CountMurphy's questions -server

CountMurphy

Asked: 2012-03-22 15:07:40 +0800 CST

Rkhunter reports file properties have changed

I am running a fully updated LTS copy of Ubuntu server. Today I ran rkhunter (as I do from time to time). This is the output I got:

 Warning: The file properties have changed:
[15:52:25]          File: /bin/ps
[15:52:25]          Current hash: f22991ec93ae966c856d367f42fc3d8a484bd827
[15:52:25]          Stored hash : 1892268bf195ac118076b1b0f53e7a637eb6fbb3
[15:52:25]          Current inode: 142902    Stored inode: 130894
[15:52:25]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:25]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)



 Warning: The file properties have changed:
[15:52:33]          File: /usr/bin/ldd
[15:52:33]          Current hash: f1e2ca5aa3a28994e2cebb64c993a72b7d97b28c
[15:52:33]          Stored hash : 295d9cedb121a5e431a39a6d201ecd7ce5640497
[15:52:33]          Current inode: 2236210    Stored inode: 2234359
[15:52:33]          Current size: 5280    Stored size: 5279
[15:52:33]          Current file modification time: 1331165514 (07-Mar-2012 16:11:54)
[15:52:33]          Stored file modification time : 1295653965 (21-Jan-2011 15:52:45)



 Warning: The file properties have changed:
[15:52:37]          File: /usr/bin/pgrep
[15:52:37]          Current hash: 3eada9a96760f3e2c9111cfe32901d1432813c1d
[15:52:37]          Stored hash : ce265d0db9964b173fe5036f703a9b8d66e55df3
[15:52:37]          Current inode: 2229646    Stored inode: 2224867
[15:52:37]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:37]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)




Warning: The file properties have changed:
[15:52:41]          File: /usr/bin/top
[15:52:41]          Current hash: 6be13737d8b0950cea2f1ae3a46d4af713dbe971
[15:52:41]          Stored hash : c7b495ecef3982eeb6f08a511861b1a1ae8775e6
[15:52:41]          Current inode: 2229629    Stored inode: 2224862
[15:52:41]          Current file modification time: 1324307913 (19-Dec-2011 07:18:33)
[15:52:41]          Stored file modification time : 1260992081 (16-Dec-2009 11:34:41)



Warning: The file properties have changed:
[15:52:53]          File: /usr/sbin/cron
[15:52:53]          Current hash: e783ca973f970aa8a4bf5edc670e690b33914c3d
[15:52:53]          Stored hash : 4718257a8060736b9058aed025c992f02a74a5a7
[15:52:53]          Current inode: 2224719    Stored inode: 2228839
[15:52:54]          Current file modification time: 1330965568 (05-Mar-2012 08:39:28)

There were also a few other I left out. Has my server been rooted? I am running fail2ban and do monitor failed ssh logins. nothing has come up. Could someone compare these hashes to their copy of Ubuntu Server (lts)? Please tell me these are false positives.....

Edit:

This is a list of all the files with odd md5s:

kill
ps
ldd
pgrep
top
vmstat
w
watch
w.procps  
sysctl
cron

This doesn't look so good. I am going to create a vm with the same distro and update it, then run rkhunter again. If I was hacked, how on earth did they get in? SSH is on a nonstandard port, I'm running fail2ban and check the logs daily. I am running apache, but there is nothing www-data has write access to. I'm confused.

CountMurphy

Asked: 2012-03-18 12:20:44 +0800 CST

Have a legitimate ssl certificate, but I fail at installing it

I'm running an Ubuntu 10.04 LTS server that has been running Apache2 with a self signed certificate up until now. I finally purchased a real certificate but I can't manage to install it. I received three files from the provider:

AddTrustExternalCARoot.crt
mynewdomain_com.crt
PositiveSSLCA2.crt

Currently in my sites-enabled/ssl I have this for my self signed certificate:

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/cert.pem

So I googled how to convert crt files to pem and it just looks to be a concatination of all the crt files. This is the guide I found that mostly matched what I'm using (I am using namecheap for my DNS now). So I created my new pem file, and pointed my config at it. When I run

service apache2 restart

the daemon fails to start. I figured that I must have put the crts in the wrong order, but it still fails to start. What am I doing wrong? How can I use my new certificate?

As for Key files, I generated one called server.key (which was used to create my csr). It now resides in /etc/apache2/server.key

When starting apache I get these errors:

[Sat Mar 17 13:44:43 2012] [warn] RSA server certificate is a CA certificate  (BasicConstraints: CA == TRUE !?)
[Sat Mar 17 13:44:43 2012] [warn] RSA server certificate CommonName (CN) `PositiveSSL CA 2' does NOT match server name!?
[Sat Mar 17 13:44:43 2012] [error] Unable to configure RSA server private key
[Sat Mar 17 13:44:43 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Rkhunter reports file properties have changed

Have a legitimate ssl certificate, but I fail at installing it

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?