First, running just the suspscan test:
#rkhunter --sk -c --enable suspscan
[ Rootkit Hunter version 1.3.4 ]
Checking for rootkits...
Performing malware checks
Checking for files with suspicious contents [ Warning ]
System checks summary
=====================
File properties checks...
All checks skipped
Rootkit checks...
Rootkits checked : 0
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 second
All results have been written to the logfile (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Here's the log:
[12:03:09] Running Rootkit Hunter version 1.3.4 on six
[12:03:10]
[12:03:10] Info: Start date is Mon Aug 17 12:03:09 CDT 2009
[12:03:10]
[12:03:10] Checking configuration file and command-line options...
[12:03:10] Info: Detected operating system is 'Linux'
[12:03:10] Info: Found O/S name: Red Hat Enterprise Linux Server release 5.3 (Tikanga)
[12:03:10] Info: Command line is /usr/local/bin/rkhunter --sk -c --enable suspscan
[12:03:10] Info: Environment shell is /bin/bash; rkhunter is using bash
[12:03:10] Info: Using configuration file '/usr/local/etc/rkhunter.conf'
[12:03:10] Info: Installation directory is '/usr/local'
[12:03:10] Info: Using language 'en'
[12:03:10] Info: Using '/var/lib/rkhunter/db' as the database directory
[12:03:10] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[12:03:10] Info: Using '/usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[12:03:10] Info: Using '/' as the root directory by default
[12:03:10] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[12:03:10] Info: Emailing warnings to 'root' using command '/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[12:03:10] Info: X will be automatically detected
[12:03:10] Info: Using second color set
[12:03:10] Info: Found the 'diff' command: /usr/bin/diff
[12:03:10] Info: Found the 'file' command: /usr/bin/file
[12:03:10] Info: Found the 'find' command: /usr/bin/find
[12:03:10] Info: Found the 'ifconfig' command: /sbin/ifconfig
[12:03:10] Info: Found the 'ip' command: /sbin/ip
[12:03:10] Info: Found the 'ldd' command: /usr/bin/ldd
[12:03:10] Info: Found the 'lsattr' command: /usr/bin/lsattr
[12:03:10] Info: Found the 'lsmod' command: /sbin/lsmod
[12:03:10] Info: Found the 'lsof' command: /usr/sbin/lsof
[12:03:10] Info: Found the 'mktemp' command: /bin/mktemp
[12:03:10] Info: Found the 'netstat' command: /bin/netstat
[12:03:10] Info: Found the 'perl' command: /usr/bin/perl
[12:03:10] Info: Found the 'ps' command: /bin/ps
[12:03:10] Info: Found the 'pwd' command: /bin/pwd
[12:03:10] Info: Found the 'readlink' command: /usr/bin/readlink
[12:03:10] Info: Found the 'sort' command: /bin/sort
[12:03:10] Info: Found the 'stat' command: /usr/bin/stat
[12:03:10] Info: Found the 'strings' command: /usr/bin/strings
[12:03:10] Info: Found the 'uniq' command: /usr/bin/uniq
[12:03:10] Info: Enabled tests are: suspscan rootkits malware
[12:03:10] Info: Disabled tests are: none
[12:03:11] Info: Found ksym file '/proc/kallsyms'
[12:03:11]
[12:03:11] Starting system checks...
[12:03:11]
[12:03:11] Info: Test 'system_commands' disabled at users request.
[12:03:11]
[12:03:11] Checking for rootkits...
[12:03:11] Info: Starting test name 'rootkits'
[12:03:11]
[12:03:11] Info: Test 'known_rkts' disabled at users request.
[12:03:11]
[12:03:11] Info: Test 'additional_rkts' disabled at users request.
[12:03:11]
[12:03:11] Performing malware checks
[12:03:11] Info: Starting test name 'malware'
[12:03:11]
[12:03:11] Info: Test 'deleted_files' disabled at users request.
[12:03:11]
[12:03:11] Info: Test 'running_procs' disabled at users request.
[12:03:11]
[12:03:11] Info: Test 'hidden_procs' disabled at users request.
[12:03:11]
[12:03:11] Performing check of files with suspicious contents
[12:03:11] Info: Starting test name 'suspscan'
[12:03:11] Directories to check are: /tmp /var/tmp
[12:03:11] Temporary directory to use: /dev/shm
[12:03:11] Maximum file size to check (in bytes): '10240000'
[12:03:11] Score threshold is set to: 200
[12:03:11] Checking directory: '/tmp'
[12:03:11] No suitable files found to check.
[12:03:11] Checking directory: '/var/tmp'
[12:03:11] No suitable files found to check.
[12:03:11] Warning: Checking for files with suspicious contents [ Warning ]
[12:03:11]
[12:03:11] Info: Test 'other_malware' disabled at users request.
[12:03:11]
[12:03:11] Info: Test 'trojans' disabled at users request.
[12:03:11]
[12:03:11] Info: Test 'os_specific' disabled at users request.
[12:03:11]
[12:03:11] Info: Test 'network' disabled at users request.
[12:03:12]
[12:03:12] Info: Test 'local_host' disabled at users request.
[12:03:12]
[12:03:12] Info: Test 'apps' disabled at users request.
[12:03:12]
[12:03:12] System checks summary
[12:03:12] =====================
[12:03:12]
[12:03:12] File properties checks...
[12:03:12] All checks skipped
[12:03:12]
[12:03:12] Rootkit checks...
[12:03:12] Rootkits checked : 0
[12:03:12] Possible rootkits: 0
[12:03:12]
[12:03:12] Applications checks...
[12:03:12] All checks skipped
[12:03:12]
[12:03:12] The system checks took: 1 second
[12:03:12]
[12:03:12] Info: End date is Mon Aug 17 12:03:12 CDT 2009
If I specify a log file on the command line, it doesn't generate a warning:
#rkhunter --sk -c --logfile /var/log/rkhunter.suspscan.log --enable suspscan
[ Rootkit Hunter version 1.3.4 ]
Checking for rootkits...
Performing malware checks
Checking for files with suspicious contents [ None found ]
System checks summary
=====================
File properties checks...
All checks skipped
Rootkit checks...
Rootkits checked : 0
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 second
All results have been written to the logfile (/var/log/rkhunter.suspscan.log)
No warnings were found while checking the system.
Here's the log from this run:
[12:02:56] Running Rootkit Hunter version 1.3.4 on six
[12:02:56]
[12:02:56] Info: Start date is Mon Aug 17 12:02:56 CDT 2009
[12:02:56]
[12:02:56] Checking configuration file and command-line options...
[12:02:57] Info: Detected operating system is 'Linux'
[12:02:57] Info: Found O/S name: Red Hat Enterprise Linux Server release 5.3 (Tikanga)
[12:02:57] Info: Command line is /usr/local/bin/rkhunter --sk -c --logfile /var/log/rkhunter.suspscan.log --enable suspscan
[12:02:57] Info: Environment shell is /bin/bash; rkhunter is using bash
[12:02:57] Info: Using configuration file '/usr/local/etc/rkhunter.conf'
[12:02:57] Info: Installation directory is '/usr/local'
[12:02:57] Info: Using language 'en'
[12:02:57] Info: Using '/var/lib/rkhunter/db' as the database directory
[12:02:57] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[12:02:57] Info: Using '/usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[12:02:57] Info: Using '/' as the root directory by default
[12:02:57] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[12:02:57] Info: Emailing warnings to 'root' using command '/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[12:02:57] Info: X will be automatically detected
[12:02:57] Info: Using second color set
[12:02:57] Info: Found the 'diff' command: /usr/bin/diff
[12:02:57] Info: Found the 'file' command: /usr/bin/file
[12:02:57] Info: Found the 'find' command: /usr/bin/find
[12:02:57] Info: Found the 'ifconfig' command: /sbin/ifconfig
[12:02:57] Info: Found the 'ip' command: /sbin/ip
[12:02:57] Info: Found the 'ldd' command: /usr/bin/ldd
[12:02:57] Info: Found the 'lsattr' command: /usr/bin/lsattr
[12:02:57] Info: Found the 'lsmod' command: /sbin/lsmod
[12:02:57] Info: Found the 'lsof' command: /usr/sbin/lsof
[12:02:57] Info: Found the 'mktemp' command: /bin/mktemp
[12:02:57] Info: Found the 'netstat' command: /bin/netstat
[12:02:57] Info: Found the 'perl' command: /usr/bin/perl
[12:02:57] Info: Found the 'ps' command: /bin/ps
[12:02:57] Info: Found the 'pwd' command: /bin/pwd
[12:02:57] Info: Found the 'readlink' command: /usr/bin/readlink
[12:02:57] Info: Found the 'sort' command: /bin/sort
[12:02:57] Info: Found the 'stat' command: /usr/bin/stat
[12:02:57] Info: Found the 'strings' command: /usr/bin/strings
[12:02:57] Info: Found the 'uniq' command: /usr/bin/uniq
[12:02:57] Info: Enabled tests are: suspscan rootkits malware
[12:02:57] Info: Disabled tests are: none
[12:02:57] Info: Found ksym file '/proc/kallsyms'
[12:02:57]
[12:02:57] Starting system checks...
[12:02:58]
[12:02:58] Info: Test 'system_commands' disabled at users request.
[12:02:58]
[12:02:58] Checking for rootkits...
[12:02:58] Info: Starting test name 'rootkits'
[12:02:58]
[12:02:58] Info: Test 'known_rkts' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'additional_rkts' disabled at users request.
[12:02:58]
[12:02:58] Performing malware checks
[12:02:58] Info: Starting test name 'malware'
[12:02:58]
[12:02:58] Info: Test 'deleted_files' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'running_procs' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'hidden_procs' disabled at users request.
[12:02:58]
[12:02:58] Performing check of files with suspicious contents
[12:02:58] Info: Starting test name 'suspscan'
[12:02:58] Directories to check are: /tmp /var/tmp
[12:02:58] Temporary directory to use: /dev/shm
[12:02:58] Maximum file size to check (in bytes): '10240000'
[12:02:58] Score threshold is set to: 200
[12:02:58] Checking directory: '/tmp'
[12:02:58] No suitable files found to check.
[12:02:58] Checking directory: '/var/tmp'
[12:02:58] No suitable files found to check.
[12:02:58] Checking for files with suspicious contents [ None found ]
[12:02:58]
[12:02:58] Info: Test 'other_malware' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'trojans' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'os_specific' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'network' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'local_host' disabled at users request.
[12:02:58]
[12:02:58] Info: Test 'apps' disabled at users request.
[12:02:59]
[12:02:59] System checks summary
[12:02:59] =====================
[12:02:59]
[12:02:59] File properties checks...
[12:02:59] All checks skipped
[12:02:59]
[12:02:59] Rootkit checks...
[12:02:59] Rootkits checked : 0
[12:02:59] Possible rootkits: 0
[12:02:59]
[12:02:59] Applications checks...
[12:02:59] All checks skipped
[12:02:59]
[12:02:59] The system checks took: 1 second
[12:02:59]
[12:02:59] Info: End date is Mon Aug 17 12:02:59 CDT 2009
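The two runs above differ only in the final verdict line: the first log ends the suspscan section with "Warning: ... [ Warning ]" even though both directories reported "No suitable files found to check", the second ends it with "[ None found ]". Anyone automating rkhunter on a cron schedule will want to classify that case from the log rather than from the console summary. The helper below is an added example, not part of the original post and not rkhunter's own code; it assumes the 1.3.4 log wording shown above and uses two abbreviated, constructed copies of the posted logs as input.

```shell
#!/bin/sh
# Added example (not part of the original post or of rkhunter): classify the
# suspscan outcome recorded in an rkhunter log. A "Warning" verdict raised after
# every checked directory reported "No suitable files found to check" is
# reported as spurious-warning, so it can be triaged separately from a warning
# that is backed by a scored file. Line formats are the ones in rkhunter 1.3.4
# logs as quoted in the post above.

# Prints one of: clean | warning | spurious-warning | absent
suspscan_verdict() {
    log="$1"
    if ! grep -q "Starting test name 'suspscan'" "$log"; then
        echo absent
        return 0
    fi
    # Restrict to the suspscan section: from its start line up to the next
    # "Info: Test '...'" line (the following disabled/enabled test).
    section=$(sed -n "/Starting test name 'suspscan'/,/Info: Test '/p" "$log")
    # grep -c exits 1 on zero matches, so keep the count without aborting under set -e.
    dirs=$(printf '%s\n' "$section" | grep -c 'Checking directory:' || true)
    empty=$(printf '%s\n' "$section" | grep -c 'No suitable files found' || true)
    if printf '%s\n' "$section" | grep -q 'suspicious contents \[ Warning \]'; then
        if [ "$dirs" -gt 0 ] && [ "$dirs" -eq "$empty" ]; then
            echo spurious-warning
        else
            echo warning
        fi
    elif printf '%s\n' "$section" | grep -q 'suspicious contents \[ None found \]'; then
        echo clean
    else
        echo absent
    fi
}

# Constructed sample logs: abbreviated copies of the suspscan sections of the
# two runs in the post (first run without --logfile, second run with it).
SAMPLE_WARN=$(mktemp)
cat > "$SAMPLE_WARN" <<'EOF'
[12:03:11] Performing check of files with suspicious contents
[12:03:11] Info: Starting test name 'suspscan'
[12:03:11] Directories to check are: /tmp /var/tmp
[12:03:11] Score threshold is set to: 200
[12:03:11] Checking directory: '/tmp'
[12:03:11] No suitable files found to check.
[12:03:11] Checking directory: '/var/tmp'
[12:03:11] No suitable files found to check.
[12:03:11] Warning: Checking for files with suspicious contents [ Warning ]
[12:03:11]
[12:03:11] Info: Test 'other_malware' disabled at users request.
EOF

SAMPLE_CLEAN=$(mktemp)
cat > "$SAMPLE_CLEAN" <<'EOF'
[12:02:58] Performing check of files with suspicious contents
[12:02:58] Info: Starting test name 'suspscan'
[12:02:58] Directories to check are: /tmp /var/tmp
[12:02:58] Score threshold is set to: 200
[12:02:58] Checking directory: '/tmp'
[12:02:58] No suitable files found to check.
[12:02:58] Checking directory: '/var/tmp'
[12:02:58] No suitable files found to check.
[12:02:58] Checking for files with suspicious contents [ None found ]
[12:02:58]
[12:02:58] Info: Test 'other_malware' disabled at users request.
EOF
trap 'rm -f "$SAMPLE_WARN" "$SAMPLE_CLEAN"' EXIT

# Run as a script: print the verdict for each sample log.
for f in "$SAMPLE_WARN" "$SAMPLE_CLEAN"; do
    printf '%s: %s\n' "$f" "$(suspscan_verdict "$f")"
done
```

Point the function at /var/log/rkhunter.log (or whatever --logfile names) after a scheduled run; a spurious-warning result is the signature of the behaviour in the first run above, while a plain warning is the one worth paging on.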
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users