rkhunter update "*.dat" fails

Linux Kernel, Network, and Services configuration.
w4kh
Posts: 98
Joined: 2006-09-09 19:10
Location: Alabama, USA

#1 Post by w4kh

When I try to update the various .dat files that work with rkhunter (version 1.4.6) I see failures:

root@mysystem10:/# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Skipped ]
  Checking file programs_bad.dat                        [ Update failed ]
  Checking file backdoorports.dat                        [ Update failed ]
  Checking file suspscan.dat                              [ Update failed ]
  Checking file i18n versions                              [ Update failed ]

Please check the log file (/var/log/rkhunter.log)

The log entries are clear:

[12:25:18] Running Rootkit Hunter version 1.4.6 on mysystem10
[12:25:18]
[12:25:18] Info: Start date is Wed 27 May 2020 12:25:18 PM CDT
[12:25:18]
[12:25:18] Checking configuration file and command-line options...
[12:25:18] Info: Detected operating system is 'Linux'
[12:25:18] Info: Found O/S name: Debian GNU/Linux 10 (buster)
[12:25:18] Info: Command line is /usr/bin/rkhunter --update
[12:25:18] Info: Environment shell is /bin/bash; rkhunter is using dash
[12:25:18] Info: Using configuration file '/etc/rkhunter.conf'
[12:25:18] Info: Installation directory is '/usr'
[12:25:18] Info: Using language 'en'
[12:25:18] Info: Using '/var/lib/rkhunter/db' as the database directory
[12:25:18] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[12:25:18] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin' as the command directories
[12:25:18] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[12:25:18] Info: X will be automatically detected
[12:25:18] Info: Found the 'basename' command: /usr/bin/basename
[12:25:18] Info: Found the 'diff' command: /usr/bin/diff
[12:25:18] Info: Found the 'dirname' command: /usr/bin/dirname
[12:25:18] Info: Found the 'file' command: /usr/bin/file
[12:25:18] Info: Found the 'find' command: /usr/bin/find
[12:25:18] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
[12:25:18] Info: Found the 'ip' command: /usr/sbin/ip
[12:25:18] Info: Found the 'ipcs' command: /usr/bin/ipcs
[12:25:18] Info: Found the 'ldd' command: /usr/bin/ldd
[12:25:18] Info: Found the 'lsattr' command: /usr/bin/lsattr
[12:25:18] Info: Found the 'lsmod' command: /usr/sbin/lsmod
[12:25:18] Info: Found the 'lsof' command: /usr/bin/lsof
[12:25:18] Info: Found the 'mktemp' command: /usr/bin/mktemp
[12:25:18] Info: Found the 'netstat' command: /usr/bin/netstat
[12:25:18] Info: Found the 'numfmt' command: /usr/bin/numfmt
[12:25:18] Info: Found the 'perl' command: /usr/bin/perl
[12:25:18] Info: Found the 'pgrep' command: /usr/bin/pgrep
[12:25:18] Info: Found the 'ps' command: /usr/bin/ps
[12:25:18] Info: Found the 'pwd' command: /usr/bin/pwd
[12:25:18] Info: Found the 'readlink' command: /usr/bin/readlink
[12:25:18] Info: Found the 'stat' command: /usr/bin/stat
[12:25:18] Info: Found the 'strings' command: /usr/bin/strings
[12:25:18] Info: Found the 'wget' command: /usr/bin/wget
[12:25:18] Info: The mirrors file will be rotated
[12:25:18] Info: Only local mirrors will be used
[12:25:19] Info: The mirrors file will not be updated
[12:25:19] Info: Logging to log file: /var/log/rkhunter.log
[12:25:19] Info: Locking is not being used
[12:25:19]
[12:25:19] Checking rkhunter data files...
[12:25:19] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.upd.HgU0Ipfsw2'
[12:25:19] Checking file mirrors.dat                         [ Skipped ]
[12:25:19] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[12:25:19] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[12:25:19] Checking file programs_bad.dat                    [ Update failed ]
[12:25:19] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[12:25:19] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
[12:25:19] Checking file backdoorports.dat                   [ Update failed ]
[12:25:19] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[12:25:19] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
[12:25:19] Checking file suspscan.dat                        [ Update failed ]
[12:25:19] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[12:25:19] Checking file i18n versions                       [ Update failed ]
[12:25:19] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[12:25:19]
[12:25:19] Info: End date is Wed 27 May 2020 12:25:19 PM CDT

This is really frustrating, since the installed .dat files (e.g., programs_bad.dat) have version identification as the first line:

Version:2014042901
httpd: 1.3a1 1.3b1 1.3b3 1.3b4 1.3b5 1.3b6 1.3b7 1.3.0 1.3.1 1.3.2 1.3.3 1.3.4 1.3.6 1.3.9 1.3.10 1.3.11 1.3.12 1.3.14 1.3.17 1.3.19 1.3.20 1.3.21 1.3.22 1.3.23 1.3.24 1.3.25 1.3.26 1.3.27 1.3.28 1.3.29 1.3.30 1.3.31 1.3.32 1.3.33 1.3.34 1.3.35 1.3.36 1.3.37 1.3.39 1.3.40 2.0a1 2.0a2 2.0a3 2.0a4 2.0a5 2.0a6 2.0a7 2.0a8 2.0a9 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23 2.0.24 2.0.25 2.0.26 2.0.27 2.0.28 2.0.29 2.0.30 2.0.31 2.0.32 2.0.33 2.0.34 2.0.35 2.0.36 2.0.37 2.0.38 2.0.39 2.0.40 2.0.41 2.0.42 2.0.43 2.0.44 2.0.45 2.0.46 2.0.47 2.0.48 2.0.49 2.0.50 2.0.51 2.0.52 2.0.53 2.0.54 2.0.55 2.0.56 2.0.57 2.0.58 2.0.59 2.0.61 2.0.62 2.0.63 2.0.64 2.0.62 2.2.0 2.2.1 2.2.2 2.2.3 2.2.4 2.2.6 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.16 2.2.17 2.2.18 2.2.19 2.2.20 2.2.21 2.2.22 2.2.23 2.2.24 2.2.25 2.2.26 2.4.2 2.4.3 2.4.4 2.4.6 2.4.7

Clearly, I am missing something, but so far I have hit only a dead end, even when attempting a more "direct" method of updating the files:

root@mysystem10:/# apt reinstall rkhunter
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 256 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian buster/main amd64 rkhunter all 1.4.6-5 [256 kB]
Fetched 256 kB in 1s (469 kB/s)  
Preconfiguring packages ...
(Reading database ... 191614 files and directories currently installed.)
Preparing to unpack .../rkhunter_1.4.6-5_all.deb ...
Unpacking rkhunter (1.4.6-5) over (1.4.6-5) ...
Setting up rkhunter (1.4.6-5) ...
Processing triggers for man-db (2.8.5-2) ...

yielded no results or changes, and the timestamp on /usr/bin/rkhunter is the same as for most of the .dat files:

ls -l /usr/bin/rkhunter
-rwxr-xr-x 1 root root 575854 Mar  2  2019 /usr/bin/rkhunter

ls -l /var/lib/rkhunter/db/
total 84
-rw-r--r-- 1 root root  1055 Mar  2  2019 backdoorports.dat
drwxr-xr-x 2 root root  4096 May 27 12:23 i18n
-rw-r--r-- 1 root root    97 Mar  2  2019 mirrors.dat
-rw-r--r-- 1 root root  3605 Mar  2  2019 programs_bad.dat
-rw------- 1 root root 18653 May 27 11:51 rkhunter.dat
-rw------- 1 root root 18644 Apr  6 18:36 rkhunter.dat.old
-rw------- 1 root root 18167 May 27 11:51 rkhunter_prop_list.dat
drwxr-xr-x 2 root root  4096 May 27 12:23 signatures
-rw-r--r-- 1 root root  1904 Mar  2  2019 suspscan.dat

I am stumped... anyone with fresh eyes see what I am not seeing?

4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1
CPU: AMD FX(tm)-8350 Eight-Core Processor
RAM: 32GB (8x8GB) DDR3 DRAM
Video: GeForce 8400 GS to VIZIO E320VA Monitor
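
An added example, not part of the original post: a small triage function that reads an rkhunter log and separates "no mirror was eligible" from "a download was attempted and failed", using only message texts that appear in the log quoted above. The function names and output keys are hypothetical, and the sample input is a subset of the post's own log lines.

```shell
#!/bin/sh
# Added example: triage an `rkhunter --update` log using only message
# texts that appear in the post. Function names and output keys are made up.

# Reads a log on stdin; prints key=value findings, then a verdict line.
triage_update_log() {
    awk '
        /Info: Only local mirrors will be used/      { local_only = 1 }
        /Info: The mirrors file will not be updated/ { no_refresh = 1 }
        /Info: The mirrors file has no required mirrors in it:/ {
            empty = 1; mirrors_file = $NF      # path is the last field
        }
        /Warning: Download of .* failed:/ {
            # File name sits between the first pair of single quotes (\047).
            split($0, q, "\047")
            failed = failed (failed ? "," : "") q[2]
        }
        END {
            print "local_only=" (local_only ? "yes" : "no")
            print "mirrors_file_updates=" (no_refresh ? "disabled" : "not-reported")
            print "failed=" failed
            if (empty)       print "verdict=no-usable-mirror:" mirrors_file
            else if (failed) print "verdict=download-error"
            else             print "verdict=ok"
        }'
}

# Sample input: a subset of the log lines quoted in the post.
sample_log() {
    cat <<'EOF'
[12:25:18] Info: Only local mirrors will be used
[12:25:19] Info: The mirrors file will not be updated
[12:25:19] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[12:25:19] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[12:25:19] Checking file programs_bad.dat                    [ Update failed ]
[12:25:19] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
EOF
}

sample_log | triage_update_log
```

A `no-usable-mirror` verdict points at the mirror settings in /etc/rkhunter.conf (the MIRRORS_MODE and UPDATE_MIRRORS options) and at the contents of mirrors.dat, rather than at the .dat files being updated.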