John Horne wrote: > On Wed, 2010-07-14 at 21:05 -0500, Mike McCarty wrote: >> Robert Fields wrote: >>> Does anyone know what would cause rkhunter to actually execute the >>> commands for all the system binaries and scripts it checks? >>> >>> I had never seen this behavior before but a coworker showed it to me >>> in the rkhunter.log file on a machine she admins. >>> >>> For example: >>> >>> [05:10:06] /sbin/lsmod [Warning] >>> [05:10:06] Warning: The file properties have changed: >>> [05:10:06] File: /sbin/lsmod >>> [05:10:06] Current hash: Module >>> ipv6 >>> nf_conntrack_ipv4 >> These entries are warning you that the properties of the executable >> file have changed in some way, not that it ran the program. >> > But the output certainly looks as if the program ran. The 'lsmod' > command starts with a header line containing 'Module', and 'ipv6' and > 'nf_conntrack_ipv4' are certainly module names.
Hmm. You are right, and That's Puzzling. > What I would like to see is the rkhunter log file for this, or better > still output from a run when the '--debug' was used. > > I have looked through the code but cannot see how such output could be > produced. Weird. That would be interesting to see, indeed. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} Oppose globalization and One World Governments like the UN. This message made from 100% recycled bits. You have found the bank of Larn. I speak only for myself, and I am unanimous in that! ------------------------------------------------------------------------------ This SF.net email is sponsored by Sprint What will you do first with EVO, the first 4G phone? Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users