Hi guys

The config file says RKH can use the C and Ruby versions of unhide.

I have tested the C version and it's all good.

I see no log entry that RKH is using unhide.rb.
This is from https://launchpad.net/unhide.rb

I can provide a log or a link to a log if you need it, but I thought it might
be quicker to show commands against the raw unpacked executable?

grep 'unhide\.rb' rkhunter
grep '\.rb' rkhunter
grep 'ruby' rkhunter
^^^^ no hits for the above commands

grep 'unhide' rkhunter
get_unhide_options() {
    # by the unhide commands in the 'hidden_procs' test.
        check_test hidden_procs || check_test hidden_ports && get_unhide_options
        # First we test for the 'unhide' C program.
        RKHTMPVAR="unhide"
        UNHIDE_CMD=`find_cmd unhide`
            RKHTMPVAR="unhide-posix"
            UNHIDE_CMD=`find_cmd unhide-posix`
            RKHTMPVAR="unhide-linux"
            UNHIDE_CMD=`find_cmd unhide-linux`
                    RKHTMPVAR="unhide-linux26"
                    UNHIDE_CMD=`find_cmd unhide-linux26`
                display --to LOG --type INFO ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE 'unhide'
            display --to LOG --type INFO NOT_FOUND_CMD 'unhide'
            if [ "${RKHTMPVAR}" != "unhide" ]; then
        # At this point if SEEN is 0, then a problem occurred with the 'unhide' program.
            # At this point we have either found a hidden PID, or an error occurred with the 'unhide' program,
            # Lets see if there was a problem executing the 'unhide' commands.
    UNHIDETCP_CMD=`find_cmd unhide-tcp`
        display --to LOG --type INFO FOUND_CMD 'unhide-tcp' "${UNHIDETCP_CMD} ${UNHIDETCP_OPTS}"
        display --to LOG --type INFO NOT_FOUND_CMD 'unhide-tcp'
                inetadm nawk truss unhide unhide-posix unhide-tcp"
                unhide unhide-posix unhide-tcp"
        PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-posix unhide-tcp"
        PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-linux unhide-posix unhide-tcp"
            PROP_FILE_LIST="${PROP_FILE_LIST} unhide-linux26"


In case I am showing myself up as a home user: by the time you read this, I
am already standing in the naughty corner.

cheers

Gordon
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users