hi,

after a bit of debugging the script stops here

${LSOF_CMD} -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort | uniq >${RKHLSOF_FILE}

and then nothing happens anymore

debug output is

RKHLSOF_FILE=/var/lib/rkhunter/tmp/lsofprocs.out.XiRMO9S1no
+ /usr/bin/lsof -wnlP +c 0
+ egrep -vO|V?DIR|IPv[46])
sort
+ uniq

anyone an idea why it stops here?
txs

On 02/13/2013 02:30 PM, Bendtsen, Jon wrote:
On 13/02/2013, at 14.17, W Forum W <wfor...@gmail.com> wrote:

txs

the last part I get with
trace -p PID

stat64("/usr/local/sbin/uniq", 0xbfd81c70) = -1 ENOENT (No such file or directory)
stat64("/usr/local/bin/uniq", 0xbfd81c70) = -1 ENOENT (No such file or directory)
stat64("/usr/sbin/uniq", 0xbfd81c70)    = -1 ENOENT (No such file or directory)
stat64("/usr/bin/uniq", {st_mode=S_IFREG|0755, st_size=30592, ...}) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7620938) = 5921
close(3)                                = 0
close(-1)                               = -1 EBADF (Bad file descriptor)
wait4(-1,

and then it's waiting forever, no idea why

Thanks for including a few lines above the "Bad file descriptor".

As you can see it looks for the uniq program. So I suggest that you read up on what a
"Bad file descriptor" means and look in the rkhunter script, probably
/usr/bin/rkhunter, and see if you can read up on what it is supposed to do right after
looking for uniq. Maybe you can spot the problem.

My version of rkhunter is 1.4.0-1 from Debian Wheezy, and as far as I know,
rkhunter was changed significantly between 1.3.x and 1.4.0, it actually lost a
feature that I used to use all the time, namely the -r ROOTDIR= option, which I
used to scan all the backups of my servers from a secured backup server.
Occasionally I also used to boot up from a Linux rescue CD and run rkhunter on
the servers. Therefore I do not think it helps you much that I look in my
1.4.0-1 version how it uses uniq.




JonB