On Thursday 28 July 2011 5:16:47 pm John Horne wrote:
> On Thu, 2011-07-28 at 11:11 -0400, Dimitri Yioulos wrote:
> > I understand perfectly that rkhunter depends on unhide to find hidden
> > network ports, and I have no reason to believe that unhide doesn't work
> > as advertised. I did update to the latest version, btw, but it still
> > returns the same information.
> >
> > ANY assistance you or anyone can give me to try and resolve this would
> > be greatly appreciated.
>
> It may be overkill but you could try running unhide via strace to see
> what is going on. Something like:
>
>     strace -f unhide sys
>
> You may well want to capture all the output into a file. Use the 'unhide'
> command rather than 'unhide-tcp' as 'unhide-tcp' does not look for the
> program name associated with a found PID.
>
> Of course you could also try running strace on one of the found PIDs. Eg:
>
>     strace -p 900
>
> John.
>
> --
> John Horne, University of Plymouth, UK
> Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
John and Yago,

Aha! John, I ran "strace -o traceout.txt -f unhide sys". It wasn't the output to the file that gave me the clue as to what was causing the issue but, rather, the limited output that occurred to stdout. It suggested that there were hidden PIDs related to Java, e.g.:

    Found HIDDEN PID: 2446 Command: /usr/java/jdk1.5.0_11/bin/java

Now, we do have a couple of Java-based applications running on this machine (yes, the JDK is older, but we don't necessarily want to tinker with, or upgrade it, as at least one app which relies on it is older, and does work well). I stopped each, in turn, and found that the hidden port went away when a particular program was stopped. Interestingly enough, though, the hidden port hasn't reappeared since we started, and used, the app. That would suggest, as per Yago ("sometimes when a program release(s) a socket because its ends, the kernel doesn't release the port"), that there may be a bug somewhere. We could live with that, as long as we can whitelist the port or app. I know that it's possible in rkhunter. We'll see what happens going forward. I'll update with further information, if warranted.

Thank you both very much for your help and insights.

Dimitri
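As an added example (not code from this thread, nor from the unhide or rkhunter projects), here is a small Python triage script for the kind of output Dimitri captured. It parses the "Found HIDDEN PID: <pid> Command: <path>" lines unhide printed, then separates hits whose command lives under an application path the administrator has already vetted (the whitelisting idea raised above) from hits that still need investigation. The one-line report format is taken exactly as the thread shows it; the banner line, the extra PIDs, the non-Java path and the allowlist itself are constructed sample data.

```python
"""Triage helper for unhide 'Found HIDDEN PID' reports (added example).

Reads a saved unhide run (e.g. the stdout of `strace -o trace.txt -f unhide sys`,
or simply `unhide sys > unhide.txt`), extracts every hidden PID and its command,
and sorts the hits into ones belonging to an already-vetted application path
and ones that still warrant a look (strace -p, ls -l /proc/<pid>/exe, ...).
"""
import re
import sys
from typing import Dict, Iterable, List, NamedTuple

# One report line as quoted in the thread:
#   Found HIDDEN PID: 2446 Command: /usr/java/jdk1.5.0_11/bin/java
# Whitespace between the fields is matched loosely; the command may be empty.
HIDDEN_RE = re.compile(r"Found HIDDEN PID:\s*(\d+)\s+Command:\s*(.*?)\s*$")


class HiddenPid(NamedTuple):
    pid: int
    command: str


def parse_unhide(output: str) -> List[HiddenPid]:
    """Return (pid, command) for every report line; banner/progress lines are skipped."""
    hits: List[HiddenPid] = []
    for line in output.splitlines():
        match = HIDDEN_RE.search(line)
        if match:
            hits.append(HiddenPid(int(match.group(1)), match.group(2)))
    return hits


def triage(hits: Iterable[HiddenPid],
           allowed_prefixes: Iterable[str]) -> Dict[str, List[HiddenPid]]:
    """Split hits into 'vetted' and 'investigate'.

    A hit is vetted only when its command is non-empty and starts with one of the
    allowlisted path prefixes. A missing command is treated as suspicious: unhide
    could not read the process's command line, so nothing vouches for it.
    """
    prefixes = tuple(allowed_prefixes)
    result: Dict[str, List[HiddenPid]] = {"vetted": [], "investigate": []}
    for hit in hits:
        if hit.command and hit.command.startswith(prefixes):
            result["vetted"].append(hit)
        else:
            result["investigate"].append(hit)
    return result


# Constructed sample modelled on the thread: the first line stands in for unhide's
# banner, 2446 is the PID quoted above, the rest are made up for illustration.
SAMPLE_OUTPUT = """\
[*] Searching for hidden processes (constructed banner line)
Found HIDDEN PID: 2446 Command: /usr/java/jdk1.5.0_11/bin/java
Found HIDDEN PID: 2447  Command: /usr/java/jdk1.5.0_11/bin/java
Found HIDDEN PID: 31337 Command: /var/tmp/unknown_binary
Found HIDDEN PID: 4096 Command:
"""

# Constructed allowlist: the JDK path from the thread is the vetted application.
ALLOWED_PREFIXES = ["/usr/java/jdk1.5.0_11/bin/java"]


def main(argv: List[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_OUTPUT
    buckets = triage(parse_unhide(text), ALLOWED_PREFIXES)
    for label, hits in buckets.items():
        print(f"{label}: {len(hits)}")
        for hit in hits:
            print(f"  pid {hit.pid:<6} {hit.command or '<no command>'}")
    # Non-zero exit when anything is left to investigate, so it can gate a cron job.
    return 1 if buckets["investigate"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample triaged, or pass the path of a saved unhide run as the first argument. The allowlist is a prefix match on the command path, which mirrors the "whitelist the app" approach rather than whitelisting a port number, since the port that was stuck in the thread could just as well be reused by something else later.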