John,

----- Original Message ----- 
From: "John Horne" <[EMAIL PROTECTED]>
To: "RkhunerList" <rkhunter-users@lists.sourceforge.net>
Sent: Thursday, September 27, 2007 10:13 AM
Subject: Re: [Rkhunter-users] Another Warnings question


> On Thu, 2007-09-27 at 09:55 -0500, Mike Blezien wrote:
>> John,
>>
>> ----- Original Message ----- 
>> From: "John Horne" <[EMAIL PROTECTED]>
>> To: "RkhunerList" <rkhunter-users@lists.sourceforge.net>
>> Sent: Thursday, September 27, 2007 9:10 AM
>> Subject: Re: [Rkhunter-users] Another Warnings question
>>
>>
>> > On Thu, 2007-09-27 at 07:06 -0500, Mike Blezien wrote:
>> >> Warning: The following processes are using deleted files:
>> > [snipped]
>> >>          Process: /usr/local/apache/bin/httpd    PID: 12461    File: /tmp/ZCUDfKYmV3
>> >>          Process: /usr/bin/perl    PID: 29438    File: /tmp/ZCUDfKYmV3
>> >> =============================================================================
>> >>
>> >> What does this actually indicate and how can it be corrected or ignored?
>> >>
>> > This is from the 'deleted_files' test, which is disabled by default
>> > because it may give false-positive results.
>> >
>> > The result is saying that the system reports the
>> > processes, /usr/local/apache/bin/httpd and /usr/bin/perl, have file
>> > descriptors open for files which no longer exist, which is suspicious.
>> >
>> > Look for ALLOWPROCDELFILE in the config file to see about whitelisting.
>>
>> This is what is in the conf file:
>>
>> ENABLE_TESTS="all"
>> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
>>
>> The deleted_files test is disabled, but it's still being tested. Do I need to
>> change something else?
>>
> Can you look in the log file for the lines containing:
>
>   Info: Enabled tests are:
>   Info: Disabled tests are:
>
> They will indicate which tests are enabled or disabled.

This is what was in the current rkhunter.log:

Info: Enabled tests are: all
Info: Disabled tests are: apps suspscan deleted_files

Mike
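
The condition the 'deleted_files' warning describes (a process holding an open file descriptor to a file that no longer exists) can be checked by hand on Linux. The function below is an added example, not part of this thread and not rkhunter's own code: it reads `/proc` directly and prints lines in the same shape as the warning. `PROC_ROOT` is a hypothetical override so the function can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example: list processes holding file descriptors to deleted files.
# Linux only. PROC_ROOT is a hypothetical override (default /proc).

# list_deleted_fds [PID...]
# With no arguments, every numeric directory under PROC_ROOT is scanned.
# Output: "Process: <exe>    PID: <pid>    File: <path>", one line per hit.
list_deleted_fds() {
    root=${PROC_ROOT:-/proc}
    if [ "$#" -eq 0 ]; then
        set -- $(cd "$root" 2>/dev/null && ls -d [0-9]* 2>/dev/null)
    fi
    for pid in "$@"; do
        [ -d "$root/$pid/fd" ] || continue
        # exe is unreadable for other users' processes unless run as root.
        exe=$(readlink "$root/$pid/exe" 2>/dev/null) || exe="(unknown)"
        for fd in "$root/$pid/fd"/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                # Anonymous memfd files always carry the suffix; skip them.
                /memfd:*) ;;
                # The kernel appends " (deleted)" to an unlinked file's path.
                /*" (deleted)")
                    printf 'Process: %s    PID: %s    File: %s\n' \
                        "$exe" "$pid" "${target% (deleted)}"
                    ;;
            esac
        done
    done
}

# Usage: list_deleted_fds            (all processes; run as root for full view)
#        list_deleted_fds 12461      (one PID)
```

Temporary files that a program unlinks while still using them show up here too, which is the kind of false positive the test is disabled for by default.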


