Hello folks,

I have a small home network which I am fairly sure (thanks largely to
RKHunter) is not actually compromised in any way. I recently upgraded to 1.3.0
and, having done so, decided to give it a good run by turning on pretty much
all of the tests to see what would happen. This has produced a couple of
questions, none of which are really serious - just curious:

1) I run RKH from a daily cron job and in the resulting mail output I get these
strange characters that I don't get when I run it from the command line:

Checking rkhunter version...
  This version  : 1.3.0
  Latest version: 1.3.0
[ Rootkit Hunter version 1.3.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat[ No update ]
  Checking file programs_bad.dat[ No update ]
  Checking file backdoorports.dat[ No update ]
  Checking file suspscan.dat[ No update ]
  Checking file i18n/cn[ No update ]
  Checking file i18n/en[ No update ]

Is this normal? I don't think that there is anything strange about my locale
(GB English) as far as I know...

2) Deleted files:
What does this actually mean and what should I do?

Warning: The following processes are using deleted files:
         Process: /bin/bash    PID: 4037    File: /dev/pts/0
         Process: /bin/mail    PID: 13513    File: /tmp/Rsw5uchv


3) Not really a RKH question - this is actually a clamav / clamassassin
question but I thought I would ask here in case anyone knows... Suspscan finds
a bunch of these files in /tmp. They all date back to 12 October, on which day
my spamassassin and clamassassin processing crashed due to an (unrelated)
network problem. I guess they are real virus emails which were only partially
processed. My question: I know I could whitelist them in rkhunter.conf, but I
presume it would be safe to delete them?
Warning: File '/tmp/clamassassinmsg.Rwmej24697' (score: 261) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.bofQu24733' (score: 241) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.gaFBP24833' (score: 261) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.JMSGn24791' (score: 251) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.XhwgM24780' (score: 271) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.RyEyx24711' (score: 292) contains some 
suspicious content and should be checked.
Warning: File '/tmp/.spamassassin15054VGfFidtmp' (score: 204) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.XSqcq24800' (score: 231) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.lSYcw24761' (score: 271) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.yRklY24714' (score: 282) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.uAVrp24843' (score: 221) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.dBvgN24774' (score: 221) contains some 
suspicious content and should be checked.
Warning: File '/tmp/.spamassassin150542nwcsPtmp' (score: 204) contains some 
suspicious content and should be checked.
Warning: File '/tmp/clamassassinmsg.Gdpja24745' (score: 231) contains some 
suspicious content and should be checked.
Warning: File '/var/tmp/clamdb/SCAM-UpdateSession.log' (score: 230) contains 
some suspicious content and should be checked.
Warning: File '/var/tmp/clamdb/PHISH-UpdateSession.log' (score: 230) contains 
some suspicious content and should be checked.


4) Question 3 is inconsequential, but I have left it there because it relates
to this question which is probably the only important one in my list...
Having run Suspscan which finds the above content, any further runs of RKH
produce the following:
Warning: Suspicious files found in /dev:
         /dev/shm/suspscan.16568.strings: ASCII English text
         /dev/shm/suspscan.11185.strings: ASCII English text
         /dev/shm/suspscan.27539.strings: ASCII English text
         /dev/shm/suspscan.22541.strings: ASCII English text
         /dev/shm/suspscan.19189.strings: ASCII English text
         /dev/shm/suspscan.15620.strings: ASCII English text
         /dev/shm/suspscan.11709.strings: ASCII English text
         /dev/shm/suspscan.8034.strings: ASCII English text
         /dev/shm/suspscan.7005.strings: ASCII English text
         /dev/shm/suspscan.11229.strings: ASCII English text
         /dev/shm/suspscan.8636.strings: ASCII English text

(one for each day I have run RKH since it found the clamassassin entries)

My question:

Why does RKH trigger its own suspect file warning? Should these be whitelisted
or deleted?

I know I can (and probably will) turn off suspect file scanning, but I am just
curious as to why this should be.

Thanks in advance for your answers and thanks very much to unSpawn and all the
RKH project team for all their efforts in providing us with such a great
product.

AD


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
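The "processes are using deleted files" warning in question 2 comes from the
kernel's view of open descriptors: /proc/<pid>/fd/<n> is a symlink whose target
gains the suffix " (deleted)" once the file has been unlinked. The script below
is an added example (written for this page, not rkhunter's own check) that
performs the same walk, reports the same three fields the warning shows, and
separates the usual benign case (a process holding a temp file or a closed pty
it unlinked itself, like the bash and mail entries in the post) from the case
worth a second look: a process whose own image at /proc/<pid>/exe has been
deleted or replaced on disk. The process list it uses for the offline run is a
constructed fake /proc tree; the pids 4037 and 13513 are copied from the post,
the sshd entry (pid 2200) is invented to show the replaced-binary case, and the
triage labels are this example's own convention, not rkhunter's. Note that a
deleted file is still readable through /proc/<pid>/fd/<n> while the descriptor
is open, which is the way to inspect what /tmp/Rsw5uchv actually contained.

```python
#!/usr/bin/env python3
"""Report processes holding deleted files open (added example, not rkhunter code).

/proc/<pid>/fd/<n> and /proc/<pid>/exe are symlinks; the kernel appends
" (deleted)" to the link target once the file has been unlinked.
"""
import os
import tempfile
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"


@dataclass(frozen=True)
class DeletedFileUse:
    pid: int
    exe: str    # what /proc/<pid>/exe pointed at, suffix stripped
    path: str   # the deleted path, suffix stripped
    kind: str   # "fd": an open descriptor; "exe": the process image itself


def strip_deleted(target):
    """Split a /proc link target into (path, is_deleted)."""
    if target.endswith(DELETED_SUFFIX):
        return target[: -len(DELETED_SUFFIX)], True
    return target, False


def scan_proc(proc_root="/proc"):
    """Walk proc_root/<pid>/{exe,fd/*} and return every deleted target, pid order."""
    hits = []
    for entry in sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int):
        pid = int(entry)
        base = os.path.join(proc_root, entry)
        try:
            exe, exe_deleted = strip_deleted(os.readlink(os.path.join(base, "exe")))
        except OSError:            # kernel thread, or the pid exited mid-scan
            continue
        if exe_deleted:
            hits.append(DeletedFileUse(pid, exe, exe, "exe"))
        fd_dir = os.path.join(base, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:            # another user's process and we are not root
            continue
        for fd in fds:
            try:
                path, deleted = strip_deleted(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if deleted:
                hits.append(DeletedFileUse(pid, exe, path, "fd"))
    return list(dict.fromkeys(hits))   # drop duplicates (same file open on several fds)


def triage(hit):
    """This example's own labels: 'investigate', 'inspect' or 'benign'."""
    if hit.kind == "exe":
        return "investigate"          # running binary no longer matches anything on disk
    if hit.path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
        return "inspect"              # temp file: read it via /proc/<pid>/fd/<n> if in doubt
    return "benign"                   # e.g. a pty a shell still holds after it was closed


def build_constructed_proc_tree():
    """Constructed fake /proc layout so the scan runs offline; not a real system."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    sample = {
        4037: ("/bin/bash", {"0": "/dev/pts/0 (deleted)", "1": "/dev/null"}),
        13513: ("/bin/mail", {"0": "/dev/null", "3": "/tmp/Rsw5uchv (deleted)"}),
        2200: ("/usr/sbin/sshd (deleted)", {"0": "/dev/null"}),   # invented replaced-binary case
    }
    for pid, (exe, fds) in sample.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        os.symlink(exe, os.path.join(root, str(pid), "exe"))
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, fd))
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_proc_tree()
    for h in scan_proc(root):
        print(f"Process: {h.exe:<16} PID: {h.pid:<7} File: {h.path:<24} [{triage(h)}]")
```

Run it with no argument to see the constructed sample, or as root with `/proc`
as the argument to scan the live system; unprivileged runs silently skip other
users' fd directories, which is why rkhunter's cron job runs as root.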
