Rkhunter: File Properties Have Changed

This How To Fix Rkhunter: File Properties Have Changed will help you to get fixed or under control this warning. In this particular example, the warning is in relation to the curl package. The solution might applies to other packages too.

Rkhunter: The file properties have changed

Rkhunter: The file properties have changed

Index Of How To Fix Rkhunter: File Properties Have Changed

Background

Recently I have a received a new Rkhunter notification. Fixing it is actually quite simple, but I thought it maybe a good help to you too, hence I decided to write this how to. The environment used is Linux (4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64). 

Warning: The file properties have changed:
        File: /usr/bin/curl
        Current hash: f8f928a7c0230c61e6e8c00f4594a42e8de44476ceef37d095a223668765e09f
        Stored hash : c8612c63638287bd61ce28csedfdf3476a7716ae522fe7f04zjsdowkd816a4a878
        Current inode: 2406    Stored inode: 4190
        Current file modification time: 1682100497 (21-Apr-2023 20:08:17)
        Stored file modification time : 1677223501 (24-Feb-2023 08:25:01)

 

How To Fix Rkhunter: File Properties Have Changed

Double Check

Rkhunter is actually a great security software, as it would detect if for example cyber criminals make changes on your system. Same time, it could turn into alerts if automated software updates take place. The reason is, Rkhunter will observe that the hash value of a particular file changes due to an update. This turns into an alert. Therefore, let’s first check whether the alert above was caused by a software update. This you can do if you execute:

more /var/log/apt/history.log

The command will tell you the contend of the history file. In this case it was:

Start-Date: 2023-04-22  04:17:48
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: libcurl4:amd64 (7.64.0-4+deb10u5, 7.64.0-4+deb10u6), curl:amd64 (7.64.0-4+deb10u5, 7.64.0-4+deb10u6), libcurl3-gnutls:amd64 (7.64.0-4+deb10u5,
 7.64.0-4+deb10u6)
End-Date: 2023-04-22  04:17:49

As you can see in this file, an unattended upgrade was started. This upgrade (on the third line) included curl. Looking back at the Rkhunter warning (see chapter Background) we also see, that the alert is for curl. I would call this a full match – jackpot!

Basically, curl was updated by the automated software update. Rkhunter found out, that something with curl changed (the hash value do not match anymore). Therefore, Rkhunter notifies you about this issue.

If you have not found a software update being the root cause of changes, than you need to investigate further:

  • Have you made changes? Check if you can catch up / remember with changes that you or your colleagues made
  • Check other log files to find out whether changes were made

If you cannot explain the Rkhunter warning, than you should take action instead of ignoring it as indeed such a situation could be caused by cyber criminals doing some stuff on your system that you do not like.

Fix The Warning

To get rid of this error message, we need to update the Rkhunter database. This will turn into Rkhunter updating the hash values and by this not providing you with error messages again – unless other updates occur 😉

Execute the below command to update Rkhunter:

sudo rkhunter --update --propupd

Executing the command will turn into a result like this:

[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 181 files, found 144

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ Skipped ]
  Checking file i18n/de                                      [ Skipped ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ Skipped ]
  Checking file i18n/tr.utf8                                 [ Skipped ]
  Checking file i18n/zh                                      [ Skipped ]
  Checking file i18n/zh.utf8                                 [ Skipped ]
  Checking file i18n/ja                                      [ Skipped ]

Once done, check out whether there are still any other issues. You can you this by executing:

sudo rkhunter --check

As a result, and if fine, you should find many messages of OK or None found or Not found. This could look like the blow. Please note, this is just an extract, hence it is shortened and you maybe not fine everything.

[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
<.....>
Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
<.....>
System checks summary
=====================

File properties checks...
    Files checked: 144
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 498
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 3 minutes and 54 seconds

All results have been written to the log file: /var/log/rkhunter.log

No warnings were found while checking the system.

You would love to see the final message that is “No warnings were found while checking the system”

Additional Information

There are various sources in the internet that allow you to further deep dive into the rkhunter specifics. In the below you find some links that maybe help you:

Follow me

It would be amazing if you follow my myhowto.blog. To my blog is actually easy! You can leverage on

      • Click to follow me on Twitter
      • Bookmark this page and comeback from time to time

Help and Comments

I am really looking forward for you to contact me if for example you found a better option or other idea then in this how to. Also, please touch base if you found an error or anything not working or if you have something that you would love to be added to the myhowto.blog. Simply click this link to touch base with me.

Linking Or Recommending The How To Or The myhowto.blog

I would love to see you are recommending this how to or link it to your website. Also, I would love if you link or recommend the whole myhowto.blog. Please feel free to do so! In case you like to touch base regarding this topic with me, then simply click this link. I look forward!