[Rkhunter-users] false positive
Hello rkhunter team! I'd like to report a false positive while using firejail. This may help users using similar configurations who run into this problem rule out a false positive. I'm using a debian based distro (Parrot OS) running the latest rkhunter and firejail. firejail version 0.9.64.4 This needs the hardened ping profile. (ping-hardened.inc.profile ping.profile), and symlinks up (sudo firecfg). Run rkhunter -c -sk Rootkit checks... Rootkits checked : 477 Possible rootkits: 7 Rootkit names : Ping Rootkit or other backdoor Warning: Checking for possible rootkit strings [ Warning ] Found string '/bin/bash' in file '/usr/local/bin/ping'. Possible rootkit: Ping Rootkit or other backdoor After reviewing the problem and checking multiple other computers with the same config and unrelated to my setup, I was able to rule it out as a false positive. I reviewed another computer which is also a personal laptop running Parrot OS. The same possible rootkit appeared. I did much research and couldn't find a bug anywhere or information on the rootkit directly. After purging firejail and reinstalling profiles and the software itself the warning was gone (as the symlinks were gone) I used a friend's system who is unrelated to my network and who I seldom share any information with. He also uses Parrot OS as a desktop distro (no ports with services facing the web directly). He had firejail installed, same version (0.9.64.4), and he also had the ping hardened profile included in /etc/firejail but had not run sudo firecfg after installing the software a few months back. He ran rkhunter -c -sk and the following came out: Rootkit checks... Rootkits checked : 477 Possible rootkits: 6 (all of which are confirmed false positives) I also wrote firejail devs about the issue: https://github.com/netblue30/firejail/issues/5236 where further details may be seen. They also ruled it out as a false positive. I hope this helps other users who run into this issue find answers on the issue. There are some false positives arising from firejail which are nothing to worry about. thank you all! -- pgpPzD0n46Vww.pgp Description: OpenPGP digital signature ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False positive due to prelink
Hi, John. Thanks for the response. I am using prelink, so removing the cache file is a no-go. However, I edited /etc/sysconfig/prelink, as follows: # Set this to no to disable prelinking altogether # (if you change this from yes to no prelink -ua # will be run next night to undo prelinking) PRELINKING=yes <-- changed from no to yes # Options to pass to prelink # -mTry to conserve virtual memory by allowing overlapping # assigned virtual memory slots for libraries which # never appear together in one binary # -RRandomize virtual memory slot assignments for libraries. # This makes it slightly harder for various buffer overflow # attacks, since library addresses will be different on each # host using -R. PRELINK_OPTS=-mR # How often should full prelink be run (in days) # Normally, prelink will be run in quick mode, every # $PRELINK_FULL_TIME_INTERVAL days it will be run # in normal mode. Comment it out if it should be run # in normal mode always. #PRELINK_FULL_TIME_INTERVAL=14<-- commented out # How often should prelink run (in days) even if # no packages have been upgraded via rpm. # If $PRELINK_FULL_TIME_INTERVAL days have not elapsed # yet since last normal mode prelinking, last # quick mode prelinking happened less than # $PRELINK_NONRPM_CHECK_INTERVAL days ago # and no packages have been upgraded by rpm # since last quick mode prelinking, prelink # will not do anything. # Change to # PRELINK_NONRPM_CHECK_INTERVAL=0 # if you want to disable the rpm database timestamp # check (especially if you don't use rpm/up2date/yum/apt-rpm # exclusively to upgrade system libraries and/or binaries). #PRELINK_NONRPM_CHECK_INTERVAL=7 <-- commented out That seemed to fix the problem. Funny, though, that on CentOS 6 systems, only the first directive is set to yes, and those directives I commented out in the CentOS 7 systems are uncommented in the 6 systems. Might be something special I did to the 7 systems to make RKH act as it did. Or not. Best, Dimitri -Original Message- From: John Horne [mailto:john.ho...@plymouth.ac.uk] Sent: Monday, October 02, 2017 6:11 PM To: rkhunter-users@lists.sourceforge.net Subject: Re: [Rkhunter-users] False positive due to prelink On Mon, 2017-10-02 at 14:01 +, Dimitri Yioulos wrote: > Thank you for the response. Yes, of course, I'm familiar with -- > propupd. However, I run rkhunter via a cron job every hour (0 * * * * > /bin/rkhunter --cronjob --rwo --noappend-log). Having to run > --propupd prior to it, or any time I do a check when no system changes > have been made, doesn't make sense to me. I've gone through > /etc/sysconfig/prelink, and changed some settings there, and will see > if they make a difference. But, I don't recall having had to do that when I > was running RKhunter version 1.4.2. > Check your /etc directory to see if you have anything left relating to prelink. In particular a prelink.cache file. If you are not using prelink, then delete the cache file. John. > > -Original Message- > From: ellanios82 [mailto:ellanio...