Hi,
we got a lot of problems yesterday because of rkh warnings, which
said we had been compromised.
We run a daily scan of rkh in a cron job and send the report via
email to the system administration. Yesterday the cron daemon sent me
a mail because of a missing file which rkh tried to access, "strings:
'/var/lib/rkhunter/tmp/stringstest.dat': No such file".
Two minutes later rkh sent five report mails with a lot of warnings
in them.
E.g. (10 of more than 60 warnings)
Found warnings:
[23:30:24] Strings selftest: scanning for string /usr/lib/.../netstat... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg...
[23:30:24] Strings selftest: scanning for string /usr/lib/.../netstat... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-pw... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shhk...
[23:30:24] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shrs... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../uconf.inv...
[23:30:24] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../psr... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../slocate... WARNING!
We took those reports seriously and started searching. We started the
server from a live image to search the filesystem without rootkit
interference, but didn't find anything. I made some dd images of the
partitions and searched them on another machine, but there was
nothing there either.
So I think this whole alarm was just a big failure of rkh, but why?
Any ideas?
- Some info
OS: Debian 4.0
Kernel: 2.6.18-4-686
RKH: 1.2.9
Last update of RKH: 2007-10-07
Cron: 3.0pl1
Greets,
Simon
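An added triage example, not from the original post or from rkhunter itself: it parses report lines in the format quoted above, groups the WARNING! lines by test name, and flags the "Strings selftest" warnings as a probable self-test failure when the cron output also carries the "stringstest.dat: No such file" error. The report lines and the cron stderr line are constructed to mirror the post; the "Filesystem check" line is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input: the cron stderr line and report lines modelled on
# the ones quoted in the post (the "Filesystem check" line is invented).
CRON_STDERR = "strings: '/var/lib/rkhunter/tmp/stringstest.dat': No such file"
REPORT = """\
[23:30:24] Strings selftest: scanning for string /usr/lib/.../netstat... WARNING!
[23:30:24] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg...
[23:30:24] Strings selftest: scanning for string /usr/lib/.../psr... WARNING!
[23:30:25] Filesystem check: /etc/passwd... OK
"""

# "[HH:MM:SS] <test>: <message>[ WARNING!]"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d\d:\d\d:\d\d)\] (?P<test>[^:]+): (?P<msg>.*?)(?P<warn>\s*WARNING!)?$"
)
# The strings(1) error seen in the cron mail when the self-test data file is absent.
MISSING_DAT_RE = re.compile(r"strings: '[^']*stringstest\.dat': No such file")


def parse_report(text):
    """Return (timestamp, test, message, is_warning) for every parsable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["ts"], m["test"], m["msg"], m["warn"] is not None))
    return entries


def triage(report_text, cron_stderr=""):
    """Group warnings by test and judge whether the Strings selftest warnings
    coincide with a missing self-test data file rather than a real finding."""
    warnings = defaultdict(list)
    for _ts, test, msg, is_warning in parse_report(report_text):
        if is_warning:
            warnings[test].append(msg)
    data_missing = MISSING_DAT_RE.search(cron_stderr) is not None
    strings_warnings = warnings.get("Strings selftest", [])
    if strings_warnings and data_missing:
        assessment = "likely selftest failure"  # warnings appeared right after the tool error
    elif strings_warnings:
        assessment = "investigate"  # no tool error to explain them: treat as real
    else:
        assessment = "no strings selftest warnings"
    return {"warnings_by_test": dict(warnings),
            "selftest_data_missing": data_missing,
            "assessment": assessment}


if __name__ == "__main__":
    print(triage(REPORT, CRON_STDERR))
```

The verdict only downgrades the strings self-test; any other test's warnings are still returned in `warnings_by_test` for review.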
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users