On Mon, 2009-08-17 at 12:20 -0500, Rick Renshaw wrote:
> First, running just the suspscan test:
> 
> #rkhunter --sk -c --enable suspscan
> 
> [ Rootkit Hunter version 1.3.4 ]
> 
> Checking for rootkits...
> 
>   Performing malware checks
> 
>     Checking for files with suspicious contents
> [ Warning ]
> 
Okay. It seems you have hit a sort of bug. Your debug file shows the
following:

     [04:05:25] Warning: File '\''/tmp/tmp.wIfmC10700'\'' (score: 230)
     contains some suspicious content and should be checked.

and in your config file you have:

     APPEND_LOG=1

So the suspscan test is seeing your old log file entries (given that
your local time is around 12 or 13:00 hours). When the actual test runs,
no suspicious files are found, and so nothing is logged. But at the end
of the test is a 'kludge' to check the log file for suspicious file
warnings, and give a WARNING result if any are found. In your case some
are found.

I'll have to think about this. The kludge was put in because of the way
the test is currently coded. Without the kludge nothing suspicious would
be found (as far as I remember).

Your test did throw up a second bug though - the debug file itself was
logged as suspicious! I'll see about automatically skipping that :-)

Thanks,

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk       Fax: +44 (0)1752 587001
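An added illustration of the false positive John describes above; this is example code, not rkhunter's own script or anything posted in the thread. It builds a constructed two-run log (APPEND_LOG=1 style, with an assumed "Rootkit Hunter version" line marking each run start) and compares a whole-log check with one restricted to the current run.

```shell
# Constructed log: run 1 flagged a temp file, run 2 (the current run) found nothing.
# The line formats are approximations, not rkhunter's exact log layout.
make_sample_log() {
    cat > "$1" <<'EOF'
[04:05:20] Rootkit Hunter version 1.3.4 (constructed run 1 header)
[04:05:25] Warning: File '/tmp/tmp.wIfmC10700' (score: 230) contains some suspicious content and should be checked.
[04:05:26]   Checking for files with suspicious contents [ Warning ]
[12:20:10] Rootkit Hunter version 1.3.4 (constructed run 2 header)
[12:20:30] Info: suspscan found no suspicious files in this run
EOF
}

# The end-of-test "kludge" as described: grep the whole log for suspicious-file
# warnings. With an appended log, entries from earlier runs are counted too.
count_all_suspscan_warnings() {
    grep -c 'Warning: File .* contains some suspicious content' "$1" || true
}

# Safer variant: reset the counter at each run header, so only warnings logged
# after the most recent run start are reported.
count_current_run_warnings() {
    awk '/Rootkit Hunter version/ { n = 0; next }
         /Warning: File .* contains some suspicious content/ { n++ }
         END { print n + 0 }' "$1"
}

# Map a count to the test result the user would see.
result_for_count() {
    [ "$1" -gt 0 ] && echo "Warning" || echo "OK"
}

demo() {
    f=$(mktemp)
    make_sample_log "$f"
    printf 'whole-log kludge : %s warning(s) -> [ %s ]\n' \
        "$(count_all_suspscan_warnings "$f")" \
        "$(result_for_count "$(count_all_suspscan_warnings "$f")")"
    printf 'current run only : %s warning(s) -> [ %s ]\n' \
        "$(count_current_run_warnings "$f")" \
        "$(result_for_count "$(count_current_run_warnings "$f")")"
    rm -f "$f"
}

demo
```

The whole-log check reports a Warning from the stale 04:05 entry even though the current run found nothing, which is exactly the behaviour reported in the thread.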


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users