Score:2

"aureport -x --summary" shows -> /usr/sbin/sshd;61b30d72 (deleted)

On one of the machines running CentOS, i.e.

cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)

I found something strange with the command aureport -x --summary

 aureport -x --summary

Executable Summary Report
=================================
total  file
=================================
19328  /usr/bin/rpm
11802  /usr/sbin/crond
7713  /usr/sbin/sshd
4201  /usr/bin/grep
1564  /usr/libexec/postfix/pickup
1031  /usr/sbin/libvirtd
891  /usr/sbin/logrotate
866  /usr/sbin/unix_chkpwd
785  /usr/lib/systemd/systemd-logind
704  /usr/bin/ps
541  /usr/bin/su
302  /usr/bin/bash
295  /usr/sbin/xtables-multi
294  /usr/lib/systemd/systemd
222  /usr/bin/sudo
171  /usr/bin/id
135  /usr/bin/systemd-tmpfiles
66  /usr/bin/python2.7
48  /usr/bin/date
46  /usr/sbin/brctl
41  /usr/bin/ls
32  /usr/bin/ssh
31  /usr/bin/diff
30  /usr/sbin/sendmail.postfix
29  /usr/sbin/anacron
27  /usr/lib/polkit-1/polkitd
27  /usr/bin/pkla-check-authorization
24  /usr/libexec/postfix/cleanup
24  /usr/libexec/postfix/trivial-rewrite
24  /usr/libexec/postfix/local
20  /usr/sbin/virtlogd
18  /usr/sbin/postdrop
15  /usr/sbin/ebtables-restore
10  /usr/bin/kmod
6  /usr/bin/vim
6  /usr/libexec/postfix/master
5  /usr/sbin/sshd;61b30d72 (deleted)
4  /usr/bin/ssh-keygen
3  /usr/sbin/postfix
3  /usr/sbin/postlog
3  /usr/lib/systemd/systemd-update-utmp
3  /usr/sbin/autrace
2  /usr/bin/cpio
1  /usr/bin/getent
1  /usr/bin/chown
1  /usr/sbin/ip

What does "61b30d72 (deleted)" mean?

rkhunter does not show any warnings or suspect files! i.e.

rkhunter --update --propupd
[ Rootkit Hunter version 1.4.6 ]

and then

rkhunter -c -sk

!!!all green!!!

What does 61b30d72 mean?

Score:3
It means that the executable file /usr/sbin/sshd which the report line refers to has been deleted between the time of the audit log entry and the time of the report. The most probable cause is that it has been replaced by an update. This explanation is supported by the fact that there is another line /usr/sbin/sshd without the mention deleted which would refer to the updated executable which was present at the time the report was created.

Tito
Hello @Tilman Schmidt, thank you for your response. I was suspecting this reply; I wanted to make sure. The only thing that worries me in this case is that I have not made any updates and the server is not configured for automatic updates. I need to find out what is going on.
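
An added example, not part of the original thread: the script below pulls the ";xxxxxxxx (deleted)" entries out of an aureport -x --summary listing and decodes the suffix to a time that can be compared with the package history. It assumes the suffix is the hexadecimal transaction ID (a Unix timestamp) that rpm appends to a file's temporary name while unpacking a package; the sample lines are copied from the report in the question and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: ";xxxxxxxx" is the hex
# transaction ID (a Unix timestamp) rpm appends to temporary file names.

# Sample lines copied from the report in the question.
sample_report() {
    cat <<'EOF'
7713  /usr/sbin/sshd
6  /usr/libexec/postfix/master
5  /usr/sbin/sshd;61b30d72 (deleted)
4  /usr/bin/ssh-keygen
EOF
}

# stdin: `aureport -x --summary` output.
# stdout: "<events> <path> <epoch>" for every "path;hex (deleted)" entry.
deleted_exe_times() {
    sed -n 's|^ *\([0-9][0-9]*\)  *\(/[^;]*\);\([0-9a-fA-F]\{8\}\) (deleted)$|\1 \2 \3|p' |
    while read -r events path hex; do
        printf '%s %s %d\n' "$events" "$path" "0x$hex"
    done
}

# Render each decoded entry with a UTC time (falls back to the raw epoch
# where date(1) does not accept "-d @epoch").
describe() {
    while read -r events path epoch; do
        when=$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null) || when="epoch $epoch"
        echo "$path: $events audit events from a binary replaced around $when"
    done
}

sample_report | deleted_exe_times | describe
```

On the host itself, pipe the real report in (aureport -x --summary | deleted_exe_times | describe), compare the time with rpm -q --last openssh-server, and check the installed files with rpm -V openssh-server.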