Hello, Duane,

You wrote on 25.05.10:

>>      ./installer.sh --remove


>>       ./installer.sh --install

> The re-install worked!  I have done --propupd and --update and run
> the first scan after making some mods in the rkhunter.conf file.

Fine!


> I am pretty sure I have a trojan or resident spoofer in there,
> especially on one of the domains that has bandwidth / traffic going
> thru the roof.

Maybe "rkhunter" cannot find every crap. It searches for some "well
known" cases, but the other test is whether a file has/was changed.

"propupd" produces a hash list of many files, and "rkhunter" compares  
the actual hash with the listed hash. If some rootkit has changed some  
critical file last week then the "propupd" run from yesterday stores the  
infected file "as good".

The best way in this case is reinstalling at least the "base" packages  
or (even better) reinstalling the complete system from CD.

Perhaps you know the tale of "Little Red Riding Hood" (you are using
RedHat, you should know the tale): the girl tries to examine the wolf,
but she fails.

Best regards!
Helmut

------------------------------------------------------------------------------

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
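
The baseline-timing problem described in the message above, as an added example that is not part of the original e-mail and is not rkhunter's own code. It is a simplified model: `snapshot` stands in for a `--propupd` run and `changed` for the file-properties check; the function names, file names and file contents are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Model of a property update: record the SHA-256 of every file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def changed(root: Path, baseline: dict[str, str]) -> list[str]:
    """Model of the property check: files added, removed or modified since baseline."""
    current = snapshot(root)
    names = sorted(set(current) | set(baseline))
    return [n for n in names if current.get(n) != baseline.get(n)]


def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for system binaries.
        (root / "ls").write_bytes(b"original ls\n")
        (root / "ps").write_bytes(b"original ps\n")

        trusted = snapshot(root)  # taken on a known-good system, stored off-host
        (root / "ps").write_bytes(b"modified ps\n")  # the change "last week"

        late = snapshot(root)  # baseline refreshed "yesterday", after the change
        after_refresh = changed(root, late)  # modified ps is now stored "as good"

        (root / "ls").write_bytes(b"modified ls\n")  # a later, second change
        return {
            "late_baseline_right_after_refresh": after_refresh,
            "late_baseline_after_second_change": changed(root, late),
            "trusted_baseline": changed(root, trusted),
        }


if __name__ == "__main__":
    for name, files in demo().items():
        print(f"{name}: {files}")
```

A baseline refreshed on a host that is already modified only reports changes made after the refresh; only a baseline taken from a known-good state reports both.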
