On Tue, 22 Apr 2008 04:58:03 +0200 Cheng Bruce <[EMAIL PROTECTED]> wrote:

> I tried to find the log of that day, but it was overwritten, so
> I don't know what happened. I have set it to be logrotated.
> After that day, the same warning message has not appeared
> again in the daily report.
>
> What should I do to check for this rootkit?
It goes to show you should read reports at the time they are issued. The report suggests you gather info by running 'lsof -i' or 'netstat -an', and if you look inside RKH you'll see three references: file "/dev/rd/s/sendmeil", directory "/rk" and port TCP/60922. If you have verified the integrity of the machine, and if auditing (if applicable) shows the file and dir have never existed, and if the file and dir don't exist now, then you could conclude it's a false positive.

> By the way, how can I add some files to be checked?

RKH is not a file integrity checker; it only checks attributes for entities that can be subverted by rootkits. You may want to look into Aide, Samhain or another alternative (see Freshmeat.net?).

Regards,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
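The verification unSpawn describes (does the file exist, does the directory exist, is anything listening on that TCP port) and the "add files to be checked" follow-up can both be scripted. The script below is an added example and is not part of the thread or of rkhunter itself; it takes the three indicators from the reply as arguments, uses whichever of `ss`, `netstat` or `lsof` is installed to inspect listening sockets, and adds a minimal sha256 baseline (GNU coreutils `sha256sum` assumed) as a stopgap until a real integrity checker such as AIDE or Samhain is in place. The port check only looks at the local socket table; it cannot see a listener that a kernel-level rootkit hides, which is why the reply also asks for an integrity verification of the machine.

```shell
#!/bin/sh
# Added example, not from the rkhunter-users thread or the rkhunter project.
# Checks the three indicators named in the reply and offers a tiny
# sha256 baseline for files you want to watch until a real FIM is deployed.

# port_listening PORT: return 0 if a TCP listener is bound to PORT.
# Uses ss, netstat or lsof, whichever exists; returns 1 if none is available.
port_listening() {
    p="$1"
    if command -v ss >/dev/null 2>&1; then
        # -H no header, -l listening, -t TCP, -n numeric; column 4 is Local Address:Port
        ss -Hltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$p\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$p\$"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$p" -sTCP:LISTEN >/dev/null 2>&1
    else
        return 1
    fi
}

# check_rk_indicators FILE DIR PORT: print every indicator that is present.
# Returns 0 if none is present (supports the false-positive conclusion),
# 1 if at least one is present (investigate before concluding anything).
check_rk_indicators() {
    f="$1"; d="$2"; p="$3"; found=0
    if [ -e "$f" ]; then
        echo "PRESENT: file $f"; found=1
    fi
    if [ -d "$d" ]; then
        echo "PRESENT: directory $d"; found=1
    fi
    if port_listening "$p"; then
        echo "PRESENT: TCP port $p has a listener"; found=1
    fi
    return $found
}

# baseline_create BASELINE FILE...: record sha256 of each file.
baseline_create() {
    out="$1"; shift
    sha256sum "$@" > "$out"
}

# baseline_verify BASELINE: return 0 only if every recorded file still matches.
baseline_verify() {
    sha256sum -c --status "$1"
}

# Demo run with the exact indicators from the reply (values from the thread).
check_rk_indicators /dev/rd/s/sendmeil /rk 60922 && echo "none of the three indicators is present"
```

Run it on the box that produced the warning; a clean result from `check_rk_indicators` is one of the conditions the reply lists, not a substitute for the audit-trail and integrity checks it also asks for. `baseline_create` writes a hash list you can store off-host and later feed to `baseline_verify`.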