On 23/03/12 18:47, Berni Elbourn wrote:
> On 22/03/12 10:47, John Horne wrote:
>> On Thu, 2012-03-22 at 09:32 +0000, Berni Elbourn wrote:
>>
>>>
>>> Warning: Checking running processes for suspicious files [ Warning ]
>>> Warning: One or more of these files were found: backdoor, adore.o,
>>> mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o,
>>> cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm,
>>> vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp,
>>> rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc,
>>> mech, httpd.bin, mh, xl, write,
>>> Phantasmagoria.o, lkt.o, nlkt.o
>>> Check the output of the lsof command 'lsof -F n -w -n'
>>>
>> I suspect you are running an old version of rkhunter. The latest version
>> simply shows the specific file causing the problem:
>>
>> Warning: The following processes are using suspicious files:
>> Command: crontab
>> UID: 0 PID: 19336
>> Pathname: /usr/bin/crontab
>> Possible Rootkit: Unknown rootkit
>>
>>
>>
>> John.
>>
> It's the version from Debian squeeze.
>
The version in squeeze-backports (1.3.8) gives:

Warning: The following processes are using suspicious files:
Command: crontab
UID: 1000 PID: 5385
Pathname: /usr/bin/crontab
Possible Rootkit: Unknown rootkit

Result!

-- 
"Confidence is what you have before you understand a problem" - Woody Allen

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users