This How To Fix Rkhunter: File Properties Have Changed will help you to get fixed or under control this warning. In this particular example, the warning is in relation to the curl package. The solution might applies to other packages too.
Index Of How To Fix Rkhunter: File Properties Have Changed
Background
Recently I have a received a new Rkhunter notification. Fixing it is actually quite simple, but I thought it maybe a good help to you too, hence I decided to write this how to. The environment used is Linux (4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64).
Warning: The file properties have changed: File: /usr/bin/curl Current hash: f8f928a7c0230c61e6e8c00f4594a42e8de44476ceef37d095a223668765e09f Stored hash : c8612c63638287bd61ce28csedfdf3476a7716ae522fe7f04zjsdowkd816a4a878 Current inode: 2406 Stored inode: 4190 Current file modification time: 1682100497 (21-Apr-2023 20:08:17) Stored file modification time : 1677223501 (24-Feb-2023 08:25:01)
How To Fix Rkhunter: File Properties Have Changed
Double Check
Rkhunter is actually a great security software, as it would detect if for example cyber criminals make changes on your system. Same time, it could turn into alerts if automated software updates take place. The reason is, Rkhunter will observe that the hash value of a particular file changes due to an update. This turns into an alert. Therefore, let’s first check whether the alert above was caused by a software update. This you can do if you execute:
more /var/log/apt/history.log
The command will tell you the contend of the history file. In this case it was:
Start-Date: 2023-04-22 04:17:48 Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true Upgrade: libcurl4:amd64 (7.64.0-4+deb10u5, 7.64.0-4+deb10u6), curl:amd64 (7.64.0-4+deb10u5, 7.64.0-4+deb10u6), libcurl3-gnutls:amd64 (7.64.0-4+deb10u5, 7.64.0-4+deb10u6) End-Date: 2023-04-22 04:17:49
As you can see in this file, an unattended upgrade was started. This upgrade (on the third line) included curl. Looking back at the Rkhunter warning (see chapter Background) we also see, that the alert is for curl. I would call this a full match – jackpot!
Basically, curl was updated by the automated software update. Rkhunter found out, that something with curl changed (the hash value do not match anymore). Therefore, Rkhunter notifies you about this issue.
If you have not found a software update being the root cause of changes, than you need to investigate further:
- Have you made changes? Check if you can catch up / remember with changes that you or your colleagues made
- Check other log files to find out whether changes were made
If you cannot explain the Rkhunter warning, than you should take action instead of ignoring it as indeed such a situation could be caused by cyber criminals doing some stuff on your system that you do not like.
Fix The Warning
To get rid of this error message, we need to update the Rkhunter database. This will turn into Rkhunter updating the hash values and by this not providing you with error messages again – unless other updates occur 😉
Execute the below command to update Rkhunter:
sudo rkhunter --update --propupd
Executing the command will turn into a result like this:
[ Rootkit Hunter version 1.4.6 ] File updated: searched for 181 files, found 144 Checking rkhunter data files... Checking file mirrors.dat [ No update ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ Skipped ] Checking file i18n/de [ Skipped ] Checking file i18n/en [ No update ] Checking file i18n/tr [ Skipped ] Checking file i18n/tr.utf8 [ Skipped ] Checking file i18n/zh [ Skipped ] Checking file i18n/zh.utf8 [ Skipped ] Checking file i18n/ja [ Skipped ]
Once done, check out whether there are still any other issues. You can you this by executing:
sudo rkhunter --check
As a result, and if fine, you should find many messages of OK or None found or Not found. This could look like the blow. Please note, this is just an extract, hence it is shortened and you maybe not fine everything.
[ Rootkit Hunter version 1.4.6 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chroot [ OK ] <.....> Checking for rootkits... Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] <.....> System checks summary ===================== File properties checks... Files checked: 144 Suspect files: 0 Rootkit checks... Rootkits checked : 498 Possible rootkits: 0 Applications checks... All checks skipped The system checks took: 3 minutes and 54 seconds All results have been written to the log file: /var/log/rkhunter.log No warnings were found while checking the system.
You would love to see the final message that is “No warnings were found while checking the system”
Additional Information
There are various sources in the internet that allow you to further deep dive into the rkhunter specifics. In the below you find some links that maybe help you:
- Rkhunter – How To Fix Rkhunter Warning
- Fix Rkhunter Error
- How To Fix Rkhunter sudo Warning
- Rkhunter Linux man page – man page including rkhunter description and command options
- Debian Linux rkhunter man page – specific Debian Linux man page about rkhunter
It would be amazing if you follow my myhowto.blog. To my blog is actually easy! You can leverage on
- Click to follow me on Twitter
- Bookmark this page and comeback from time to time
I am really looking forward for you to contact me if for example you found a better option or other idea then in this how to. Also, please touch base if you found an error or anything not working or if you have something that you would love to be added to the myhowto.blog. Simply click this link to touch base with me.
Linking Or Recommending The How To Or The myhowto.blog
I would love to see you are recommending this how to or link it to your website. Also, I would love if you link or recommend the whole myhowto.blog. Please feel free to do so! In case you like to touch base regarding this topic with me, then simply click this link. I look forward!