Hi. How to confirm deleted files are false positives?
I did a default uninstall and default install of 1.3.2, ran --update, then a scan, then --propupd, then a -c -sk scan. Am running all tests and none disabled.

[15:15:32] Info: Starting test name 'deleted_files'
[15:15:32] Checking running processes for deleted files [ Warning ]
[15:15:32] Warning: The following processes are using deleted files:
[15:15:32] Process: /usr/sbin/hald PID: 2834 File: /tmp/init.riMOoa
[15:15:32] Process: /usr/sbin/crond PID: 2904 File: /tmp/init.MdGsSR
[15:15:32] Process: /sbin/ifplugd PID: 3101 File: /tmp/init.tR40pA

System checks summary
Suspect files: 0
Possible rootkits: 0
Suspect applications: 0

============================================================================================

In your 1.3.2 conf you name some deleted file processes but none concern me at present.

# Allow the specified processes to use deleted files.
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld

=======================================

cron ran at 14:30 localtime and logs show

Mar 6 14:33:10 gs anacron[3082]: Normal exit (2 jobs run)
Mar 6 15:01:02 gs crond[13956]: (root) CMD (nice -n 19 run-parts --report /etc/cron.hourly)
Mar 6 15:08:18 gs crond[2904]: (CRON) STARTUP (V5.0)
Mar 6 15:08:20 gs anacron[3054]: Anacron 2.3 started on 2008-03-06
Mar 6 15:08:20 gs anacron[3054]: Normal exit (0 jobs run)
Mar 6 16:01:31 gs crond[2912]: (CRON) STARTUP (V5.0)

I would not call that a match. What thoughts, you guys?

--------------------------

So I tried again after a full reboot:

Warning: The following processes are using deleted files:
[16:32:59] Process: /usr/sbin/hald PID: 2868 File: /tmp/init.Ah0aGe
[16:32:59] Process: /usr/sbin/crond PID: 2912 File: /tmp/init.RDIhOJ
[16:32:59] Process: /sbin/ifplugd PID: 3101 File: /tmp/init.I2rvZB
[16:32:59] Process: /sbin/dhclient PID: 3292 File: /tmp/init.I2rvZB

The only difference this time is I did not disable the net before running the scan. Looking at the ifplugd and my wired eth dhclient, I am fairly happy I caused that.

-----------------------

Looking at the ifplugd log:

Mar 6 15:08:20 gs ifplugd(eth0)[3101]: Executing '/etc/ifplugd/ifplugd.action eth0 up'.

then nothing for ifplugd until... the rkh scan ran in this period:

Mar 6 15:51:57 gs ifplugd(eth0)[3101]: Executing '/etc/ifplugd/ifplugd.action eth0 down'.

------------------------------------

I am assuming that the process, whichever one, once finished... my distro is deleting the temp files. If I had an exact time match I would not be posting, so I am looking for comments or techniques rather than assuming it's a false positive. The idea did occur to me to run a cut-down tripwire or other checker on /tmp only before or after, but I will let the gurus decide if that is the correct way.

cheerio

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
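Added example, not part of the original post and not rkhunter's own code, showing one way to check a deleted_files warning yourself rather than trusting the summary line. It reads /proc directly (rkhunter may use lsof or other tools; that is an assumption here) for file descriptors whose link target ends in "(deleted)", reports the start time of each holding process so it can be lined up against syslog (the scan above and the "crond[2904]: (CRON) STARTUP" line carry the same PID, so process start time, not cron run time, is what to compare), and filters hits against ALLOWPROCDELFILE= entries parsed from an rkhunter.conf body. The sample scan lines and config excerpt are copied from the post; the function names and the constructed allowlist line are my own.

```python
#!/usr/bin/env python3
"""Reproduce an rkhunter-style 'deleted_files' check and correlate each hit
with process start time and an ALLOWPROCDELFILE allowlist.
Added example for the rkhunter-users thread; not rkhunter's own code."""
import os
import re
import time
from dataclasses import dataclass

# Clock ticks per second, needed to turn /proc/<pid>/stat starttime into seconds.
CLK_TCK = os.sysconf("SC_CLK_TCK") if hasattr(os, "sysconf") else 100

# Sample scan output, copied from the post.
SAMPLE_SCAN = """\
[15:15:32] Warning: The following processes are using deleted files:
[15:15:32] Process: /usr/sbin/hald PID: 2834 File: /tmp/init.riMOoa
[15:15:32] Process: /usr/sbin/crond PID: 2904 File: /tmp/init.MdGsSR
[15:15:32] Process: /sbin/ifplugd PID: 3101 File: /tmp/init.tR40pA
"""

# Config excerpt copied from the post; every entry is commented out.
SAMPLE_CONF = """\
# Allow the specified processes to use deleted files.
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld
"""


@dataclass(frozen=True)
class DeletedFileHit:
    process: str  # executable path, e.g. /usr/sbin/crond
    pid: int
    path: str     # deleted file the process still holds open


def parse_allowprocdelfile(conf_text):
    """Collect active ALLOWPROCDELFILE=<process> entries; '#' lines are ignored."""
    allowed = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("ALLOWPROCDELFILE="):
            allowed.add(line.split("=", 1)[1].strip())
    return allowed


def parse_rkhunter_lines(log_text):
    """Parse 'Process: <exe> PID: <n> File: <path>' lines from rkhunter output."""
    pat = re.compile(r"Process:\s+(\S+)\s+PID:\s+(\d+)\s+File:\s+(\S+)")
    return [DeletedFileHit(m.group(1), int(m.group(2)), m.group(3))
            for line in log_text.splitlines() if (m := pat.search(line))]


def unexplained(hits, allowed):
    """Hits whose executable is not covered by an ALLOWPROCDELFILE entry."""
    return [h for h in hits if h.process not in allowed]


def scan_proc(proc="/proc"):
    """Live check: every process holding an fd whose target was unlinked."""
    hits = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            fds = os.listdir(f"{proc}/{pid}/fd")
        except OSError:
            continue  # process exited, or not ours to inspect without root
        for fd in fds:
            try:
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.endswith(" (deleted)"):
                hits.append(DeletedFileHit(exe, pid, target[:-len(" (deleted)")]))
    return hits


def process_start_time(pid, proc="/proc"):
    """Wall-clock start of <pid>: boot time (btime) + starttime ticks (field 22)."""
    with open(f"{proc}/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime "))
    with open(f"{proc}/{pid}/stat") as f:
        stat = f.read()
    # comm may contain spaces; fields after the closing paren are stable.
    fields = stat[stat.rindex(")") + 2:].split()
    start = btime + int(fields[19]) / CLK_TCK  # field 22 overall
    return time.strftime("%b %d %H:%M:%S", time.localtime(start))


if __name__ == "__main__":
    # Read the local rkhunter.conf if present; path is the usual default, not verified here.
    conf = ""
    if os.path.exists("/etc/rkhunter.conf"):
        with open("/etc/rkhunter.conf") as f:
            conf = f.read()
    allowed = parse_allowprocdelfile(conf)
    for h in scan_proc():
        status = "allowed" if h.process in allowed else "UNEXPLAINED"
        print(f"{status:12} {h.process} PID {h.pid} started {process_start_time(h.pid)} "
              f"holds {h.path}")
```

Run it as root so every /proc/<pid>/fd is readable, then compare each "started" stamp with the daemon's own STARTUP line in syslog; a deleted temp file that was opened at the process's start (as the identical PIDs in the post suggest for crond) is a very different finding from a descriptor that appeared later in the process's life.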