rkhunter says: Incorrect MD5 checksums

**macern** · 02-15-2007, 12:18 PM

Hello

I got my VPS little over a week ago, and one of the first things I installed was latest version of rkhunter.

Every scan since this says that I have 4 files with Incorrect MD5 checksums:

/bin/kill
/sbin/insmod
/sbin/lsmod
/sbin/modprobe

Support say this is because it's a VPS?

I have had a VPS with another company for almost 2 years running FC2 and rkhunter, never any "Incorrect MD5 checksums".
Before I got a VPS here, I tried another VPS with another company, with much the same specs as Jaguar with CentOS 4.4
There I also installed rkhunter and did not have any errors like this.

Any one else get the same errors on their VPS?

**Vin DSL** · 02-15-2007, 04:43 PM

Sounds like a cPanel/WHM thing to me...

Were you running them at your last ASP?

**macern** · 02-16-2007, 03:51 AM

Originally Posted by Vin DSL

Sounds like a cPanel/WHM thing to me...

Were you running them at your last ASP?

Can you please ask using different words?
You write ASP, I think Active Server Page or something like that which I'm not using

But I'm also a little concerned that support "just" made conclusion that this is a "VPS thing" without even checking anything.
I get mail if anyone logs in to SSH on my VPS, and no login was made when I opened ticket about this.

**Vin DSL** · 02-16-2007, 04:20 AM

Originally Posted by macern

Can you please ask using different words?
You write ASP, I think Active Server Page or something like that which I'm not using

Sorry about that...

I tend to use ISP (Internet Service Provider) when I'm talking about my ADSL carrier, and ASP (Application Service Provider) when I'm talking about web hosts.

I was guessing that this problem might have something to do with the cPanel/WHM software. You said rkhunter was working at your previous web host.

I was wondering if you were running cPanel/WHM at your previous VPS web host...

**macern** · 02-16-2007, 06:55 AM

Yes I have been running same version of WHM/cPanel on 3 different VPS from 3 different companies.

Only difference was hardware, and FC2 on one and CentOS 4.4 on two.
The other VPS running CentOS, same version as Jaguar, did not have any errors reported by rkhunter.

**JPC-Masood** · 02-16-2007, 08:42 AM

You may like to follow up with rkhunter developers for more information about the false positives.

**macern** · 02-16-2007, 10:01 AM

Originally Posted by masood

You may like to follow up with rkhunter developers for more information about the false positives.

Since support did nothing to check to see if this are false positives or not, I do not know if these are "false positives" as you say, so how can you say these are false, are you just assuming it?

I do not at this time have the "know how" on how to check if these are false positives or not"

**JPC-Masood** · 02-16-2007, 10:33 AM

Please pm with your ticket # and I can look into it.

**JPC-Masood** · 02-16-2007, 02:55 PM

Thank you for the pm and giving me the opportunity to look into it with more details.

I checked the md5 hash against the binaries distributed by CentOS and it matches with the file you have on the vps for

/bin/kill

So obviously rkhunter database is outdated for that.

And all these three

/sbin/insmod
/sbin/lsmod
/sbin/modprobe

are part of virtuozzo package and not of OS provided binaries so they should NOT match. I have updated the KB.

LinkBack

Thread Tools

Display

rkhunter says: Incorrect MD5 checksums

Bookmarks

Bookmarks

Posting Permissions