rkhunter did not work, ZBOT IS ACTIVE

On 17 January 2016 at 16:34, <rkhunter-users-requ...@lists.sourceforge.net>
wrote:

> Send Rkhunter-users mailing list submissions to
>         rkhunter-users@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> or, via email, send a message with subject or body 'help' to
>         rkhunter-users-requ...@lists.sourceforge.net
>
> You can reach the person managing the list at
>         rkhunter-users-ow...@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Rkhunter-users digest..."
>
>
> Today's Topics:
>
>    1. /bin/su (absolutely_f...@libero.it)
>    2. Results of RKhunter (sok)
>    3. Re: Results of RKhunter (Al Varnell)
>    4. Re: Results of RKhunter (lanceh1412-busin...@yahoo.co.uk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 1 Jan 2016 13:55:45 +0100 (CET)
> From: "absolutely_f...@libero.it" <absolutely_f...@libero.it>
> Subject: [Rkhunter-users] /bin/su
> To: rkhunter-users@lists.sourceforge.net
> Message-ID:
>         <1507454025.6971811451652945184.javamail.ht...@webmail-53.iol.local>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
> according to RK documentation (rkhunter.conf file):
> # NOTE: Only files and directories which have been added by the user, and are
> # not part of the internal lists, can be excluded. So, for example, it is not
> # possible to exclude the 'ps' command by using '/bin/ps'. These will be
> # silently ignored from the configuration.
> So, my understanding is that it is impossible to bypass the /bin/su binary
> (for example), as it is present in the internal list:
> ~# grep -r /bin/su /var/lib/rkhunter/*
> /var/lib/rkhunter/db/rkhunter.dat:File:0:/bin/su:792c7d91365f75e2d5dde3d1ecb047eae206c0a69294b00645808d2ed2dc4ed4::04755:0:0:34904:1447148635:coreutils:0::.
> /var/lib/rkhunter/db/rkhunter_prop_list.dat:/bin/su
>
> Did I get it right?
> Is it possible to manually modify values (permission, owner) in
> /var/lib/rkhunter/db/rkhunter.dat? Or would this be pointless because it
> will be overwritten during an update? Thank you
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Sun, 17 Jan 2016 23:45:48 +0200
> From: sok <slas...@gmail.com>
> Subject: [Rkhunter-users] Results of RKhunter
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <569c0b8c.7090...@gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Dear friends,
> this is the first time I am running Rkhunter.
> I am using Ubuntu 14.04. This is what I have found after running Rkhunter:
>
> [23:32:57]   /usr/bin/rpm                                    [ Warning ]
> [23:32:57] Warning: The file '/usr/bin/rpm' exists on the system, but it
> is not present in the rkhunter.dat file.
> [23:32:59]   /usr/bin/unhide.rb                              [ Warning ]
> [23:32:59] Warning: The command '/usr/bin/unhide.rb' has been replaced
> by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
> [23:34:24]   Checking /dev for suspicious file types         [ Warning ]
> [23:34:24] Warning: Suspicious file types found in /dev:
> [23:34:24]   Checking for hidden files and directories       [ Warning ]
> [23:34:24] Warning: Hidden directory found: '/etc/.java: directory '
> [23:34:24] Warning: Hidden directory found: '/dev/.udev: directory '
> [23:34:24] Warning: Hidden file found: /etc/.fstab.swp: Vim swap file,
> version 7.4
> [23:34:24] Warning: Hidden file found: /dev/.initramfs: symbolic link to
> `/run/initramfs'
>
> Do you think that I am infected? What can I do about this? Thanks
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 17 Jan 2016 13:54:54 -0800
> From: Al Varnell <alvarn...@mac.com>
> Subject: Re: [Rkhunter-users] Results of RKhunter
> To: RKHunter-Users Body <rkhunter-users@lists.sourceforge.net>
> Message-ID: <f4d47202-e587-4a68-8169-04c460701...@mac.com>
> Content-Type: text/plain; charset="utf-8"
>
> I doubt it, but if you don't know enough about Ubuntu to know whether or
> not those files should be found, then perhaps RKHunter isn't the right tool
> for you to be using.
>
> -Al-
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 2366 bytes
> Desc: not available
>
> ------------------------------
>
> Message: 4
> Date: Sun, 17 Jan 2016 22:16:56 +0000 (UTC)
> From: <lanceh1412-busin...@yahoo.co.uk>
> Subject: Re: [Rkhunter-users] Results of RKhunter
> To: Al Varnell <alvarn...@mac.com>,     RKHunter-Users Body
>         <rkhunter-users@lists.sourceforge.net>
> Message-ID:
>         <1728012417.10478733.1453069016413.javamail.ya...@mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> You usually get such results when you first run rkhunter. It is
> recommended that you run it on a fresh install and clear up any warnings
> found. If it is not a fresh install then it is hard to say whether you
> should be worried or not. The vim swap file suggests you were perhaps
> editing the fstab file while running rkhunter. Rkhunter gives warnings when
> it finds hidden directories such as .java. This is probably ok and if it
> were a clean install you would add an exclusion to the rkhunter.conf file.
> Details of how to do this are in the documentation and there are probably
> examples in the conf file. You would certainly get such results on a first
> run so unless you have reasons to believe you have been infected you are
> probably all right. Can't give you more info at the moment as I don't have
> access to my system.
>
>
>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
>
> ------------------------------
>
>
>
> End of Rkhunter-users Digest, Vol 107, Issue 1
> **********************************************
>
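Message 1 above asks whether the owner and permission values stored for /bin/su in rkhunter.dat can be edited by hand. The following added example (written for this thread, not rkhunter's own code) parses the quoted rkhunter.dat record and compares each stored property with the file on disk, so a hand-edited record simply stops matching the file it describes. The field layout is inferred from the quoted line and is an assumption; the `verify` and `demo` helpers are hypothetical names.

```python
"""Added example: parse an rkhunter.dat 'File:' record and diff it against the live file.
Field layout is inferred from the record quoted in Message 1 (an assumption, not documented):
  File:<n>:<path>:<sha256>:<unused>:<perms>:<uid>:<gid>:<size>:<mtime>:<pkg>:..."""
import dataclasses, hashlib, os, stat, tempfile

# The /bin/su record from Message 1 above.
SAMPLE_RECORD = ("File:0:/bin/su:792c7d91365f75e2d5dde3d1ecb047eae206c0a69294b00645808d2ed2dc4ed4"
                 "::04755:0:0:34904:1447148635:coreutils:0::")

@dataclasses.dataclass
class FileRecord:
    path: str
    sha256: str
    perms: int        # chmod bits including setuid, e.g. 0o4755
    uid: int
    gid: int
    size: int
    mtime: int
    package: str

def parse_file_record(line: str) -> FileRecord:
    f = line.strip().split(":")
    if f[0] != "File" or len(f) < 11:
        raise ValueError(f"not a File record: {line!r}")
    return FileRecord(f[2], f[3], int(f[5], 8), int(f[6]), int(f[7]), int(f[8]), int(f[9]), f[10])

def verify(rec: FileRecord) -> list:
    """Names of the recorded properties that differ from the file on disk."""
    st = os.lstat(rec.path)
    with open(rec.path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    live = {"sha256": digest, "perms": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime)}
    return [k for k, v in live.items() if v != getattr(rec, k)]

def demo() -> dict:
    """Run verify() against a constructed stand-in file, never the real /bin/su."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "su")
        with open(target, "wb") as fh:
            fh.write(b"constructed stand-in for a setuid binary\n")
        os.chmod(target, 0o755)
        st = os.lstat(target)
        with open(target, "rb") as fh:
            good = FileRecord(target, hashlib.sha256(fh.read()).hexdigest(), 0o755,
                              st.st_uid, st.st_gid, st.st_size, int(st.st_mtime), "coreutils")
        # Hand-editing the record (as Message 1 asks about) makes it disagree with the file.
        edited = dataclasses.replace(good, perms=0o4755)
        clean, drift = verify(good), verify(edited)
        with open(target, "ab") as fh:
            fh.write(b"\x90")            # simulate a modified binary
        return {"clean": clean, "edited": drift, "tampered": verify(good)}
```

Running `demo()` returns an empty list for the untouched file, `["perms"]` for the hand-edited record, and at least `sha256` and `size` once the file itself changes; `rkhunter --propupd` would regenerate the stored values from the live file, which is why editing them by hand gains nothing.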