4

I am testing rkhunter on an Ubuntu 16.04 server in VirtualBox. I received an email alert from rkhunter on the 11th of October, inviting me to "Please inspect this machine, because it may be infected".

So I made a scan with rkhunter and found the following result:

$ sudo rkhunter -c --rwo
Warning: The file properties have changed:
         File: /usr/bin/curl
         Current hash: f025f2f2dca226c921b2b09da78b220656c098652d41c8654dc4853ff3fd1e5a
         Stored hash : cf846b7f3f11fc8af6cf79a2bbad3c8314eec72c1425b49bc9e34cf85a5090bb
         Current inode: 661569    Stored inode: 661888
         Current file modification time: 1507203916 (05-Oct-2017 13:45:16)
         Stored file modification time : 1478126766 (02-Nov-2016 23:46:06)

So I decided to check the curl package:

$ dpkg -S curl
$ echo $?
0

As you can see, nothing was reported. I read a discussion at serverfault where it was suggested to check if the hash change was due to an automatic security update. Checking /var/log/apt/history.log I noticed that there was an unattended-upgrade of curl on 2017-10-11. I wonder: why does rkhunter report 05 October as the file modification date when the upgrade was made on 11 October?

terdon
Asarluhi

1 Answer

4
sudo rkhunter --update --propupd

should be run after any apt upgrade, automatic or manual.

user1133275
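A defender's check for the warning in the question, added here and not part of the original post or of rkhunter: before refreshing rkhunter's property database with `--propupd`, confirm that the flagged file still matches the checksum dpkg shipped for it, which is what `dpkg -V curl` or `debsums curl` reports on the real system. The block reads the flagged path out of the rkhunter output quoted in the question and uses a constructed file plus a constructed md5sums entry so it runs offline; the `/var/lib/dpkg/info/<pkg>.md5sums` location and its `<md5>  <path without leading slash>` line format are dpkg's own conventions.

```python
import hashlib
import os
import re
import tempfile

# First lines of the rkhunter --rwo warning from the question (constructed copy).
SAMPLE_WARNING = "Warning: The file properties have changed:\n         File: /usr/bin/curl\n"

def flagged_files(rkhunter_output):
    """Paths named on the 'File:' lines of an rkhunter warning."""
    return re.findall(r"^\s*File:\s*(\S+)", rkhunter_output, re.M)

def packaged_md5(path, md5sums_text):
    """Look up a path in /var/lib/dpkg/info/<pkg>.md5sums text ('<md5>  <path>', no leading slash)."""
    rel = path.lstrip("/")
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == rel:
            return parts[0]
    return None

def file_md5(path):
    """MD5 of a file on disk, read in chunks (dpkg records MD5; rkhunter stores SHA-256)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(path, md5sums_text):
    """'package': file matches what dpkg installed, so only the rkhunter database is stale.
    'modified': file differs from the package. 'unknown': the package does not list it."""
    expected = packaged_md5(path, md5sums_text)
    if expected is None:
        return "unknown"
    return "package" if file_md5(path) == expected else "modified"

def demo():
    """Constructed scenario: a fake curl binary that matches its md5sums entry,
    then the same file after an out-of-band change."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "curl")
        with open(fake, "wb") as f:
            f.write(b"#!/bin/sh\necho fake curl\n")
        md5sums = file_md5(fake) + "  " + fake.lstrip("/") + "\n"   # constructed entry
        before = classify(fake, md5sums)
        with open(fake, "ab") as f:
            f.write(b"# tampered\n")
        after = classify(fake, md5sums)
    return before, after
```

dpkg restores each file's mtime from the .deb archive rather than stamping the install time, so a modification time of 5 October on a binary installed by the 11 October upgrade is expected; the checksum comparison, not the timestamp, decides whether the change came from the package.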