I might be able to address any Mac questions you still have. I have no 
experience with any other OS or with unhide, so would only be guessing 
about such questions.

Sent from my iPad

-Al-

> On Oct 5, 2020, at 15:05, vze1amckv--- via Rkhunter-users 
> <rkhunter-users@lists.sourceforge.net> wrote:
> 
> Hello all,
> 
> I e-mailed the list a few months ago, but must have missed the reply.  A time 
> ago (when I used a Mac) I submitted a question via the "support requests" 
> ticketing function of Sourceforge and was assigned a ticket number of 44:
> 
> https://sourceforge.net/p/rkhunter/support-requests/44
> 
> I see that no longer appears even in the list of closed tickets.  Is there 
> any particular reason it's hidden, and can somebody with access to view the 
> ticket please let me know what's in it?  I believe it was Macintosh specific 
> questions if I remember correctly.  Sorry if the developers already replied; 
> I simply don't remember.

It's normal for some issues to be initially hidden since they might contain 
security vulnerabilities that need to remain so until resolved to prevent 
exploitation. They normally remain hidden until a responsible person is 
assigned and they are judged to be OK for public viewing. But I was under the 
impression that the author would have access, so not sure why you are not able 
to view it.

> More recently (several months ago) I installed rkhunter on a new XUbuntu 
> computer, but I think that I never executed it (as evidenced by the lack of 
> any /var/log/rkhunter.log file).
> 
> Thus, since I'd presume it has nothing to compare the existing files to, I 
> was surprised when I saw a slew of warnings about changed file properties.  I 
> know they're normal if you update the OS, just not sure what the point of 
> comparison is if it's the first run.

This is perfectly normal. The first time it's run there is nothing to compare 
the current hash value to, so it should be reporting each file as changed. 
Normally, one should make a first run immediately after installing a virgin OS 
in order to establish a baseline. I'm only surprised that only 125 of 145 files 
were found to have changed.

> Now here's where it gets interesting.  I also see this warning:
> 
> [22:28:06] Info: Starting test name 'passwd_changes'
> [22:28:06]   Checking for passwd file changes                [ Warning ]
> [22:28:07] Warning: User 'tcpdump' has been added to the passwd file.
> [22:28:07]
> 
> I haven't installed tcpdump recently.  Is there any other reason why a 
> "tcpdump" user would be created?  For example do you know what other common 
> software might have tcpdump bundled with it?
> 
> [22:28:08] Warning: Group 'render' has been added to the group file.
> [22:28:08] Warning: Group 'tcpdump' has been added to the group file.
> 
> I don't use this computer for any packet-capturing activities, so not sure 
> how tcpdump got added.  Is there a way to find out when?
> 
> The end of run shows this:
> 
> [22:29:57] System checks summary
> [22:29:57] =====================
> [22:29:57]
> [22:29:57] File properties checks...
> [22:29:57] Required commands check failed
> [22:29:57] Files checked: 145
> [22:29:57] Suspect files: 125
> [22:29:58]
> [22:29:58] Rootkit checks...
> [22:29:58] Rootkits checked : 479
> [22:29:58] Possible rootkits: 4
> 
> 
> Then in July, I got the attached. (If the attachment doesn't come through... 
> basically the "unhide" test uncovered hundreds of hidden processes.)
> 
> What's up with all these hidden processes?  I know I can run "--propupd" to 
> suppress warnings, but I also know that puts my stamp of approval on what I 
> see.  I'd think the existence of hidden processes would be the #1 clue of 
> actual infection.

I'm under the impression that --propupd doesn't affect hidden findings, but as 
I said earlier, I'm not familiar with the unhide function.

> Anyway, please let me know what happened to my support ticket.
> https://sourceforge.net/p/rkhunter/support-requests/44
> Thanks!
> <hidden_processes.text>
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
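The two checks this thread turns on are a comparison against a stored baseline (which is why a first run with no stored file properties flags nearly everything) and a diff of saved copies of passwd/group against the current files (which is how 'tcpdump' and 'render' surface as added accounts). The script below is an added example written for this page, not code from the thread or from the rkhunter project, and it does not reproduce rkhunter's own database format; it reimplements the two comparisons in miniature and adds a lookup in dpkg.log, where Debian-derived systems such as Xubuntu record package installs, to answer the "is there a way to find out when?" question. Every sample line in it (accounts, group ids, the dpkg.log excerpt, the stand-in file contents) is constructed.

```python
"""
Miniature versions of two rkhunter-style checks discussed in the thread:
the file-properties comparison (why a first run with no stored baseline
reports nearly every file as changed) and the passwd/group change test
(why service accounts created by package install scripts show up as
"added"). All sample data below is constructed for the example, not taken
from the poster's system.
"""
import hashlib

# --- constructed sample data -------------------------------------------------
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
# The same file after a package that drops privileges added its service account.
PASSWD_CURRENT = PASSWD_BASELINE + "tcpdump:x:114:119::/nonexistent:/usr/sbin/nologin\n"

GROUP_BASELINE = "root:x:0:\nalice:x:1000:\n"
GROUP_CURRENT = GROUP_BASELINE + "render:x:118:\ntcpdump:x:119:\n"

# Constructed excerpt in the format of /var/log/dpkg.log (date time action pkg:arch old new).
DPKG_LOG = """2020-06-12 09:14:03 startup archives unpack
2020-06-12 09:14:05 install tcpdump:amd64 <none> 4.9.3-4
2020-06-12 09:14:06 status unpacked tcpdump:amd64 4.9.3-4
2020-06-12 09:14:09 configure tcpdump:amd64 4.9.3-4 <none>
2020-06-12 09:14:10 status installed tcpdump:amd64 4.9.3-4
"""

# Stand-in for the binaries a property database would hash: path -> content bytes.
SAMPLE_FILES = {"/usr/bin/ls": b"ls-binary-v1",
                "/usr/bin/ps": b"ps-binary-v1",
                "/usr/bin/ssh": b"ssh-binary-v1"}


# --- file-properties baseline ------------------------------------------------
def hash_files(files):
    """Hash each file's contents, as a property database records them."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(baseline, current):
    """Paths whose current hash differs from, or is missing in, the baseline.
    An empty baseline (a first run) therefore flags every file as changed."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)


# --- passwd / group change test ----------------------------------------------
def parse_entries(text):
    """Map account or group name -> full record for passwd/group style files."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            entries[line.split(":", 1)[0]] = line
    return entries


def diff_accounts(baseline_text, current_text):
    """Names present now but absent from the saved copy are 'added', and the
    reverse are 'removed'. With no saved copy there is nothing to compare, so
    nothing is flagged rather than every account."""
    if baseline_text is None:
        return {"added": [], "removed": [], "no_baseline": True}
    old, new = parse_entries(baseline_text), parse_entries(current_text)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "no_baseline": False}


def report(passwd_old, passwd_new, group_old, group_new):
    """Render the account differences as warning lines in the log's wording."""
    lines = []
    for label, kind, old, new in (("passwd", "User", passwd_old, passwd_new),
                                  ("group", "Group", group_old, group_new)):
        diff = diff_accounts(old, new)
        for name in diff["added"]:
            lines.append(f"Warning: {kind} '{name}' has been added to the {label} file.")
        for name in diff["removed"]:
            lines.append(f"Warning: {kind} '{name}' has been removed from the {label} file.")
    return lines


# --- answering "when did this appear?" ---------------------------------------
def install_time(dpkg_log, package):
    """Timestamp of the first 'install' entry for a package in dpkg.log text,
    or None if the log never records it being installed."""
    for line in dpkg_log.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "install" and fields[3].split(":")[0] == package:
            return f"{fields[0]} {fields[1]}"
    return None


if __name__ == "__main__":
    current = hash_files(SAMPLE_FILES)
    first = changed_files({}, current)
    print(f"First run (no baseline): {len(first)} of {len(SAMPLE_FILES)} files flagged")
    stored = hash_files(SAMPLE_FILES)  # what writing the baseline after a clean install stores
    print(f"After storing a baseline: {len(changed_files(stored, current))} files flagged")
    for line in report(PASSWD_BASELINE, PASSWD_CURRENT, GROUP_BASELINE, GROUP_CURRENT):
        print(line)
    print("tcpdump first installed at:", install_time(DPKG_LOG, "tcpdump"))
```

The in-memory byte strings stand in for reading real binaries; the point is that `changed_files` with an empty baseline flags all of them, and flags none once the same hashes are stored. On a real Xubuntu system the install time would come from `/var/log/dpkg.log` or `/var/log/apt/history.log`, and an added account whose install entry is not in either log is worth looking at more closely than one that matches a recorded package install.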
