John Horne wrote:
> On Wed, 2010-07-14 at 21:05 -0500, Mike McCarty wrote:
>> Robert Fields wrote:
>>> Does anyone know what would cause rkhunter to actually execute the
>>> commands for all the system binaries and scripts it checks?
>>>
>>> I had never seen this behavior before but a coworker showed it to me
>>> in the rkhunter.log file on a machine she admins.
>>>
>>> For example:
>>>
>>> [05:10:06] /sbin/lsmod                                      [Warning]
>>> [05:10:06] Warning: The file properties have changed:
>>> [05:10:06]               File: /sbin/lsmod
>>> [05:10:06]               Current hash: Module
>>> ipv6
>>> nf_conntrack_ipv4
>> These entries are warning you that the properties of the executable
>> file have changed in some way, not that it ran the program.
>>
> But the output certainly looks as if the program ran. The 'lsmod'
> command starts with a header line containing 'Module', and 'ipv6' and
> 'nf_conntrack_ipv4' are certainly module names.

Hmm. You are right, and That's Puzzling.

> What I would like to see is the rkhunter log file for this, or better
> still output from a run when the '--debug' was used.
> 
> I have looked through the code but cannot see how such output could be
> produced.

Weird. That would be interesting to see, indeed.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
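
An added example, not part of the original thread and not rkhunter's own code: a check that scans an rkhunter.log excerpt for "Current hash" values that are not a single hex digest, the symptom reported above. The continuation-line handling and the second log entry (`/sbin/example` and its digest) are assumptions constructed for illustration.

```python
import re

# Timestamped lines start a new log record; lines without a timestamp are
# treated as continuations of the previous field (assumption from the excerpt).
STAMP = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s*(.*)$")
FIELD = re.compile(r"^(File|Current hash):\s*(.*)$")
HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32,128}$")  # MD5 through SHA-512 lengths

def suspicious_hashes(log_text):
    """Return (file, value_lines) for each 'Current hash' that is not one hex digest."""
    findings, current_file, hash_lines = [], None, None

    def flush():
        nonlocal hash_lines
        if hash_lines is not None:
            if len(hash_lines) != 1 or not HEX_DIGEST.match(hash_lines[0]):
                findings.append((current_file, hash_lines))
        hash_lines = None

    for raw in log_text.splitlines():
        m = STAMP.match(raw)
        if not m:
            # Untimestamped line: command output that spilled into the hash field.
            if hash_lines is not None and raw.strip():
                hash_lines.append(raw.strip())
            continue
        flush()  # close the previous hash value before reading a new field
        f = FIELD.match(m.group(1).strip())
        if not f:
            continue
        if f.group(1) == "File":
            current_file = f.group(2)
        else:
            hash_lines = [f.group(2)]
    flush()
    return findings

# Constructed sample: first entry mirrors the excerpt quoted in the thread,
# second entry is a made-up well-formed record for contrast.
SAMPLE = """\
[05:10:06] /sbin/lsmod                                      [Warning]
[05:10:06] Warning: The file properties have changed:
[05:10:06]               File: /sbin/lsmod
[05:10:06]               Current hash: Module
ipv6
nf_conntrack_ipv4
[05:10:07]               File: /sbin/example
[05:10:07]               Current hash: 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for path, value in suspicious_hashes(SAMPLE):
        print(f"{path}: hash field is not a digest: {value!r}")
```
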

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
