On Thu, 2007-09-27 at 10:46 -0500, Mike Blezien wrote:
> John,
> 
> ----- Original Message ----- 
> From: "John Horne" <[EMAIL PROTECTED]>
> To: "RkhunerList" <rkhunter-users@lists.sourceforge.net>
> Sent: Thursday, September 27, 2007 10:13 AM
> Subject: Re: [Rkhunter-users] Another Warnings question
> 
> 
> > On Thu, 2007-09-27 at 09:55 -0500, Mike Blezien wrote:
> >> John,
> >>
> >> ----- Original Message ----- 
> >> From: "John Horne" <[EMAIL PROTECTED]>
> >> To: "RkhunerList" <rkhunter-users@lists.sourceforge.net>
> >> Sent: Thursday, September 27, 2007 9:10 AM
> >> Subject: Re: [Rkhunter-users] Another Warnings question
> >>
> >>
> >> > On Thu, 2007-09-27 at 07:06 -0500, Mike Blezien wrote:
> >> >> Warning: The following processes are using deleted files:
> >> > [snipped]
> >> >>          Process: /usr/local/apache/bin/httpd    PID: 12461    File: /tmp/ZCUDfKYmV3
> >> >>          Process: /usr/bin/perl    PID: 29438    File: /tmp/ZCUDfKYmV3
> >> >> =============================================================================
> >> >>
> >> >> What does this actually indicate and how can it be corrected or ignored?
> >> >>
> >> > This is from the 'deleted_files' test, which is disabled by default
> >> > because it may give false-positive results.
> >> >
> >> > The result is saying that the system reports the
> >> > processes, /usr/local/apache/bin/httpd and /usr/bin/perl, have file
> >> > descriptors open for files which no longer exist, which is suspicious.
> >> >
> >> > Look for ALLOWPROCDELFILE in the config file to see about whitelisting.
> >>
> >> this is what is in the conf file:
> >>
> >> ENABLE_TESTS="all"
> >> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
> >>
> >> the delete_files is disabled, but it's still being tested. do I need to change
> >> something else??
> >>
> > Can you look in the log file for the lines containing:
> >
> >   Info: Enabled tests are:
> >   Info: Disabled tests are:
> >
> > They will indicate which tests are enabled or disabled.
> 
> this is what was in the current rkhunter.log
> 
> Info: Enabled tests are: all
> Info: Disabled tests are: apps suspscan deleted_files
> 
Okay. Can you run RKH as you did initially when the deleted_files test
ran, and then send me the whole log file please.


Thanks,

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839
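
An independent cross-check of the 'deleted_files' warning discussed in this thread, added here as an example (it is not rkhunter's code and not from either poster): a shell function that walks /proc on Linux and reports open descriptors whose link target carries the kernel's " (deleted)" suffix. The function name deleted_fds and its optional PROC_ROOT argument are assumptions made for the example.

```shell
#!/bin/sh
# deleted_fds [PROC_ROOT]
#   Report processes that hold an open file descriptor to a file that has
#   been unlinked. PROC_ROOT defaults to /proc (hypothetical parameter, added
#   so the function can be pointed at a copied or constructed tree).
#   Run as root to see descriptors of other users' processes.
deleted_fds() {
    proc_root=${1:-/proc}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Skip the unexpanded glob and anything that is not a symlink.
        [ -L "$fd" ] || continue
        # The process may exit between the glob and the readlink.
        target=$(readlink "$fd") || continue
        case $target in
            *" (deleted)")
                # Extract the PID component from PROC_ROOT/<pid>/fd/<n>.
                pid=${fd#"$proc_root"/}
                pid=${pid%%/*}
                exe=$(readlink "$proc_root/$pid/exe" 2>/dev/null) || exe="?"
                # Same fields as the warning lines quoted in the thread.
                printf 'Process: %s    PID: %s    File: %s\n' \
                    "$exe" "$pid" "${target% (deleted)}"
                ;;
        esac
    done
}

# Example invocation on a live system:
#   deleted_fds
```

Anonymous memory files also show the " (deleted)" suffix, which is one source of the false positives mentioned above. Files that are only memory-mapped (visible in /proc/PID/maps rather than /proc/PID/fd) are not covered by this function.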
