Hi guys, i am using ubuntu 20.04 and ispconfig according the perfect server. i get a message from rkhunter as follows: Code: Warning: The file properties have changed: File: /usr/bin/bash Current hash: 025cf78cd9d276019e916b97b0decd10cacb14902db8eb9f28233019babfb331 Stored hash : 04a484f27a4b485b28451923605d9b528453d6c098a5a5112bec859fb5f2eea9 Current inode: 9437586 Stored inode: 9437561 Current file modification time: 1650273286 (18-Apr-2022 11:14:46) Stored file modification time : 1592495095 (18-Jun-2020 17:44:55) Warning: The file properties have changed: File: /usr/bin/sh Current hash: 025cf78cd9d276019e916b97b0decd10cacb14902db8eb9f28233019babfb331 Stored hash : 04a484f27a4b485b28451923605d9b528453d6c098a5a5112bec859fb5f2eea9 I want to check if the file which changed was changed during automatic updates i installed unattended-upgrades so the upgrades are done automatically. with the command: Code: less /var/log/apt/history.log i check if there was an automated update at that day but it was not the case. How can i find out if this was a regular update or if someone else changed this file? rkhunter --propupd is a solution but i want to know what did cause this change of the file to keep the server more secure. thanks in advance for your great help
The modification time is from a couple days ago, maybe it would be in /var/log/apt/history.1.gz or older? The hash itself does look to be correct (that, or your server and mine are both compromised Code: $sha256sum /bin/bash 025cf78cd9d276019e916b97b0decd10cacb14902db8eb9f28233019babfb331 /bin/bash