On 23/03/12 18:47, Berni Elbourn wrote:
> On 22/03/12 10:47, John Horne wrote:
>> On Thu, 2012-03-22 at 09:32 +0000, Berni Elbourn wrote:
>>
>>>
>>> Warning: Checking running processes for suspicious files [ Warning ]
>>> Warning: One or more of these files were found: backdoor, adore.o, 
>>> mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o,
>>> cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, 
>>> vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp,
>>> rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc, 
>>> mech, httpd.bin, mh, xl, write,
>>> Phantasmagoria.o, lkt.o, nlkt.o
>>>             Check the output of the lsof command 'lsof -F n -w -n'
>>>
>> I suspect you are running an old version of rkhunter. The latest version
>> simply shows the specific file causing the problem:
>>
>>      Warning: The following processes are using suspicious files:
>>              Command: crontab
>>                UID: 0    PID: 19336
>>                Pathname: /usr/bin/crontab
>>                Possible Rootkit: Unknown rootkit
>>
>>
>>
>> John.
>>
> Its the version from Debian squeeze.
>

The version in squeeze-backports (1.3.8) gives:

Warning: The following processes are using suspicious files:
          Command: crontab
            UID: 1000    PID: 5385
            Pathname: /usr/bin/crontab
            Possible Rootkit: Unknown rootkit

Result!


-- 
"Confidence is what you have before you understand a problem" - Woody Allen

------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users

Reply via email to