Rkhunter reports file properties have changed

Solution 1:

From the timestamps it looks like you updated several programs built Dec-19th about 7:30.
Modification timestamps should be the build timestamps. It depends on how they get moved into place. Some programs are linked to through /etc/alternatives, and the symbolic links will have the timestamp of the install.This could be an automatic security update.

Check Check your /var/log/apt/history.log file from then. It is likely compressed and rotated, but can be read with zless. If you use aptitude to do your updates, check its log/var/log/aptitude.log`. Many packages have md5sums that can be used to verify that the files they contain haven't been modified. It is safest to run statically linked tools from a read-only media which contains the comparison checksums. However, if you don't think the md5 toolchain is compromised you can use the local files.

Programs like rkhunter usually require a switch to enable updating their database of checksums. You may want to run the program before running updates, and then again after the updates with the switch to capture the changed hash codes.

Solution 2:

Well, if your system was compromised then you couldn't trust your logs anyway.

If you haven't run rkhunter since 2009 and you have updated your system, then these might be false positives. Otherwise it's time to take a good look at your backups.

Solution 3:

you need to run

sudo rkhunter --update --propupd

after any manual or automatic upgrade. I took it from here :

I took it from here and worked perfectly for me.

All the best!