Subject: proposal of inclusion of my own scan into rkhunter

Hello,

I am the sysadmin of about 50 Linux machines,
and have had a few infections lately.

rkhunter did make sure there was no known rootkit there,
so that was nice to know.
Still, it was running the malware all the while from somewhere.

There was no stuff in /tmp and /var/tmp, where people like
to stash their malware, either.
However, by checking ps, lsof and netstat, I found an infection
in the directory [/dev/shm/  /fs], so a subdirectory with spaces in its name in tmpfs.

rkhunter does not check in /tmp, /var/tmp and /dev/shm for
malware, so I would like to contribute to rkhunter to include
this.

This is the code, in bash style:
# Flag executable regular files in the world-writable scratch directories;
# any known-good file is whitelisted by filtering it out with grep -v.
for ckitem in /tmp /var/tmp /dev/shm ; do
   # "$ckitem" quoted; -perm /111 catches any execute bit, not only the owner's
   find "$ckitem" -type f -perm /111 -ls 2>/dev/null | grep -v monitrc.chk
done

So the code above assumes there should be no executables in the
directories /tmp, /var/tmp and /dev/shm;
it can whitelist any known-good executables via the grep -v.

If you find it useful to include, please include my name in
the credits: "Michael van Gruijthuijsen".

:)

Thank you,

Michael
sysadmin
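The check proposed above, written out as an added example that is neither rkhunter's own code nor the code from the message: it walks the scratch directories with find, treats any execute bit as suspicious, compares each hit against a whitelist of exact full paths (so a file named monitrc.chk.sh is not hidden the way a substring grep -v would hide it), and keeps paths with spaces such as the reported "  /fs" subdirectory intact because the comparison runs inside find's own -exec rather than in a word-splitting shell loop. The TMP_EXEC_WHITELIST variable, its colon-separated format, the default entry and the function names are assumptions made for this example; it assumes a find that understands -perm /mode (GNU or BusyBox).

```shell
#!/bin/sh
# Added example, not rkhunter's own code: report executable regular files under
# the world-writable scratch directories, skipping an exact-path whitelist.
# Assumes a find that supports -perm /mode (any execute bit set).

# Colon-separated list of full paths allowed to be executable (assumed default).
TMP_EXEC_WHITELIST="${TMP_EXEC_WHITELIST:-/tmp/monitrc.chk}"

# find_tmp_execs DIR...  -- print one suspicious path per line.
# The whitelist comparison runs inside find's -exec, so file names containing
# spaces (e.g. the "  /fs" subdirectory from the report) are never split by
# a shell loop, and the match is on the whole path, not a grep -v substring.
find_tmp_execs() {
    TMP_EXEC_WHITELIST="$TMP_EXEC_WHITELIST" \
    find "$@" -xdev -type f -perm /111 -exec sh -c '
        for f do
            list="$TMP_EXEC_WHITELIST:"; ok=0
            while [ -n "$list" ]; do            # walk the colon-separated list
                e=${list%%:*}; list=${list#*:}
                [ "$f" = "$e" ] && ok=1         # exact full-path comparison
            done
            [ "$ok" -eq 1 ] || printf "%s\n" "$f"
        done' sh {} + 2>/dev/null
}

# check_tmp_execs DIR... -- print a warning plus ls -ld for every hit;
# returns 1 if anything was found, 0 if the directories are clean.
check_tmp_execs() {
    hits=$(find_tmp_execs "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf 'Warning: executable file in scratch directory: '
        ls -ld -- "$f"
    done
    return 1
}

# Example invocation (the directories named in the message):
#   check_tmp_execs /tmp /var/tmp /dev/shm
```

Because the whitelist is matched on the full path, a whitelisted name in one directory does not silence the same name elsewhere, and -xdev keeps the walk from crossing into another filesystem mounted below a scratch directory. Files whose names contain a newline are still reported correctly by find_tmp_execs, but the line-oriented ls -ld loop in check_tmp_execs will print them as two entries; treat find_tmp_execs as the record of what was found.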
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users