@gmail.com] > Sent: Monday, October 02, 2017 9:50 AM > To: rkhunter-users@lists.sourceforge.net > Subject: Re: [Rkhunter-users] False positive due to prelink > > On 02/10/17 16:17, Dimitri Yioulos wrote: > > > > [09:00:03]You may need to re-run rkhunter with the '--propupd' option. > > > > As I recall, I didn't get this error with version 1.4.2.Any idea > > what I need to do to get this resolved? > > > > as root , run : > > > # rkhunter --propupd > > > regards > > > > -- > - > --- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > ___ > Rkhunter-users mailing list > Rkhunter-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/rkhunter-users > > -- > - > --- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > ___ > Rkhunter-users mailing list > Rkhunter-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/rkhunter-users -- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK [http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass> This email
Re: [Rkhunter-users] False positive due to prelink
On Mon, 2017-10-02 at 14:01 +, Dimitri Yioulos wrote: > Thank you for the response. Yes, of course, I'm familiar with -- > propupd. However, I run rkhunter via a cron job every hour (0 * * * * > /bin/rkhunter --cronjob --rwo --noappend-log). Having to run --propupd prior > to it, or any time I do a check when no system changes have been made, > doesn't make sense to me. I've gone through /etc/sysconfig/prelink, and > changed some settings there, and will see if they make a difference. But, I > don't recall having had to do that when I was running RKhunter version 1.4.2. > Check your /etc directory to see if you have anything left relating to prelink. In particular a prelink.cache file. If you are not using prelink, then delete the cache file. John. > > -Original Message- > From: ellanios82 [mailto:ellanio...@gmail.com] > Sent: Monday, October 02, 2017 9:50 AM > To: rkhunter-users@lists.sourceforge.net > Subject: Re: [Rkhunter-users] False positive due to prelink > > On 02/10/17 16:17, Dimitri Yioulos wrote: > > > > [09:00:03]You may need to re-run rkhunter with the '--propupd' option. > > > > As I recall, I didn't get this error with version 1.4.2.Any idea what > > I need to do to get this resolved? > > > > as root , run : > > > # rkhunter --propupd > > > regards > > > > --- > --- > Check out the vibrant tech community on one of the world's most engaging tech > sites, Slashdot.org! http://sdm.link/slashdot > ___ > Rkhunter-users mailing list > Rkhunter-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/rkhunter-users > > --- > --- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > ___ > Rkhunter-users mailing list > Rkhunter-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/rkhunter-users -- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK [http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass> This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, Plymouth University accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. Plymouth University does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False positive due to prelink
Thank you for the response. Yes, of course, I'm familiar with --propupd. However, I run rkhunter via a cron job every hour (0 * * * * /bin/rkhunter --cronjob --rwo --noappend-log). Having to run --propupd prior to it, or any time I do a check when no system changes have been made, doesn't make sense to me. I've gone through /etc/sysconfig/prelink, and changed some settings there, and will see if they make a difference. But, I don't recall having had to do that when I was running RKhunter version 1.4.2. -Original Message- From: ellanios82 [mailto:ellanio...@gmail.com] Sent: Monday, October 02, 2017 9:50 AM To: rkhunter-users@lists.sourceforge.net Subject: Re: [Rkhunter-users] False positive due to prelink On 02/10/17 16:17, Dimitri Yioulos wrote: > > [09:00:03]You may need to re-run rkhunter with the '--propupd' option. > > As I recall, I didn't get this error with version 1.4.2.Any idea what > I need to do to get this resolved? > as root , run : # rkhunter --propupd regards -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False positive due to prelink
On 02/10/17 16:17, Dimitri Yioulos wrote: [09:00:03]You may need to re-run rkhunter with the '--propupd' option. As I recall, I didn’t get this error with version 1.4.2.Any idea what I need to do to get this resolved? as root , run : # rkhunter --propupd regards -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
[Rkhunter-users] False positive due to prelink
Hello, all. I've upgraded to RKhunter 1.4.4 on a couple of CentOS 7 servers, and am getting the following warning: [09:00:03] Warning: The system has changed to using prelinking since the last run. [09:00:03] Because of the change(s) the file properties checks may give some false-positive results. [09:00:03] You may need to re-run rkhunter with the '--propupd' option. As I recall, I didn't get this error with version 1.4.2. Any idea what I need to do to get this resolved? With thanks. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False positive - Required commands check failed
