On Wed, 2007-10-10 at 11:12 +0200, Simon wrote:
> we got a lot of problems yesterday because of rkh warnings, which said
> we got compromised.
> We run a daily scan of rkh in a cron job and send the report via email
> to the system administration. Yesterday the cron daemon sent me a mail
> because of a missing file which rkh tried to access, "strings:
> '/var/lib/rkhunter/tmp/stringstest.dat': No such file".

The latest version does not use temporary files in this test (and others) because of problems they can cause. The only time I have had problems with this test, with RKH 1.2.9, was when I was running rkhunter more than once concurrently. The test then becomes confused and reports warnings. So if possible I would say upgrade to version 1.3.0.

The strings test is really a test of the 'strings' command itself - i.e. has the strings command been modified to hide other pathnames? As such I would initially have checked the strings command (in my case by using RPM verify initially, and then checking the file attributes against another system.) If a system had been broken into I would not expect the strings test to report more than a few warnings. To report 60 or so would seem to indicate a failure in the test (as it was), rather than the fact that the system had been massively infected.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
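The reply above makes two practical points: never let the cron job start a second rkhunter while one is still running (the strings test gets confused), and when the strings test warns, check the `strings` binary itself first (package verification, then file attributes against a known-good copy). The script below is an added example illustrating both; it is not code from the thread or from rkhunter. It assumes the paths `/usr/bin/strings`, a baseline file under `/var/lib/rkhunter-baseline/`, and a lock directory under `/var/lock/`; the baseline format (sha256, size, mode, owner) is this example's own choice, and the sample file used when testing is constructed, not a real binary.

```shell
#!/bin/sh
# rkhunter-cron.sh (added example, not part of rkhunter): a cron wrapper that
#  1. refuses to start while another run holds the lock, so the strings test
#     is never executed concurrently, and
#  2. verifies the 'strings' binary against a recorded baseline and the package
#     manager before trusting the rkhunter strings test.
# All paths below are assumptions for this example; override via environment.

STRINGS_BIN="${STRINGS_BIN:-/usr/bin/strings}"
BASELINE="${BASELINE:-/var/lib/rkhunter-baseline/strings.fingerprint}"
LOCKDIR="${LOCKDIR:-/var/lock/rkhunter-cron}"

# Print "sha256 size mode owner" for one file (GNU and BSD userland both handled).
file_fingerprint() {
    f="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f" | awk '{print $1}')
    else
        h=$(shasum -a 256 "$f" | awk '{print $1}')
    fi
    meta=$(stat -c '%s %a %U' "$f" 2>/dev/null || stat -f '%z %Lp %Su' "$f")
    printf '%s %s\n' "$h" "$meta"
}

# Record the baseline once, on a system known to be clean (or copy it from one).
record_baseline() {
    file_fingerprint "$1" > "$2"
}

# Exit status 0 if the file still matches its baseline, 1 if anything changed,
# 2 if no baseline exists yet.
check_against_baseline() {
    [ -r "$2" ] || return 2
    current=$(file_fingerprint "$1")
    expected=$(cat "$2")
    [ "$current" = "$expected" ]
}

# Package-manager verification, the "RPM verify" step from the reply;
# dpkg --verify is used on Debian-derived systems. Non-zero on any discrepancy.
package_verify() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] && dpkg --verify "$pkg"
    else
        echo "no package manager available for verification" >&2
        return 0
    fi
}

# mkdir is atomic on POSIX filesystems, so it doubles as a portable lock.
acquire_lock() {
    mkdir "$1" 2>/dev/null
}

release_lock() {
    rmdir "$1" 2>/dev/null
}

main() {
    if ! acquire_lock "$LOCKDIR"; then
        echo "another rkhunter run is active; skipping this cron slot" >&2
        exit 0
    fi
    trap 'release_lock "$LOCKDIR"' EXIT

    if ! check_against_baseline "$STRINGS_BIN" "$BASELINE"; then
        echo "WARNING: $STRINGS_BIN differs from baseline; treat strings test results with suspicion" >&2
    fi
    if ! package_verify "$STRINGS_BIN"; then
        echo "WARNING: package verification reported changes for $STRINGS_BIN" >&2
    fi

    rkhunter --cronjob --report-warnings-only
}

# Run the cron flow only when invoked under this file name, so the functions
# can be sourced and tested without launching rkhunter.
case "${0##*/}" in
    rkhunter-cron.sh) main "$@" ;;
esac
```

Install as `/usr/local/sbin/rkhunter-cron.sh`, run `record_baseline /usr/bin/strings /var/lib/rkhunter-baseline/strings.fingerprint` once from a clean system, then point the cron entry at the wrapper instead of at rkhunter directly. A baseline mismatch on its own is not proof of compromise (a package update changes the hash too), which is why the package-manager check is kept alongside it; what it does tell you is that the strings test's output is not yet trustworthy.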