On Monday 29 November 2010 5:01:04 pm John Horne wrote:
> On Mon, 2010-11-29 at 11:26 -0800, Al Varnell wrote:
> > On 11/29/10 9:12 AM, "Dimitri Yioulos" <dyiou...@firstbhph.com> wrote:
> > > Greetz, all.
> > >
> > > I'm in the process of upgrading RKH from
> > > version 1.3.6 to 1.3.8 via RPM from Dag
> > > repository. Everything has gone fine, but I
> > > note a couple of "changes" regarding
> > > "Performing checks on network ports". 
> > > Specifically "Checking for backdoor ports"
> > > simply returns "None found", rather than
> > > listing each port individually.  I actually
> > > preferred to see the ports listed
> > > individually.
> >
> > Ports checked are listed in rkhunter.log
>
> That is correct.
>
> The previous output from the test was not in
> accordance with the general output of RKH
> tests. For example, why are not all the strings
> checked in the 'strings' test displayed, why
> are not all the files and directories checked
> by the 'rootkits' test displayed and so on?
> Basically the output would be too verbose, and
> generally not informative. Users (admins)
> generally only want to know when something is
> found/not found/wrong, not when things are
> okay. So the 'ports' test output was modified
> just to show the overall result. The actual
> ports checked are logged.
>
> The only exceptions to the above are the file
> properties check, which will list all the files
> checked, the rootkits check, which will list
> the rootkits searched for, and the apps test
> which will list the apps being checked. For all
> the other tests, a summary result is shown.
>
> > > And, "Checking for hidden ports"
> > > returns "Skipped". Is there a way to
> > > enable seeing the ports individually, and not
> > > have the hidden ports directive skipped?
> > > Apologies if this has already been
> > > answered; I haven't found any posts
> > > relating to it.
> >
> > It is disabled by default, but I'm not sure
> > why.  You may be able to enable it with "sudo
> > rkhunter --enable hidden_ports" but in my
> > case that gave me: "Info: Unable to find the
> > 'unhide-tcp' command"
>
> Exactly. If your system doesn't have the
> unhide-tcp command then the check cannot run.
> It is disabled by default because most people
> won't have that command installed. If they do,
> then they can modify the list of enabled tests
> in the config file.
>
> John.
>
> --
> John Horne, University of Plymouth, UK
> Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
>

Al and John,

Thank you both for your responses.  Learned a lot.  

Even though it may be in some documentation (yes, 
I should RTFM :-) ), or was in a previous post, I  
learned that installing unhide (which I did on 
all of my machines, as it's not a performance 
quasher) allows the hidden ports check to work.  
Also, seeing output of the backdoor ports check 
is obviously a personal preference.  What I've 
found is that RKH seems to pause a bit as it runs 
that check and writes to rkhunter.log, but no 
more or less than if the ports checked were 
actually output to stdout.  Oh, well.

Once again, my gratitude for your help.

Dimitri

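The two practical points in the thread (the hidden_ports test needs the external unhide-tcp command before it can run, and the individual backdoor ports are written to rkhunter.log rather than stdout) can be turned into a small pre-flight script. The following is an added example, not code from the thread or from the rkhunter project; it assumes `rkhunter --check` and `rkhunter --enable hidden_ports` as used in the thread, and the per-port log lines it parses are a constructed approximation of rkhunter.log, not an exact copy of any version's format.

```shell
#!/bin/sh
# Added example (not from the rkhunter project): pre-flight checks around the
# hidden_ports test and recovery of per-port detail from rkhunter.log.

# Print the path of unhide-tcp and return 0 when it is on PATH; return 1
# otherwise, which is the situation in which rkhunter reports
# "Unable to find the 'unhide-tcp' command" and skips the test.
hidden_ports_prereq() {
    cmd=$(command -v unhide-tcp 2>/dev/null) || return 1
    printf '%s\n' "$cmd"
}

# Print the rkhunter invocation suited to this host: enable hidden_ports only
# when its prerequisite exists. Nothing is executed here; the caller decides
# whether to run the printed command (normally as root).
rkhunter_cmdline() {
    if hidden_ports_prereq >/dev/null; then
        printf 'rkhunter --check --enable hidden_ports\n'
    else
        printf 'rkhunter --check\n'
    fi
}

# Constructed sample of per-port lines as an rkhunter run might log them.
# This is an approximation for the example only, not a verbatim log excerpt.
SAMPLE_LOG='[10:00:01]   Checking for TCP port 1524                   [ Not found ]
[10:00:01]   Checking for UDP port 2001                   [ Not found ]
[10:00:01] Performing checks on the network ports
[10:00:02]   Checking for backdoor ports                  [ None found ]'

# Read log lines on stdin and print "PROTO PORT" for each individual port
# check, giving back the per-port listing that the stdout summary omits.
ports_checked_from_log() {
    grep -E 'Checking for (TCP|UDP) port [0-9]+' \
      | sed -E 's/.*Checking for (TCP|UDP) port ([0-9]+).*/\1 \2/'
}

# Usage, e.g. after `. ./rkh_ports.sh` (hypothetical file name):
#   rkhunter_cmdline
#   printf '%s\n' "$SAMPLE_LOG" | ports_checked_from_log
#   ports_checked_from_log < /var/log/rkhunter.log
```

The persistent equivalent of `--enable hidden_ports` is the ENABLE_TESTS/DISABLE_TESTS setting in rkhunter.conf, which is the "list of enabled tests in the config file" John refers to; the script deliberately only prints the command line, so the prerequisite check can be dropped into a cron wrapper without changing what actually runs.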


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users