On Thu, 18 Sep 2014 10:24:20 John Horne wrote: On Thu, 2014-09-18 at 09:05 +1000, Paul Colquhoun wrote: I'm running rkhunter 1.4.2 on a 64bit Gentoo linux installation. On every run, I am getting a summary like the one below: -- [17:12:37] Performing file properties checks [17:12:37] Warning: Checking for prerequisites [ Warning ] [17:12:37] No output from the 'lsattr' command - all file immutable-bit checks will be skipped. It refers to this. It is saying that you have the lsattr command available but it is giving no output. Disable the immutable check. That should stop the warnings. Thanks for that. I managed to fix the no output problem from the other end, by finding the (undocumented in the man page) attrs mount option for reiserfs that turns on support for attributes. -- Reverend Paul Colquhoun, ULC. http://andor.dropbear.id.au/ Asking for technical help in newsgroups? Read this first: http://catb.org/~esr/faqs/smart-questions.html#intro -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False positive - Required commands check failed
On Thu, 2014-09-18 at 09:05 +1000, Paul Colquhoun wrote: I'm running rkhunter 1.4.2 on a 64bit Gentoo linux installation. On every run, I am getting a summary like the one below: -- [17:12:37] Performing file properties checks [17:12:37] Warning: Checking for prerequisites [ Warning ] [17:12:37] No output from the 'lsattr' command - all file immutable-bit checks will be skipped. It refers to this. It is saying that you have the lsattr command available but it is giving no output. Disable the immutable check. That should stop the warnings. John. -- John Horne Tel: +44 (0)1752 587287 Plymouth University, UK -- Want excitement? Manually upgrade your production database. When you want reliability, choose Perforce Perforce version control. Predictably reliable. http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False Positive
Hello Al, On Sat, 22 Mar 2014 01:02:13 +0100 Al Varnell alvarn...@mac.com wrote: I’m getting what I believe to be a False Positive with the OS X version of Macs Fan Control http://www.crystalidea.com/macs-fan-control. The specific file is located at: Macs Fan Control.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore RKH_libkeyutils.so.1.9-v1 FOUND From looking at the strings in the file and the signature it would appear that embedded words in the file match sub signatures 6, 7 8. Please note the sigs are prone to have false positives. They should only be run against specific targets if other attributes (hash, MAC times, size, log alerts, adjacent files) warrant it. It's more of a second opinion thing and not something to just run indiscriminately against file system contents as part of a regular check. Other than that it's good to remain vigilant but I haven't encountered a libkeyutils.so situation with Mac OS X yet. Finally: thanks, as I haven't had the chance to run those sigs against Mac OS X. Regards, unSpawn --- -- Learn Graph Databases - Download FREE O'Reilly Book Graph Databases is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
[Rkhunter-users] False Positive
I’m getting what I believe to be a False Positive with the OS X version of Macs Fan Control http://www.crystalidea.com/macs-fan-control. The specific file is located at: Macs Fan Control.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore RKH_libkeyutils.so.1.9-v1 FOUND From looking at the strings in the file and the signature it would appear that embedded words in the file match sub signatures 6, 7 8. -Al- -- Al Varnell Mountain View, CA -- Learn Graph Databases - Download FREE O'Reilly Book Graph Databases is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
[Rkhunter-users] False positive?
I believe I am getting a false positive on /etc/init.d/hdparm. I reinstalled hdparm to ensure that the file was factory standard. I am running a very old Dapper server using the rkhunter deb from Debian unstable. I have posted to log file at: http://pastebin.com/m50ee61a9 -- Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] False positive results on a rkhunter scan
On Tue, 2009-04-28 at 08:55 +0200, stephan.tig...@materna.de wrote: I've got a false positive here: * Filesystem checks Checking /dev for suspicious files... [ OK ] Scanning for hidden files... [ Warning! ] --- It's a very old version of rkhunter. I would suggest you upgrade first of all. John. -- --- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 E-mail: john.ho...@plymouth.ac.uk Fax: +44 (0)1752 587001 -- Register Now Save for Velocity, the Web Performance Operations Conference from O'Reilly Media. Velocity features a full day of expert-led, hands-on workshops and two days of sessions from industry leaders in dedicated Performance Operations tracks. Use code vel09scf and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
[Rkhunter-users] False Positive?
