This how to helps you to learn to deal with rkhunter – Warning for /usr/bin/curl. In my case rkhunter reported a warning that said that file properties have for curl have changed.
rkhunter – Warning for /usr/bin/curl
Index Of How To rkhunter – Warning for /usr/bin/curl
Background
This how to assumes that you received a notification of suspect files by rkhunter or you found this in rkhunter‘s logfile. Typically this can happen, if you have installed an automated software update, but rkhunter did not update its database.
It’s actually correct, that rkhunter sends you an alert. Rkhunter searches for differences which it of course after a software update would find. So, it would not only find changes made by a cybercriminal, but also changes caused by a software update.
This How To helps you to find out whether a software update was the root cause for your warning for /usr/bin/curl
How To rkhunter Suspect Files Warning
Receiving rkhunter messages like the above is a typical scenario after for example Debian automatically updated the operating system. Nevertheless, since rkhunter is a key element of your cyber defence, you should better verify. To do so, this how to guides you thru an example how you can do this.
Check Logfiles
First of all, you like to check your logfile to find out whether indeed there was an operating systems update. Debian Linux auto updates are typically stored in the history.log. Simply read it and you will find out whether there was recently an update. Running the below command
more /var/log/apt/history.log
The outcome could for example look like this:
Start-Date: 2023-10-03 04:34:48 Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true Upgrade: exim4-base:amd64 (4.92-8+deb10u7, 4.92-8+deb10u8), exim4-daemon-light:amd64 (4.92-8+deb10u7, 4.92-8+deb10u8), exim4-config:amd64 (4.92-8+deb10 u7, 4.92-8+deb10u8) End-Date: 2023-10-03 04:34:53 Start-Date: 2023-10-04 04:51:19 Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true Upgrade: grub-common:amd64 (2.06-3~deb10u3, 2.06-3~deb10u4), grub2-common:amd64 (2.06-3~deb10u3, 2.06-3~deb10u4), grub-pc:amd64 (2.06-3~deb10u3, 2.06-3 ~deb10u4), grub-pc-bin:amd64 (2.06-3~deb10u3, 2.06-3~deb10u4) End-Date: 2023-10-04 04:51:26 Start-Date: 2023-10-06 04:47:17 Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true Upgrade: libx11-6:amd64 (2:1.6.7-1+deb10u3, 2:1.6.7-1+deb10u4), libx11-data:amd64 (2:1.6.7-1+deb10u3, 2:1.6.7-1+deb10u4), qemu-guest-agent:amd64 (1:3.1 +dfsg-8+deb10u10, 1:3.1+dfsg-8+deb10u11) End-Date: 2023-10-06 04:47:21 Start-Date: 2023-10-09 04:32:42 Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true Upgrade: python3-urllib3:amd64 (1.24.1-1, 1.24.1-1+deb10u1) End-Date: 2023-10-09 04:32:43 Start-Date: 2023-10-12 04:27:58 Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true Upgrade: libpython3.7-minimal:amd64 (3.7.3-2+deb10u5, 3.7.3-2+deb10u6), python3.7-venv:amd64 (3.7.3-2+deb10u5, 3.7.3-2+deb10u6), libcurl4:amd64 (7.64.0 -4+deb10u6, 7.64.0-4+deb10u7), python3.7:amd64 (3.7.3-2+deb10u5, 3.7.3-2+deb10u6), libpython3.7-stdlib:amd64 (3.7.3-2+deb10u5, 3.7.3-2+deb10u6), python 3.7-minimal:amd64 (3.7.3-2+deb10u5, 3.7.3-2+deb10u6), curl:amd64 (7.64.0-4+deb10u6, 7.64.0-4+deb10u7), libcurl3-gnutls:amd64 (7.64.0-4+deb10u6, 7.64.0- 4+deb10u7) End-Date: 2023-10-12 04:28:02
In the above, you can find indeed that curl (libcurl4:amd64 (7.64.0-4+deb10u6, 7.64.0-4+deb10u7)) was updated with the last update on 2023-10-12 04:28:02. This fits pretty well the date highlighted in the rkhunter warning.
With this information in hand, you are in a good position to compare now to rkhunter logs / email notification. Keep the window with this open move to the next chapter „Check rkhunter Log“.
Check rkhunter Log
Best is to open a new terminal window. This allows to compare the logs of the above and what is in the log of khunter. Run the following command:
cat /var/log/rkhunter.log | grep Warning
This should output something like the below:
[06:26:57] /usr/bin/curl [ Warning ]
Having this in hand now, you can compare the two logfiles for items that match.
Compare
The two above log files can now be compared. If you opened them in two different terminal windows, than this might be more easy. In the two above, as an example, its pretty easy to identify that for example „curl“ was updated. Looking into the rkhunter.log systemd can be found too. This is a good hit!
What does it mean? Basically, Debian has updated systemd and therefore most likely the hash value of the systemd file changed. rkhunter has found this out and prints a warning. This is perfect! If however you cannot find any indication of updates being made, than you potentially indeed have a security issue. In this case, you should more deep dive analyse your system!
Fix The rkhunter Warning for /usr/bin/curl
To fix the rkhunter Warning, you need to update the rkhunter database. I recommend to do this together with updating rkhunter itself. to do so, run the following command:
rkhunter --update --propupd
Additional Information
There are various sources in the internet that allow you to further deep dive into the rkhunter specifics. In the below you find some links that maybe help you:
- Rkhunter Linux man page – man page including rkhunter description and command options
- Debian Linux rkhunter man page – specific Debian Linux man page about rkhunter
It would be amazing if you follow my myhowto.blog. To my blog is actually easy! You can leverage on
- Click to follow me on Twitter
- Bookmark this page and comeback from time to time
I am really looking forward for you to contact me if for example you found a better option or other idea then in this how to. Also, please touch base if you found an error or anything not working or if you have something that you would love to be added to the myhowto.blog. Simply click this link to touch base with me.
Linking Or Recommending The How To Or The myhowto.blog
I would love to see you are recommending this how to or link it to your website. Also, I would love if you link or recommend the whole myhowto.blog. Please feel free to do so! In case you like to touch base regarding this topic with me, then simply click this link. I look forward!
