Hi, running 1.3.6 on Linux.
I saw this today:

    Warning: Checking running processes for suspicious files        [ Warning ]
    Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write, Phantasmagoria.o, lkt.o, nlkt.o
             Check the output of the lsof command 'lsof -F n -w -n'

    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)

I checked the system within about an hour of the warning but could not find anything. It seems that this could be a false positive. The link below suggests more people than me are seeing this.

http://keith.chaos-realm.net/archives/217-rkhunter-false-positive.html

I wonder if it would be useful to try to provide more information when the warning is triggered; for example the name of the process, its pid or the uid it is running under. Another call to lsof, with different arguments (not sure what to suggest) in the else clause of the 'if [ -z "${FILENAME}" ]' might be sufficient and useful.

Cheers
Vince

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
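
An added example (not part of the original message and not rkhunter code) of the extra detail asked for above: it parses `lsof -F pcun -w -n` field output and prints the pid, uid and command that hold each matching file open. The function names, the name subset, the sample input and the rule that a match means the last path component equals a listed name are all assumptions made for illustration.

```shell
# Added example, not rkhunter code: attribute suspicious-name matches to a process.
# Input: output of `lsof -F pcun -w -n` (fields: p=pid, c=command, u=uid, n=name).

# Subset of the names from the warning; pass the full list in practice.
SUSPECT_NAMES="backdoor adore.o hydra system crontab write psybnc mech xl"

# Assumption: a match means the last path component equals a listed name.
report_suspect_open_files() {
    awk -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            tag = substr($0, 1, 1); val = substr($0, 2)
            if (tag == "p") { pid = val; cmd = "?"; uid = "?" }   # new process set
            else if (tag == "c") cmd = val
            else if (tag == "u") uid = val
            else if (tag == "n" && substr(val, 1, 1) == "/") {    # real paths only
                base = val
                sub(/.*\//, "", base)                             # keep basename
                if (base in want) printf "pid=%s uid=%s cmd=%s file=%s\n", pid, uid, cmd, val
            }
        }'
}

# Constructed sample of lsof field output (not from a real system).
sample_lsof_output() {
    cat <<'EOF'
p812
ccrontab
u1000
f3
n/tmp/crontab.AbCdEf/crontab
p2301
cwrite
u1000
ftxt
n/usr/bin/write
p2310
cvim
u1000
f4
n/home/vince/notes/system.txt
EOF
}

sample_lsof_output | report_suspect_open_files "$SUSPECT_NAMES"
# Live use: lsof -F pcun -w -n | report_suspect_open_files "$SUSPECT_NAMES"
```

On the constructed sample the two reported lines are ordinary programs whose file names happen to be on the list, which is the detail needed to triage a hit long after the process has exited.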