On Thu, 2007-07-12 at 23:15 +0100, Bruno Miguel wrote:
> Hi, I made a scan with rkhunter, using the parameters "-c
> --scan-knownbad-files --check-listen --check-deleted --createlogfile"
> and got these two strange results:
>
> Checking network interfaces (promiscuous mode)... [ OK ]
> Performed successful test with `ip`
> Checking for packet capturing applications... Warning
> Warning! Process /sbin/dhclient3 (8164) listening
>
> Checking processes for deleted files... [ BAD ]
> Warning! Process /sbin/init (1) used deleted file /dev/console
>
> I have no idea why these warnings appear.
>
Because you specified '--check-listen --check-deleted'. These tests are not enabled by default because they can give false-positive results.

The first warning indicates that the dhclient3 process is listening on your network interface. Something listening on an interface is able to interrogate the packets passing before it - hence it could see any plain-text usernames, passwords, etc, etc. You can whitelist known processes in your rkhunter.conf configuration file (look for ALLOWPROCLISTEN).

The second warning indicates that your init process is attempting to use a file which doesn't exist ('/dev/console'). My own Ubuntu system shows the same thing, but I'm not sure why because '/dev/console' does exist. Again, you can whitelist these processes in rkhunter.conf (look for ALLOWPROCDELFILE).

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
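
A way to cross-check the second warning by hand before whitelisting anything, as an added example (not part of the original email and not rkhunter's own test): on Linux, the link target of an open descriptor under /proc/<pid>/fd ends in " (deleted)" when the file has been unlinked. The function name `deleted_fds` and its optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not rkhunter code: list open file descriptors whose target
# the kernel reports as unlinked.

# deleted_fds [PROC_ROOT]
# Prints one tab-separated line per hit: pid, executable, fd number, path.
# PROC_ROOT defaults to /proc; the parameter is an assumption of this
# example so the function can be pointed at a constructed test tree.
deleted_fds() {
    proc_root=${1:-/proc}
    suffix=' (deleted)'
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir/fd" ] || continue
        pid=${pid_dir##*/}
        # exe is unreadable without root and absent for kernel threads
        exe=$(readlink "$pid_dir/exe" 2>/dev/null) || exe="?"
        for fd in "$pid_dir"/fd/*; do
            # the descriptor may close between the glob and the readlink
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                *"$suffix")
                    printf '%s\t%s\t%s\t%s\n' \
                        "$pid" "$exe" "${fd##*/}" "${target%"$suffix"}"
                    ;;
            esac
        done
    done
}

# Scan the live system only when asked to: sh deleted_fds.sh --scan
# (run as root to see descriptors of other users' processes)
if [ "${1:-}" = "--scan" ]; then
    deleted_fds /proc
fi
```

A hit for the process and path named in the rkhunter warning confirms what the tool saw; comparing the inode of the open descriptor with the path currently on disk shows whether the file was replaced after the process opened it.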