Hi

I am running 1.3.8 on Debian Squeeze and have a question about how the
'running_procs' is done.

I am getting complaints from rkhunter like this:

[11:13:23] Info: Starting test name 'running_procs'
[11:13:23]   Checking running processes for suspicious files [ Warning ]
[11:13:23] Warning: The following processes are using suspicious files:
[11:13:23]          Command: Thunar
[11:13:23]            UID: 73818    PID: 14163
[11:13:23]            Pathname: .vnc/hydra
[11:13:24]            Possible Rootkit: THC-Hydra (password capture)

The lsof output it is looking at (from perusing /usr/bin/rkhunter)
looks like this:
% sudo lsof -wnlP +c 0 -p 14163
COMMAND   PID     USER   FD   TYPE             DEVICE SIZE/OFF   NODE NAME
Thunar  14163    73818  cwd    DIR               0,35       20  12967 lib/linux64
...
Thunar  14163    73818    0r   CHR                1,3      0t0    940 /dev/null
Thunar  14163    73818    1w   REG               0,35     9071  17410 .vnc/hydra
Thunar  14163    73818    2w   REG               0,35     9071  17410 .vnc/hydra
Thunar  14163    73818    3u  unix 0xffff880c72ce8c00      0t0  76496 socket

This is part of a vnc session running xfce4 (Thunar is the file
manager thingie for xfce4).
Other processes that are part of the session are listed by
'running_procs' as well.

The problem is a combination of issues:
 - the host is named 'hydra'
 - the path given by lsof is relative (and does not actually exist, see below)
 - RTKT_FILE_WHITELIST does not accept relative pathnames (rkhunter
--check exits, complaining bitterly about being unable to find the
file) so I can't whitelist the file.

The vnc session creates files like .vnc/hydra:1.log, .vnc/hydra:1.pid, etc
but there is no file with the exact name .vnc/hydra, as far as I can tell.
I experimented with ALLOWPROCDELFILE but that did not help.

I had a quick search of the list but could not find discussion
relevant to this particular issue.
Is there some way I can whitelist such files, preferably on a per-user basis?

Cheers
Vince
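To make the false positive concrete, here is an added example (not rkhunter's
own code and not from the original post). It parses the lsof listing quoted
above, flags open regular files by basename the way a rootkit-name table
would, records that the flagged name is relative, and shows how to ask the
kernel via /proc/PID/fd/N what the file really is so that an absolute path
can be handed to RTKT_FILE_WHITELIST. The lsof text is a constructed copy of
the listing in the post; the name table, the readlink callback and the
/home/... paths used when running it offline are assumptions for
illustration, not rkhunter's real list.

```python
#!/usr/bin/env python3
"""Re-create the running_procs false positive from the post above.

Added illustration, not rkhunter's own code.  The lsof listing is copied from
the post; SUSPICIOUS_BASENAMES is a hypothetical stand-in for rkhunter's
rootkit file-name table, not its actual contents.
"""
import os
import posixpath

# Constructed sample: the `lsof -wnlP +c 0 -p 14163` output quoted in the post.
LSOF_SAMPLE = """\
COMMAND   PID     USER   FD   TYPE             DEVICE SIZE/OFF   NODE NAME
Thunar  14163    73818  cwd    DIR               0,35       20  12967 lib/linux64
Thunar  14163    73818    0r   CHR                1,3      0t0    940 /dev/null
Thunar  14163    73818    1w   REG               0,35     9071  17410 .vnc/hydra
Thunar  14163    73818    2w   REG               0,35     9071  17410 .vnc/hydra
Thunar  14163    73818    3u  unix 0xffff880c72ce8c00      0t0  76496 socket
"""

# Hypothetical stand-in for the rootkit file-name table (basename -> label).
SUSPICIOUS_BASENAMES = {"hydra": "THC-Hydra (password capture)"}


def parse_lsof(text):
    """Split each lsof row into the header's columns; NAME takes the remainder.

    Splitting on whitespace at most (columns - 1) times keeps a NAME that
    contains spaces intact.  Rows with a different field count are skipped
    rather than mis-assigned.
    """
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split(None, len(header) - 1)
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def flag_suspicious(rows):
    """Flag REG entries whose basename is in the table.

    A plain basename match (the hypothetical rule used here) reproduces the
    warning: the relative, nonexistent name .vnc/hydra matches "hydra" just
    as an absolute path would.  The fourth tuple element records whether the
    lsof NAME was absolute, which decides whether it can be whitelisted as-is.
    """
    hits = []
    for row in rows:
        if row["TYPE"] != "REG":
            continue
        label = SUSPICIOUS_BASENAMES.get(posixpath.basename(row["NAME"]))
        if label:
            hits.append((row["FD"], row["NAME"], label, posixpath.isabs(row["NAME"])))
    return hits


def resolve_fd(pid, fd, readlink=os.readlink):
    """Return the kernel's path for an fd via /proc/PID/fd/N, or None.

    lsof's FD column carries an access suffix (1w, 3u); strip it first.
    `readlink` is injectable so the logic can be exercised without /proc.
    """
    number = fd.rstrip("rwu")
    try:
        return readlink("/proc/%s/fd/%s" % (pid, number))
    except OSError:
        return None


def whitelist_entries(pid, hits, readlink=os.readlink):
    """Map each flagged fd to an absolute path usable in RTKT_FILE_WHITELIST.

    Absolute lsof names are kept; relative ones are replaced by the /proc
    link target.  None marks an fd that could not be resolved (process gone,
    or not running as root), so the gap is visible instead of silently lost.
    """
    result = {}
    for fd, name, _label, is_abs in hits:
        result[fd] = name if is_abs else resolve_fd(pid, fd, readlink)
    return result


if __name__ == "__main__":
    rows = parse_lsof(LSOF_SAMPLE)
    hits = flag_suspicious(rows)
    for fd, name, label, is_abs in hits:
        print("fd %s -> %s  [%s]  absolute=%s" % (fd, name, label, is_abs))
    # On the affected host, run as root with the live PID: the link targets
    # are the real files behind ".vnc/hydra" and the paths to whitelist.
    print(whitelist_entries(14163, hits))
```

Run on the sample this flags fds 1w and 2w with the THC-Hydra label and
absolute=False; on the real host, as root while the VNC session is up, the
/proc link targets tell you what lsof abbreviated to .vnc/hydra, and those
are the absolute names a whitelist entry needs.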

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users