pieces of info. Apparently on 03-Apr-2014 I didn't install anything.

Start-Date: 2014-04-01  15:49:18
Commandline:  ***********
Install:  ***********
End-Date: 2014-04-01  15:49:29

Start-Date: 2014-04-08  14:03:52
Commandline:  ***********
Install:  ***********
End-Date: 2014-04-08  14:04:04

By the way, I think (hope) they are false positives [edit: not anymore]. Maybe the files were edited by some process of the system and weren't recorded in rkhunter's .dat file because I hadn't updated it. I came here to find some confirmation or some more paranoia.

Rui F Ribeiro
lese
  • What does your apt log say about upgrades around that time? Do you automatically install security upgrades? – Chris Down Apr 18 '14 at 09:51
  • Thank you for your hint. No, I still don't use automatic updates. I edited the question to add the apt log files - I'm getting worried é,è – lese Apr 18 '14 at 10:23
  • If the ssh and sshd binaries changed by themselves, and you are sure you didn't do it, that seems very suspicious. What kind of server is this? – jw013 Apr 18 '14 at 16:25

2 Answers


The hash of the program should NOT change if you did not update your SSH. Also, it shows you the time when the file was modified (03-Apr-2014), so if you did not update openssh packages, it is not a false positive.

ek9
  • Do you think that uninstalling openssh, purging the configuration files, and reinstalling it could help in any way to fix what has been done? – lese Apr 18 '14 at 12:26
  • Configuration files will have nothing to do with this. It's only 2 binary files that got changed, so only reinstalling the old version of the package will do. The modification date/time will be when the package was packaged, not installed. – ek9 Apr 18 '14 at 14:24
  • OK, thanks, and when does the process of packaging the package usually happen? I guess right after an upgrade or a fresh install, but not hours later, right? – lese Apr 18 '14 at 14:45
  • By "packaging" I mean when Debian packages it before releasing it to the repositories. But I am not sure about that, you need to test it yourself. – ek9 Apr 18 '14 at 19:46

Google brought me here. I guess I was also hacked. Same message from rkhunter. Here are some ways to analyze a little further.

To be sure, you can check the md5sum with

sudo cat /var/lib/dpkg/info/openssh-client.md5sums
md5sum /usr/bin/ssh

Another way is

dpkg --verify openssh-server

Empty output is OK; you have problems if you see ??5?????? /usr/sbin/sshd

You can also install debsums, which makes it easier to check

sudo apt-get install debsums
sudo debsums | grep -v OK

This was my list. I think it's still using local sums. It would be more secure if it could be done against an official Debian mirror. Does somebody know how to do this?

debsums: missing file /usr/include/openssl/x509_vfy.h (from libssl-dev:amd64 package)
debsums: missing file /usr/include/openssl/x509v3.h (from libssl-dev:amd64 package)
/usr/bin/scp                                                              FAILED
/usr/bin/sftp                                                             FAILED
/usr/bin/ssh                                                              FAILED
/usr/bin/ssh-add                                                          FAILED
/usr/bin/ssh-agent                                                        FAILED
/usr/bin/ssh-keygen                                                       FAILED
/usr/bin/ssh-keyscan                                                      FAILED
/usr/sbin/sshd                                                            FAILED
/usr/bin/rkhunter                                                         FAILED
varta
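As an added, stand-alone illustration (not code from the answer above or from the dpkg/debsums projects), this script re-implements the comparison that dpkg --verify and debsums perform: it reads a dpkg-style .md5sums file and reports each listed file as OK, FAILED or MISSING. It runs against a constructed .md5sums file and a scratch directory rather than the live /var/lib/dpkg/info database, so it has exactly the limitation the answer points out: it trusts whatever sums are stored locally.

```shell
#!/bin/sh
# Added example (not from the original answer): re-implements the check that
# dpkg --verify and debsums perform, against a CONSTRUCTED .md5sums file and a
# scratch directory instead of the live /var/lib/dpkg/info database.
# dpkg's .md5sums format is one entry per line: "<md5 hex>  <path without leading />".

# verify_md5sums <md5sums-file> <root>
# Prints one line per entry (OK, FAILED or MISSING, like debsums) and returns 0
# only if every listed file exists under <root> and matches its recorded sum.
verify_md5sums() {
    sums="$1"; root="$2"; bad=0
    while read -r expected path; do
        [ -z "$expected" ] && continue          # skip blank lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            printf '%-40s MISSING\n' "/$path"; bad=$((bad + 1)); continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf '%-40s OK\n' "/$path"
        else
            printf '%-40s FAILED\n' "/$path"; bad=$((bad + 1))
        fi
    done < "$sums"
    [ "$bad" -eq 0 ]
}

# --- constructed sample data standing in for an installed openssh package ---
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/root/usr/bin" "$DEMO/root/usr/sbin"
printf 'pristine ssh client\n' > "$DEMO/root/usr/bin/ssh"
printf 'pristine sshd\n'       > "$DEMO/root/usr/sbin/sshd"
printf 'pristine scp\n'        > "$DEMO/root/usr/bin/scp"
# Record the sums while the files are pristine, as dpkg does at install time.
( cd "$DEMO/root" && md5sum usr/bin/ssh usr/sbin/sshd usr/bin/scp ) > "$DEMO/openssh.md5sums"
# Simulate what the poster saw: one binary replaced, one file missing.
printf 'replaced sshd\n' > "$DEMO/root/usr/sbin/sshd"
rm "$DEMO/root/usr/bin/scp"

verify_md5sums "$DEMO/openssh.md5sums" "$DEMO/root" || echo "verification found problems"
```

On a real system, point the function at the package's file under /var/lib/dpkg/info and use / as the root; a clean package prints only OK lines and exits 0.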