On Tue, 2010-05-25 at 19:49 +0100, John Horne wrote:
> On Tue, 2010-05-25 at 09:34 -0700, Duane Loftus wrote:
> > OK, time for dumb questions.
> >
> > 1. John Horne says: It hasn't installed properly, try re-installing.
> > The INSTALLDIR option must exist for RKH to run.
> >
> > Is there any guidance on re-installing?
> >
> Yes, look in the README file that came with the rkhunter tarball (it
> says how to install it, and later on there is a section on removing it.)
>
> > Obviously, whatever I did to initially "install" wasn't very successful.
> >
> > - do I need to uninstall first? If so how.
> >
> I would suggest unpacking the tarball, probably in somewhere like /tmp.
> Then within the rkhunter directory (probably '/tmp/rkhunter-1.3.6') run
> the installer (as root) with the --remove option:
>
>     ./installer.sh --remove
>
> However, whether this works or not depends on how you installed
> rkhunter. If you let it default the installation directories, then the
> above will work.
>
> > - is there a decent guide to installing (given the file structure of
> > Red Hat Fedora Core 6).
> >
> No need. Rkhunter (RKH) tries to be LSB compliant. As such it will
> install things into suitable directories. For Fedora let the installer
> default where things are installed.
>
> So, to install just use:
>
>     ./installer.sh --install
>
> Once installed you can remove the /tmp/rkhunter-1.3.6 directory. I would
> then suggest running:
>
>     rkhunter --update --propupd
>
> This will update your data files - not sure if there are any updates
> though - and the '--propupd' option will populate the file of file
> properties used by RKH.
>
> As has been mentioned you may get warnings when running RKH that some
> applications are too old, and possibly a security risk. Since you are
> running FC6, you may want to do the following as well to disable the
> 'apps' test completely:
>
>     echo 'DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"' >/etc/rkhunter.conf.local
>
> (That should all be on one line.)
>
> > 2. Have I been successful in eliminating HTML from this email?
> >
> Yes.
>
> > 3. How do I reply and keep this in the thread. Helmut Hullen points
> > out that I was not, "Please keep the traffic in the mailing list - thank
> > you."
> >
> This is one of those problems that crops up on mailing lists every so
> often. It sometimes causes arguments :-( This mailing list does not
> include a 'Reply-To:' header. As such if you just hit 'reply' with your
> mail client, you will reply to the original sender of the message, not
> to the mailing list. Some mailing lists include the reply-to header,
> others do not. As has already been mentioned, some mail clients include
> a 'reply to list' option, so you could use that if available. For me, I
> hit 'reply to all', remove the original sender's address, and cut/paste
> the mailing list address in.
>
>
> John.
>
YEA! Ta Da ! WooHoo! The re-install worked!

I have done --propupd and --update and run the first scan after making some mods in the rkhunter.conf file. {Thank you all so very much.}

I am pretty sure I have a trojan or resident spoofer in there, especially on one of the domains that has bandwidth / traffic going thru the roof. It will take some time and effort to learn the logs and what I can do about them. I'll work at it.

Here is a section of my rkhunter.log. What should I be doing about the "warning" items?

[20:58:22] Performing trojan specific checks
[20:58:22] Info: Starting test name 'trojans'
[20:58:22]   Checking for enabled inetd services          [ Skipped ]
[20:58:22] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[20:58:23]
[20:58:23] Performing check for enabled xinetd services
[20:58:23] Info: Using xinetd configuration file '/etc/xinetd.conf'
[20:58:23]   Checking '/etc/xinetd.conf' for enabled services              [ None found ]
[20:58:23]   Found 'includedir /etc/xinetd.d' directive
[20:58:23]   Checking '/etc/xinetd.d/chargen-dgram' for enabled services   [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/chargen-stream' for enabled services  [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/daytime-dgram' for enabled services   [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/daytime-stream' for enabled services  [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/discard-dgram' for enabled services   [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/discard-stream' for enabled services  [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/echo-dgram' for enabled services      [ None found ]
[20:58:23]   Checking '/etc/xinetd.d/echo-stream' for enabled services     [ None found ]
[20:58:24]   Checking '/etc/xinetd.d/finger' for enabled services          [ None found ]
[20:58:24]   Checking '/etc/xinetd.d/ftp_psa' for enabled services         [ Warning ]
[20:58:24]   Checking '/etc/xinetd.d/ntalk' for enabled services           [ None found ]
[20:58:24]   Checking '/etc/xinetd.d/poppassd_psa' for enabled services    [ Warning ]
[20:58:25]   Checking '/etc/xinetd.d/rsync' for enabled services           [ None found ]
[20:58:25]   Checking '/etc/xinetd.d/smtp_psa' for enabled services        [ Warning ]
[20:58:25]   Checking '/etc/xinetd.d/smtps_psa' for enabled services       [ Warning ]
[20:58:25]   Checking '/etc/xinetd.d/submission_psa' for enabled services  [ Warning ]
[20:58:25]   Checking '/etc/xinetd.d/swat' for enabled services            [ None found ]
[20:58:25]   Checking '/etc/xinetd.d/talk' for enabled services            [ None found ]
[20:58:25]   Checking '/etc/xinetd.d/tcpmux-server' for enabled services   [ None found ]
[20:58:25]   Checking '/etc/xinetd.d/time-dgram' for enabled services      [ None found ]
[20:58:25]   Checking '/etc/xinetd.d/time-stream' for enabled services     [ None found ]
[20:58:26] Checking for enabled xinetd services                            [ Warning ]
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/submission_psa
[20:58:26] Checking for Apache backdoor                                    [ Not found ]
[20:58:26] ------------------------------------------------------------------------------

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
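To triage "Warning" lines in a log like the excerpt above, here is an added Python example (not part of the thread and not rkhunter's own code) that groups warnings by the test that produced them, extracts the xinetd service files rkhunter flagged, confirms from a service file's own "disable" setting whether it is really enabled, and emits XINETD_ALLOWED_SVC lines for rkhunter.conf only for services the admin has verified as expected. The log and xinetd file text it parses are constructed samples in the same format as the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the rkhunter.log format shown in the thread (not a real log)
SAMPLE_LOG = """\
[20:58:22] Info: Starting test name 'trojans'
[20:58:24]   Checking '/etc/xinetd.d/ftp_psa' for enabled services         [ Warning ]
[20:58:25]   Checking '/etc/xinetd.d/rsync' for enabled services           [ None found ]
[20:58:26] Checking for enabled xinetd services                            [ Warning ]
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[20:58:26] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[20:58:26] Checking for Apache backdoor                                    [ Not found ]
"""

TEST_START = re.compile(r"^\[[\d:]+\] Info: Starting test name '(\w+)'")
WARNING = re.compile(r"^\[[\d:]+\] Warning: (.*)$")
XINETD_SVC = re.compile(r"Found enabled xinetd service: (\S+)")


def warnings_by_test(log_text):
    """Group each 'Warning:' line under the rkhunter test that emitted it."""
    current, grouped = "unknown", defaultdict(list)
    for line in log_text.splitlines():
        start = TEST_START.match(line)
        if start:
            current = start.group(1)
            continue
        warn = WARNING.match(line)
        if warn:
            grouped[current].append(warn.group(1))
    return dict(grouped)


def enabled_xinetd_services(log_text):
    """Paths of the xinetd service files rkhunter reported as enabled."""
    found = []
    for msgs in warnings_by_test(log_text).values():
        for msg in msgs:
            m = XINETD_SVC.search(msg)
            if m:
                found.append(m.group(1))
    return found


def xinetd_file_enabled(service_file_text):
    """True unless the file sets 'disable = yes' (xinetd's default is enabled)."""
    m = re.search(r"^\s*disable\s*=\s*(\w+)", service_file_text, re.M | re.I)
    return not (m and m.group(1).lower() == "yes")


def allowlist_lines(paths, expected):
    """rkhunter.conf XINETD_ALLOWED_SVC lines, only for services verified as expected."""
    return ["XINETD_ALLOWED_SVC=%s" % p for p in paths if p in expected]
```

Services that are enabled but not expected should be disabled in their xinetd file (or removed) rather than whitelisted, so the warning keeps firing only for the genuinely unexplained ones.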