On Sun, 2010-07-11 at 07:10 +0200, Helmut Hullen wrote:
> Hello, Chris,
>
> You wrote on 10.07.10:
>
> > After upgrading to Mandriva 2010.1 yesterday I ran rkhunter --propupd
> > since I'm sure a lot of files were changed. I still got the usual
> > "please check your system as it may be infected" this morning after
> > the rkhunter cronjob was run. I got to looking at the log this
> > evening and noticed:
>
> > /usr/sbin/rkhunter [ Warning ]
> > Warning: The command '/usr/sbin/rkhunter' has been replaced and is
> > not a script: /usr/sbin/rkhunter: a /bin/sh script text executable
>
> Here (Slackware 13, rkhunter 1.3.6)
>
> which -a rkhunter
>
> only shows
>
> /usr/bin/rkhunter
>
> #
> ls -l $(which rkhunter)
>
> shows
>
> ... root root 425608 29. Nov 2009 /usr/bin/rkhunter
>
> #
>
> file $(which rkhunter)
>
> shows
>
> /usr/bin/rkhunter: POSIX shell script text executable
>
> Maybe the Mandriva package uses another path for "rkhunter": that's no
> problem.
>
> > Checking for string 'hdparm' [ Warning ]
>
> > Warning: Checking for possible rootkit strings [ Warning ]
> > Found string 'hdparm' in file '/etc/rc.d/init.d/bootlogd'. Possible
> > rootkit: Xzibit Rootkit
> > Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible
> > rootkit: Xzibit Rootkit
>
> That's perhaps a false alarm - using "hdparm" in these files is allowed.
>
> Best regards!
> Helmut
>

Morning Helmut, I show this for rkhunter's path:

# which rkhunter
/usr/sbin/rkhunter
root root 425606 2010-01-01 10:44 rkhunter*

--
Chris
KeyID 0xE372A7DA98E6705C
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
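
An added triage example for the "has been replaced and is not a script" warning quoted in the thread (not part of the original messages and not rkhunter's own code): it checks the file's "#!" line directly instead of trusting how file(1) words its output. The function names are hypothetical, and the strict matcher is an assumption that models a check which only recognises the "shell script text" wording Helmut's system prints.

```shell
#!/bin/sh
# Added example, not rkhunter code. The two file(1) wordings it is meant
# for are the ones quoted in the thread:
#   "POSIX shell script text executable"   (Slackware 13)
#   "a /bin/sh script text executable"     (Mandriva 2010.1)

# Print the interpreter named on the "#!" line, or nothing if there is none.
shebang_interpreter() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ] || return 0
    # Drop "#!", optional blanks, and any interpreter arguments.
    head -n 1 "$1" | sed -e 's/^#![[:space:]]*//' -e 's/[[:space:]].*$//'
}

# Assumption: a strict matcher that only knows the older file(1) wording.
strict_wording_match() {
    case "$1" in
        *"shell script text"*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage PATH FILE_OUTPUT  -> prints one verdict
# Typical call: triage /usr/sbin/rkhunter "$(file -b /usr/sbin/rkhunter)"
triage() {
    interp=$(shebang_interpreter "$1")
    if [ -z "$interp" ]; then
        # No "#!" line: the file really is not a script, treat the warning as real.
        echo "not-a-script"
    elif strict_wording_match "$2"; then
        echo "script"
    else
        # The file is a script, only the file(1) wording differs.
        echo "script-wording-mismatch:$interp"
    fi
}
```

A "script-wording-mismatch" verdict points at a changed file(1) description rather than a replaced command; comparing the file against the distribution's package database is still the check that confirms it is the shipped copy.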