On Thu, 2010-09-09 at 09:51 +0200, John Bond wrote:
> I have an RKHunter 1.3.6 job running, which more or less often returns
> a warning on the "running processes" check.
> The log says that a file named "backdoor, adore.o, mod_rootme.so,
> phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava, tzava,
> mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system,
> t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber,
> xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write,
> Phantasmagoria.o, lkt.o, nlkt.o" has been found and must be verified
> with "lsof -F n -w -n".
>
> Lsof runs ran immediately (without any latency) after rkhunter don't
> show any match, if not partial matches of appropriate files, like:
>
> n/var/run/dbus/system_bus_socket
>
> Whiche starts with 'system'.
>
The test is for complete files names, not partial matches - so
'.../system' matches, but '.../system_bus_socket' will not. Without
seeing the lsof output, which has obviously changed by now, it is
impossible to say what was matched.
The test has been improved for the next release in that it will tell you
exactly which filename matched.
John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001
--
This SF.net Dev2Dev email is sponsored by:
Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
