On 29.12.2009 at 22:38, John Horne <john.ho...@plymouth.ac.uk> wrote:

> On Sun, 2009-12-27 at 13:23 +0200, Nerijus Baliunas wrote:
>> Hello,
>>
>> I got a new warning with 1.3.6:
>>
>> Warning: Checking running processes for suspicious files [ Warning ]
>> Warning: One or more of these files were found: backdoor, adore.o,
>> mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava,
>> tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3,
>> system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer,
>> holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write,
>> Phantasmagoria.o, lkt.o, nlkt.o
>>          Check the output of the lsof command 'lsof -F n -w -n'
>>
> You can't. The only way around it is to disable the whole test
> ('running_procs').

Since I upgraded rkhunter to the latest version I have also had these
warnings nearly every day.
So I looked at /usr/bin/rkhunter to see what these suspicious files could be and
tested it on my machine with

r...@algol:~# lsof -wnlP -F n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep "${SUSP_FILES}"

What I found is

/usr/bin/system-tools-backends
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/fonts/LucidaSansRegular.ttf
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/i386/client/libjvm.so
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/i386/libawt.so
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/i386/libjava.so
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/i386/libverify.so
/usr/lib/libavahi-client.so.3.2.4
/usr/lib/libavahi-common.so.3.5.0
/usr/lib/libavahi-glib.so.1.0.1
/usr/lib/libxcb-xlib.so.0.0.0
/var/run/dbus/system_bus_socket

All normal processes.
The problem is that the suspicious file test greps for strings like ava,
xl or system, strings that occur in a lot of very normal processes that use
java, avahi or every program that uses xlib.

Is there a way to fine-tune these tests? In the current way it is IMHO very
useless with all these false positives.
So I'll disable the test now.

Greetings
Jens
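As an added example, not rkhunter's own code or the pipeline from the post above, the script below reproduces the substring-match false positives Jens describes on a constructed sample of lsof paths and shows an exact-basename match that avoids them; the variable names, the sample paths (partly taken from the post, partly made up) and the reduced name list are assumptions.

```shell
#!/bin/sh
# Added example, not code from rkhunter: why a substring grep of the
# suspicious-file list against lsof output flags ordinary libraries, and an
# exact-basename match that does not.

# Constructed sample in the shape the post's pipeline produces (the 'n'
# prefix of 'lsof -F n' already removed). Paths are from the post plus two
# made-up ones: a file literally named 'ava' and an unrelated daemon binary.
SAMPLE_PATHS='/usr/bin/system-tools-backends
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/i386/libjava.so
/usr/lib/libavahi-client.so.3.2.4
/usr/lib/libxcb-xlib.so.0.0.0
/var/run/dbus/system_bus_socket
/tmp/ava
/usr/sbin/sshd'

# A few of the names quoted in the warning, one per line (assumed subset).
SUSP_NAMES='ava
xl
system
hydra'

# Substring match: a path is flagged when any name occurs anywhere in it.
# This is the behaviour the post complains about (grep treats each line of
# the pattern string as an alternative).
substring_hits() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -F -- "$SUSP_NAMES"
}

# Exact basename match: flag only when the final path component equals a
# suspicious name. The java, avahi and xlib libraries no longer match.
basename_hits() {
    printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r path; do
        name=${path##*/}
        if printf '%s\n' "$SUSP_NAMES" | grep -q -x -F -- "$name"; then
            printf '%s\n' "$path"
        fi
    done
}

count_lines() { grep -c ''; }   # portable line count without leading spaces

substring_count() { substring_hits | count_lines; }
basename_count()  { basename_hits | count_lines; }

echo "substring match flags $(substring_count) path(s):"
substring_hits
echo "basename match flags $(basename_count) path(s):"
basename_hits
```

On the sample above the substring rule flags six of the seven paths, the basename rule only the file actually named 'ava'.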

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
