On Wed, 2013-02-13 at 23:08 +0100, Wim De Geeter wrote:
> txs
> I tried it but it does nothing, the file 
> /var/lib/rkhunter/tmp/lsofprocs.out.XiRMO9S1no
> is empty and the script waits
> I have no clue what it could be
> anyone an idea, I am out of ideas
> many thanks
> 
> On 02/13/2013 07:12 PM, John Horne wrote: 
> > On Wed, 2013-02-13 at 16:41 +0100, W Forum W wrote:
> > > hi,
> > > 
> > > after a bit of debugging the script stops here
> > > 
> > > ${LSOF_CMD} -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort | uniq >${RKHLSOF_FILE}
> > > 
> > > and then nothing happens anymore
> > > 
> > > debug output is
> > > 
> > > RKHLSOF_FILE=/var/lib/rkhunter/tmp/lsofprocs.out.XiRMO9S1no
> > > + /usr/bin/lsof -wnlP +c 0
> > > + egrep -vO|V?DIR|IPv[46]) 
> > > sort
> > > + uniq
> > > 
> > > anyone an idea why it stops here?
> > > 
> > Hello,
> > 
> > Try running the commands separately from a console to see what happens.
> > 
Okay, maybe you didn't understand what I meant.

From a console, as root, run:

    /usr/bin/lsof -wnlP +c 0

If that produces output, then run:

    /usr/bin/lsof -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) '

If that produces output, then run:

    /usr/bin/lsof -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort

If that produces output, then run:

    /usr/bin/lsof -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort | uniq

Somewhere along the line the system should 'hang'. That will then
indicate where the problem lies. If the above all works fine, then try
running the last line again with the output redirected to a file (say
in /tmp).

To be honest the only command above that I would have thought might
cause a problem would be the 'lsof' command. However, it is possible
that lsof is producing a lot of output, and so the pipeline is taking a
time to complete (with all the grepping and sorting going on).

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
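
The stage-by-stage procedure from the message above can be scripted so that a stalled stage is reported instead of blocking the console. This is an added example, not part of the original message and not rkhunter code; the function name `probe_pipeline`, the time limit and the `run` argument are assumptions, and it relies on GNU coreutils `timeout`.

```shell
#!/bin/sh
# Added example (not rkhunter code): run each cumulative prefix of a pipeline
# under a time limit and report the first stage that does not complete.
# Assumes GNU coreutils `timeout`, which exits with status 124 on expiry.

# probe_pipeline LIMIT_SECONDS STAGE...
# Progress goes to stderr. Prints the 1-based index of the first stage that
# timed out to stdout (0 if every prefix completed) and returns 1 on a hang.
probe_pipeline() {
    limit=$1
    shift
    pipeline=""
    n=0
    for stage in "$@"; do
        n=$((n + 1))
        if [ -z "$pipeline" ]; then
            pipeline=$stage
        else
            pipeline="$pipeline | $stage"
        fi
        out=$(mktemp) || return 2
        rc=0
        # Output goes to a file, as rkhunter does with RKHLSOF_FILE.
        timeout "$limit" sh -c "$pipeline" >"$out" 2>&1 || rc=$?
        lines=$(wc -l <"$out")
        rm -f "$out"
        if [ "$rc" -eq 124 ]; then
            echo "stage $n: not finished after ${limit}s: $stage" >&2
            echo "$n"
            return 1
        fi
        echo "stage $n: exit $rc, $lines lines of output: $stage" >&2
    done
    echo 0
}

# The pipeline from this thread; only runs when the script is called with "run".
if [ "${1:-}" = "run" ]; then
    probe_pipeline 120 \
        "/usr/bin/lsof -wnlP +c 0 2>&1" \
        "egrep -v ' (FIFO|V?DIR|IPv[46]) '" \
        "sort" \
        "uniq"
fi
```

A stage reported as not finished is only slower than the limit; rerun with a larger limit to tell a slow lsof apart from one that never returns.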
