On Mon, 2009-08-17 at 12:20 -0500, Rick Renshaw wrote:
> First, running just the suspscan test:
>
> #rkhunter --sk -c --enable suspscan
>
> [ Rootkit Hunter version 1.3.4 ]
>
> Checking for rootkits...
> Performing malware checks
>
> Checking for files with suspicious contents [ Warning ]
>
Okay. It seems you have hit a sort of bug. Your debug file shows the following:

[04:05:25] Warning: File '/tmp/tmp.wIfmC10700' (score: 230) contains some suspicious content and should be checked.

and in your config file you have:

APPEND_LOG=1

So the suspscan test is seeing your old log file entries (given that your local time is around 12 or 13:00 hours). When the actual test runs, no suspicious files are found, and so nothing is logged. But at the end of the test is a 'kludge' to check the log file for suspicious file warnings, and give a WARNING result if any are found. In your case some are found.

I'll have to think about this. The kludge was put in because of the way the test is currently coded. Without the kludge nothing suspicious would be found (as far as I remember).

Your test did throw up a second bug though - the debug file itself was logged as suspicious! I'll see about automatically skipping that :-)

Thanks,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk Fax: +44 (0)1752 587001
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
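As an added illustration of the failure mode described in the reply above (example code, not rkhunter's own): a post-test grep over a log kept with APPEND_LOG=1 sees warnings from earlier runs, while a check scoped to the current run, which also ignores the run's own debug file, does not. The log lines and the "Starting run" marker are constructed; only the warning wording follows the line quoted in the message.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Shows why a post-test grep of a
# log kept with APPEND_LOG=1 reports stale warnings, and one way to scope
# the check to the current run. The log lines and the "Starting run"
# marker are constructed; the warning text follows the line quoted above.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
DEBUGFILE=/tmp/tmp.wIfmC10700   # debug file path from the original report

# Constructed log: an earlier run that flagged a file, then the current run,
# whose only warning is about its own debug file (the second bug mentioned).
cat > "$LOG" <<EOF
[04:05:00] Info: Starting run
[04:05:25] Warning: File '/usr/local/bin/oddtool' (score: 180) contains some suspicious content and should be checked.
[12:20:00] Info: Starting run
[12:20:30] Info: Checking for files with suspicious contents
[12:20:31] Warning: File '$DEBUGFILE' (score: 230) contains some suspicious content and should be checked.
EOF

# The "kludge": count suspicious-content warnings anywhere in the log file.
# With APPEND_LOG=1 this also counts every earlier run's warnings.
naive_check() {
    grep -c "contains some suspicious content" "$1"
}

# Scoped check: only consider lines after the latest run marker, and drop
# warnings that name the run's own debug file ($2).
scoped_check() {
    start=$(grep -n "Info: Starting run" "$1" | tail -n 1 | cut -d: -f1)
    tail -n "+${start:-1}" "$1" \
        | grep "contains some suspicious content" \
        | grep -v -F "File '$2'" \
        | wc -l | tr -d ' '
}

echo "whole log:   $(naive_check "$LOG") warning(s)"                # 2 (one stale)
echo "current run: $(scoped_check "$LOG" "$DEBUGFILE") warning(s)"  # 0
```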