Hi there, while browsing the daily logs of my rkhunter-instance I stumbled upon this: -- begin log Warning: The file properties have changed: File: /bin/dmesg Current inode: 146150Stored inode: 146034 Current file modification time: 1195526070 Stored file modification time : 1192939733 Warning: The file properties have changed: File: /bin/login Current hash: 3628610ea3ec95b3f78176e7f3343e9173bc6c0a Stored hash : 96114ce4d499d9bcafa25c91657739fd52eacba3 Current inode: 146042Stored inode: 146053 Current size: 32196Stored size: 35204 Current file modification time: 1193769151 Stored file modification time : 1182535836 Warning: The file properties have changed: File: /bin/more Current inode: 146152Stored inode: 146036 Current file modification time: 1195526070 Stored file modification time : 1192939733 Warning: The file properties have changed: File: /bin/mount Current hash: 78fd75d183f846b030be0c3749117347c5710baa Stored hash : 4ef6e1f19cf7d65b0fe88b6b76c80a687f6c6764 Current inode: 146040Stored inode: 146044 Current size: 62256Stored size: 62224 Current file modification time: 1195526071 Stored file modification time : 1192939733 Warning: The file properties have changed: File: /bin/su Current hash: 876e222be3c2c8e4de7c7f1665ac1c4a236d0ead Stored hash : 1ec1b62bc0046bb82fab7c6d8ef5c8128363418a Current inode: 146043Stored inode: 146054 Current size: 25284Stored size: 27044 Current file modification time: 1193769151 Stored file modification time : 1182535837 Warning: The file properties have changed: File: /bin/which Current inode: 146036Stored inode: 146040 Current file modification time: 1195660549 Stored file modification time : 1192986014 Warning: The file properties have changed: File: /usr/bin/curl Current hash: 2eb2369f0f38f55d1ca4eef219923cd90155037d Stored hash : 828d3b67256fcc5eaa716858da125661eadf6e1a Current inode: 536193Stored inode: 535599 Current size: 98328Stored size: 98232 Current file modification time: 1194056128 Stored file modification time : 1189788713 Warning: The file properties have changed: File: /usr/bin/dpkg Current hash: 165507d35c32864252f82d477720295e8df5799f Stored hash : 442738ab55e2a25aeb82131ee72e7463c97a6892 Current inode: 535522Stored inode: 535702 Current file modification time: 1195536203 Stored file modification time : 1191819257 Warning: The file properties have changed: File: /usr/bin/dpkg-query Current inode: 535545Stored inode: 535749 Current file modification time: 1195536203 Stored file modification time : 1191819257 Warning: The file properties have changed: File: /usr/bin/killall Current hash: 185d67c0fe922902ec8f88b5a6b092573f32f7aa Stored hash : f0067a074d32964abb82f576e9332479d363896d Current inode: 535838Stored inode: 536976 Current size: 14404Stored size: 14360 Current file modification time: 1194161322 Stored file modification time : 1177330483 Warning: The file properties have changed: File: /usr/bin/lastlog Current hash: fc8f8520c08d2f268351456988cb8fae66bc3f78 Stored hash : b3bdc96a573ae6fabb4498735796d945a505c1b2 Current inode: 536445Stored inode: 535745 Current size: 6088Stored size: 6120 Current file modification time: 1193769151 Stored file modification time : 1182535836 Warning: The file properties have changed: File: /usr/bin/logger Current inode: 536292Stored inode: 535755 Current file modification time: 1195526071 Stored file modification time : 1192939733 Warning: The file properties have changed: File: /usr/bin/newgrp Current hash: 2caa870921de7e0742e5b9b99003fdb94635cebd Stored hash : b40f75996534f63a6ac20bcf6aa0fe9a133dbfd3 Current inode: 536446Stored inode: 535981 Current size: 18916Stored size: 20196 Current file modification time: 1193769151 Stored file modification time : 1182535836 Warning: The file properties have changed: File: /usr/bin/passwd Current hash: fcacf1c9f00e9436db1cb012a518cb284fcf2af9 Stored hash : 99ae9ef0c57f65ef87b20dce84d2e025ed20d736 Current inode: 536450Stored inode: 538605 Current file modification time: 1193769136 Stored file modification time : 1182535832 Warning: The file properties have changed: File: /usr/bin/perl Current hash: 5fcb98f27869caf54f13a686a681cbbaf0f304e5 Stored
Re: [Rkhunter-users] False Positive?
On Mon, 2007-11-26 at 09:54 +0100, Nicolas Dorwig wrote: I'm running Debain/unstable, and have updated my the rkhunter-signatures and hashes with rkhunter --update. My system is completely updated, no pending updates from apt. Are there still any files in unstable for which rkhunter does not have the correct hashes? RKH doesn't work like that. Read the man page for rkhunter. The '--update' option is only used to update some small data files. It has nothing to do with hashes. You need to run 'rkhunter --propupd'. Again read the man page, FAQ and Changelog about using '--propupd', and how rkhunter has changed from previous versions. John. -- --- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 233839 - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] false positive portsentry port 2001
On Thu, 2007-08-30 at 15:14 +0200, Bert Taanstra wrote: rkhunter 1.2.9-5 Ubuntu Gutsy gives a false positive port 2001: scalper rootkit if portsentry 1.2-11.1 is installed. Hi, Yes, I've had similar problems with FP reports of ports being used. The next release (1.3.0) has methods of whitelisting ports that are known to be in use, or ports (which may vary) that are in use by a known process (requires lsof for this). I would suggest either waiting for the full release or test the beta, or CVS, version. John. -- --- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 233839 - This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now http://get.splunk.com/ ___ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users