Home / ubuntu / Questions / 593240
Accepted
user364819
Asked: 2015-03-06 12:23:31 +0800 CST

rkhunter psswd and group file changes warning

  • 772

Today I did a scan of my machine with rkhunter:

sudo rkhunter --checkall

And these were the warnings that I got:

Checking for passwd file changes                         [ Warning ]
Checking for group file changes                          [ Warning ]

Is this anything to worry about? And if it is then how should I proceed?

OS Information:

Description:    Ubuntu 14.10
Release:    14.10
rootkit

1 Answers

  1. Best Answer

    You need to ask yourself:

    • did I add a user?
    • did I install software that might have added a user?

    Best method to use is to list the /etc/passwd file on your screen with

    more /etc/passwd

    and to check for unexpected usernames.

    These notices from rkhunter are more than likely caused by an out of date reference file. You might want to do a ... 

    sudo rkhunter --update
sudo rkhunter --propupd

    after you install new software. The 1st creates a new database reference file and the 2nd marks that reference file as a starting point.

    If a rootkit is found it is likely to throw more alarms than just a notice regarding /etc/passwd. That is just a file holding your "users" and it is not enough to start a rootkit.

    • 5