On 23/03/12 18:47, Berni Elbourn wrote:
> On 22/03/12 10:47, John Horne wrote:
>> On Thu, 2012-03-22 at 09:32 +0000, Berni Elbourn wrote:
>>
>>>
>>> Warning: Checking running processes for suspicious files [ Warning ]
>>> Warning: One or more of these files were found: backdoor, adore.o,
>>> mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o,
>>> cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm,
>>> vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp,
>>> rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc,
>>> mech, httpd.bin, mh, xl, write,
>>> Phantasmagoria.o, lkt.o, nlkt.o
>>> Check the output of the lsof command 'lsof -F n -w -n'
>>>
>> I suspect you are running an old version of rkhunter. The latest version
>> simply shows the specific file causing the problem:
>>
>> Warning: The following processes are using suspicious files:
>> Command: crontab
>> UID: 0 PID: 19336
>> Pathname: /usr/bin/crontab
>> Possible Rootkit: Unknown rootkit
>>
>>
>>
>> John.
>>
> Its the version from Debian squeeze.
>
The version in squeeze-backports (1.3.8) gives:
Warning: The following processes are using suspicious files:
Command: crontab
UID: 1000 PID: 5385
Pathname: /usr/bin/crontab
Possible Rootkit: Unknown rootkit
Result!
--
"Confidence is what you have before you understand a problem" - Woody Allen
------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
