On Mon, 2010-11-29 at 12:10 +0100, Florian Barth wrote:
> Hello,
>
> my question follows from a security issue. A machine was attacked
> and /bin/ping was substituted. Why did rkhunter not recognize this
> substitution? It seems to me that /bin/ping is never checked whether
> it was substituted or not. What is the reason for this behavior? From
> my point of view it is important to check all files where the
> SUID bit is set.
>
Originally only commands which were known to have been used in attacks were checked. We have expanded this a bit, but it does not check all commands and does not search for SUID commands.
Since RKH can be quite slow checking a lot of commands, I would suggest using something actually designed for this purpose such as Aide, Tripwire or Samhain (if I remember correctly). If you really want RKH to monitor it then use the USER_FILEPROP_FILES_DIR option.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
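The gap the thread describes is a file-property baseline over every set-uid executable, which rkhunter only does for its built-in command list or for paths you add via USER_FILEPROP_FILES_DIR, and which AIDE, Tripwire and Samhain do as their main job. The script below is an added example, not code from rkhunter or from either poster: it records a SHA-256 baseline of all SUID files under the given directories and later reports replaced, removed and newly added SUID files. It assumes GNU coreutils (sha256sum, join, mktemp) and paths without whitespace; the demo at the end runs on a constructed temporary tree, not on real system binaries.

```shell
#!/bin/sh
# Added example (not from rkhunter or this thread): baseline and verify the
# set of SUID executables, the check that would have caught the swapped
# /bin/ping. Assumes GNU coreutils and paths without whitespace.

# suid_baseline DIR...  -> one "<sha256>  <path>" line per regular file
# with the set-uid bit under DIR..., sorted by path so baselines diff cleanly.
suid_baseline() {
    find "$@" -type f -perm -4000 -exec sha256sum {} + 2>/dev/null \
        | sort -k2,2
}

# suid_verify BASELINE DIR...  -> prints one line per difference:
#   MODIFIED <path>  hash changed (binary replaced or patched)
#   MISSING  <path>  in the baseline but now absent or no longer SUID
#   NEW      <path>  SUID now but not in the baseline
# Exit status 0 when nothing changed, 1 otherwise.
suid_verify() {
    baseline=$1; shift
    tmp=$(mktemp -d)
    # Rewrite both lists as "<path> <hash>", keyed on path, for join(1).
    awk '{print $2, $1}' "$baseline" | sort -k1,1 > "$tmp/base"
    suid_baseline "$@" | awk '{print $2, $1}' | sort -k1,1 > "$tmp/cur"
    {
        join -v1 "$tmp/base" "$tmp/cur" | awk '{print "MISSING", $1}'
        join -v2 "$tmp/base" "$tmp/cur" | awk '{print "NEW", $1}'
        join "$tmp/base" "$tmp/cur" | awk '$2 != $3 {print "MODIFIED", $1}'
    } > "$tmp/report"
    cat "$tmp/report"
    changes=$(wc -l < "$tmp/report" | tr -d ' ')
    rm -rf "$tmp"
    [ "$changes" -eq 0 ]
}

# Demonstration on a constructed directory tree; no real binaries involved.
suid_demo() {
    root=$(mktemp -d)
    printf 'ping-v1\n' > "$root/ping"; chmod u+s "$root/ping"
    printf 'su-v1\n'   > "$root/su";   chmod u+s "$root/su"
    printf 'plain\n'   > "$root/ls"                 # not SUID, so ignored
    suid_baseline "$root" > "$root/baseline.sha256"
    printf 'replaced\n' > "$root/ping"              # simulate the swapped binary
    suid_verify "$root/baseline.sha256" "$root" || echo "changes detected"
    rm -rf "$root"
}

suid_demo
```

Run `suid_baseline /bin /sbin /usr/bin /usr/sbin > /var/lib/suid.sha256` once from a known-good state, keep that file somewhere the host cannot alter it (read-only media or a remote copy), and schedule `suid_verify` against it; the path list it produces is also a reasonable starting point for the files you list under USER_FILEPROP_FILES_DIR if you want rkhunter to track them too.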