Bad checksum in rkhunter
laceupboots
07-28-2004, 10:15 PM
Hi there,
I ran rkhunter on my comp and it came back with a "bad" status on my /usr/bin/top command. I have run rkhunter before, though admittedly not as often as I should.
I have never used that command until today, when I was checking to see if the command worked, which it does. What does the "bad" status mean? How can I fix it? How did it occur, so that I can prevent it from occurring again?
TIA
laceupboots
bosox79
07-28-2004, 10:42 PM
What is the full message you are getting? Bad status...
laceupboots
07-29-2004, 12:05 AM
Here is the run I did. My bad, it's passwd that's bad, not top.
[vicki@girlpenguin files]$ su
Password:
[root@girlpenguin files]# ./rkhunter
Rootkit Hunter 1.0.9, Copyright 2003-2004, Michael Boelen
Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.
Valid parameters:
--checkall (-c) : Check system
--createlogfile* : Create logfile
--cronjob : Run as cronjob (removes colored layout)
--help (-h) : Show this help
--nocolors* : Don't use colors for output
--report-mode* : Don't show uninteresting information for reports
--skip-keypress* : Don't wait after every test (non-interactive)
--quick* : Perform quick scan (instead of full scan)
--version : Show version and quit
--versioncheck : Check for latest version
--bindir <bindir>* : Use <bindir> instead of using default binaries
--configfile <file>* : Use different configuration file
--dbdir <dir>* : Use <dbdir> as database directory
--rootdir <rootdir>* : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>* : Use <tempdir> as temporary directory
Explicit scan options:
--disable-md5-check* : Disable MD5 checks
--disable-passwd-check* : Disable passwd/group checks
--scan-knownbad-files* : Perform besides 'known good' check a 'known bad' check
Multiple parameters are allowed
*) Parameter can only be used with other parameters
[root@girlpenguin files]# ./rkhunter -c
Rootkit Hunter 1.0.9 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Performing 'known good' check...
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifstatus [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/id [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/head [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/login [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/passwd [ BAD ]
/usr/bin/top [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/who [ OK ]
[Press <ENTER> to continue]
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]
[Press <ENTER> to continue]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]
[Press <ENTER> to continue]
System checks
* Allround tests
Checking hostname... Found. Hostname is girlpenguin
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
..........
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
[Press <ENTER> to continue]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
* Check: Events and Logging
Search for syslog configuration... found
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 63
Incorrect MD5 checksums: 1
File scan
Scanned files: 307
Possible infected files: 0
Possible rootkits:
Scanning took 121 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
-----------------------------------------------------------------------
[root@girlpenguin files]#
bosox79
07-29-2004, 01:05 AM
Have you seen this: http://www.rootkit.nl/articles/rootkit_hunter_faq.html
It may shed some light on what to do. Maybe one of the JL networking gurus may have a more definitive answer.
laceupboots
07-29-2004, 01:17 AM
Yes I did check out that site before I posted. Thanks anyway. It says it might be a false positive. I was also thinking there might be a checksum update. I know I have run that command before and had no problems. I just don't want anything to be hiding in there. Has to be a reason that the checksum doesn't match. An added line, a subtracted line, or a changed line can all change the checksum.
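Added example, not from the thread and not rkhunter's own code: a small POSIX shell triage script for a BAD result like the one on /usr/bin/passwd above. It recomputes the MD5 the way rkhunter's 'known good' check does, against a hash list you supply (assumed to be in md5sum's "hash  path" format, built from a fresh install or from the vendor's package files on another machine), and then, because the system in the thread is rpm-based (chkconfig, /etc/rc.d/rc.sysinit), asks rpm which package owns the file, when that package was last installed, and whether the file still matches the package's stored digest. The script name, the hash-list path and the rpm-based assumption are mine.

```shell
#!/bin/sh
# triage_md5.sh (added example, not part of the original thread or of rkhunter)
# Re-check a binary that rkhunter flagged BAD and cross-check it with rpm.

# verify_md5 FILE DBFILE
#   DBFILE holds "<md5>  <absolute path>" lines (md5sum -c format, assumed).
#   Prints OK, BAD, UNKNOWN (no entry for FILE) or MISSING (no such file).
verify_md5() {
    file=$1
    db=$2
    [ -r "$file" ] || { echo MISSING; return 3; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    # exact match on the path field, so /usr/bin/passwd never matches /usr/bin/passwd.old
    expected=$(awk -v f="$file" '$2 == f { print $1; exit }' "$db")
    if [ -z "$expected" ]; then
        echo UNKNOWN
        return 2
    elif [ "$actual" = "$expected" ]; then
        echo OK
        return 0
    else
        echo BAD
        return 1
    fi
}

# package_check FILE
#   On an rpm-based system: which package owns FILE, when it was last
#   installed, FILE's ctime, and whether rpm's stored digest still matches.
#   rpm -V prints a line for a file only when something differs; a '5' in
#   that line means the digest changed. A BAD rkhunter result with a clean
#   rpm -V and a package install date right before the ctime points at a
#   vendor update that rkhunter's hash database does not know yet. A failing
#   rpm -V, or a new ctime with no matching package update, needs follow-up
#   from trusted media rather than from tools on the same box.
package_check() {
    file=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping package check"; return 2; }
    pkg=$(rpm -qf "$file" 2>/dev/null) || { echo "$file is not owned by any installed package"; return 1; }
    echo "owner: $pkg"
    rpm -q --last "$pkg"          # install date of the owning package
    ls -lc "$file"                # -c shows the inode change time (ctime)
    diffs=$(rpm -V "$pkg" | awk -v f="$file" '$NF == f')
    if [ -n "$diffs" ]; then
        echo "rpm -V differences: $diffs"
        return 1
    fi
    echo "rpm -V: $file matches its package"
    return 0
}

# Usage (as root): sh triage_md5.sh /usr/bin/passwd /root/known-good.md5
if [ $# -eq 2 ]; then
    verify_md5 "$1" "$2"
    package_check "$1"
fi
```

Two caveats. First, md5sum, awk and rpm live on the same machine as the flagged binary; a rootkit that replaced passwd may have replaced them too, and rkhunter's selftest above only covers strings, so a real verdict comes from booting trusted media or comparing against hashes taken from the vendor's package elsewhere. Second, MD5 is no longer collision-resistant, so a hash list you build today for this purpose should use SHA-256 (sha256sum has the same output format, so only the hashing command changes).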
bosox79
07-29-2004, 01:23 AM
You're right, there has to be a reason why you got the error you did. I just have not found it yet ;)