On Sun, 2009-12-27 at 13:23 +0200, Nerijus Baliunas wrote:
> Hello,
>
> I got a new warning with 1.3.6:
>
> Warning: Checking running processes for suspicious files [ Warning ]
> Warning: One or more of these files were found: backdoor, adore.o,
> mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava,
> tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system,
> t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide,
> xh, emech, psybnc, mech, httpd.bin, mh, xl, write, Phantasmagoria.o, lkt.o,
> nlkt.o
> Check the output of the lsof command 'lsof -F n -w -n'
>
> I think it would be better to write exact suspicious process.
>
RKH doesn't record that info, so cannot log it. However, submit it as a
feature request on the sourceforge web site if you like, and we will
look into it.
> Now by trying one by one
> I found that it is 'system', created by wine process and looks like:
> # ps axw|grep system
> 18034 ? Sl 0:00 c:\windows\system\services.exe
> 18036 ? Sl 0:00 c:\windows\system\winedevice.exe MountMgr
> 18044 ? Ss 0:01 c:\windows\system\explorer.exe /desktop
>
> If I exit wine application, I do not get this warning anymore.
> How can I whitelist it?
>
You can't. The only way around it is to disable the whole test
('running_procs').
John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
