Re: [Rkhunter-users] Running processes false warning?

2010-09-12 Thread Nerijus Baliunas
On Thu, 09 Sep 2010 10:21:56 +0100 John Horne  wrote:

> The test is for complete files names, not partial matches - so
> '.../system' matches, but '.../system_bus_socket' will not. Without
> seeing the lsof output, which has obviously changed by now, it is
> impossible to say what was matched.

I have a similar problem with wine. When there are no wine apps running,
I get no warning, but with wine running I get the warning.
I made a diff of the lsof output with wine running and not running; it seems the following
opened directory is guilty:
+n/mnt/d/winnt4nowin/windows/system
Is it possible to whitelist it somehow?
I tried to change rkhunter binary like this:

--- rkhunter.orig   2009-11-29 15:05:09.0 +0200
+++ rkhunter2010-09-13 02:48:20.524209918 +0300
@@ -6384,7 +6384,6 @@
 ras2xm:Unknown rootkit
 vobiscum:Unknown rootkit
 sshd3:Unknown rootkit
-system:Unknown rootkit
 t0rnsb:T0rn
 t0rns:T0rn
 t0rnp:T0rn
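Review bot: dropping `system:Unknown rootkit` from the embedded rootkit file table changes /usr/bin/rkhunter itself, so any integrity check over that file fires (the package-manager verification quoted below reports a changed hash, size and modification time), and `--propupd` cannot clear it because the package manager's record, not rkhunter's own property database, is the reference. The edit is also broader than the problem: it stops `system` being flagged for every path on the host, not just the one wine directory (/mnt/d/winnt4nowin/windows/system) that triggered the warning. Leave the table intact and whitelist that specific path in rkhunter's configuration instead.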

but then I get a warning:
[02:54:07] /usr/bin/rkhunter [ Warning ]
[02:54:07] Warning: Package manager verification has failed:
[02:54:07]  File: /usr/bin/rkhunter
[02:54:07]  The file hash value has changed
[02:54:07]  The file size has changed
[02:54:07]  The file modification time has changed

The warning remains even after running rkhunter --propupd, why?
Ah, it's because of "Package manager verification".

Regards,
Nerijus

--
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing
http://p.sf.net/sfu/novell-sfdev2dev
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
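The matching rule John Horne describes above (a complete file name matches, a longer name containing it does not) and the per-path whitelist that avoids editing the script, as an added Ruby example that is not rkhunter's own code. The rootkit table and the lsof field output are constructed for the example; treating "complete file name" as the last path component is an assumption.

```ruby
# Added example, not rkhunter's code: models the running-processes check
# (exact file-name match against a rootkit table) plus a per-path whitelist.

# Constructed excerpt of a rootkit file-name table, in the shape the diff shows.
ROOTKIT_FILES = {
  'system' => 'Unknown rootkit',
  'sshd3'  => 'Unknown rootkit',
  't0rns'  => 'T0rn',
}.freeze

# Constructed lsof -F style output: p<pid>, f<fd> and n<name> field lines.
SAMPLE_LSOF = <<~LSOF
  p1234
  fcwd
  n/mnt/d/winnt4nowin/windows/system
  f3
  n/var/run/dbus/system_bus_socket
  p5678
  ftxt
  n/tmp/t0rns
LSOF

# Return [pid, path] pairs from lsof field output; other fields are ignored.
def parse_lsof_names(output)
  pid = nil
  pairs = []
  output.each_line do |line|
    line = line.chomp
    case line[0]
    when 'p' then pid = line[1..-1].to_i
    when 'n' then pairs << [pid, line[1..-1]] if pid
    end
  end
  pairs
end

# Exact match on the final path component (assumption: "complete file name"
# means the basename). '.../windows/system' hits 'system';
# '.../system_bus_socket' does not. Whitelisted paths are skipped before the
# table is consulted, so one wine directory can be excused without touching
# the table for every other path on the host.
def rootkit_hits(open_files, table, whitelist = [])
  open_files.map do |pid, path|
    next if whitelist.include?(path)
    rootkit = table[File.basename(path)]
    [pid, path, rootkit] if rootkit
  end.compact
end

if __FILE__ == $0
  files = parse_lsof_names(SAMPLE_LSOF)
  puts 'Without whitelist:'
  rootkit_hits(files, ROOTKIT_FILES).each { |pid, path, rk| puts "  pid #{pid}: #{path} (#{rk})" }
  puts 'With the wine directory whitelisted:'
  rootkit_hits(files, ROOTKIT_FILES, ['/mnt/d/winnt4nowin/windows/system'])
    .each { |pid, path, rk| puts "  pid #{pid}: #{path} (#{rk})" }
end
```

Run as-is it reports both the wine directory and /tmp/t0rns, then only /tmp/t0rns once the wine path is whitelisted. rkhunter's own configuration offers a whitelist for exactly this case (RTKT_FILE_WHITELIST in rkhunter.conf), which keeps the script unmodified and the package-manager verification quiet.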


Re: [Rkhunter-users] Unhide testers wanted for Ruby version

2010-09-12 Thread unspawn
Hello Yago,

On Sun, 12 Sep 2010 16:42:00 +0200 Yago Jesus  wrote:
>(..) I think it is really good having more choices to do the same
> thing.
..and as such I'd like to see if providing it as an option is worth 
it. (If the tool isn't worth including then it won't be, if it is 
then any dependencies will be local and not required by RKH.)


>(..) Unhide is a live project. If you read the changelog you can
> find that Unhide is improving more and more with new checks and new
> possibilities every new version.
Indeed it is, and unhide.rb has not been updated or improved since
September(?) of last year AFAIK.


>(..) rkhunter should focus in integrate more options from Unhide
> instead of trying to add a reduced version of Unhide.
I have promoted unhide long before we included it and the tool has
served me well over the years.
So this request I sent out should not be interpreted as
RKH moving away from unhide.

I'm looking forward to the new version.


Cheers,
unSpawn
---




Re: [Rkhunter-users] Unhide testers wanted for Ruby version

2010-09-12 Thread Yago Jesus
Hi,

As Unhide maintainer, I would like to write a few words about it. First, as
a big supporter of open source I think it is really good having more
choices to do the same thing. Moreover, I know Johan (he sent me some
patches for Unhide) and I think he is a very skilled and smart person,
and Unhide.rb is a great piece of software, so my intention is not to start
a flame-war.

One of the points that makes me think Rkhunter is better than Chkrootkit
is the possibility of using external programs rather than re-implementing the
functionality of these programs in other tools. Chkrootkit implements its
own limited version of Unhide in a similar fashion to Unhide.rb (only
PS / Proc if I recall).

So, let me explain the reasons why I think this option was wrong for
Chkrootkit:

First of all, Unhide is a live project. If you read the changelog you
can find that Unhide is improving more and more with new checks and new
possibilities every new version. For example, in the last update we
added a new check using threads that makes the brute check almost
impossible to bypass. In the next version (which will be released ASAP)
we are going to add a new amazing reversing option to check if your
/bin/ps is showing fake processes.

Then, I think (please read this with absolute respect, it is only my
own opinion, I don't want to say what you must do) rkhunter should focus
on integrating more options from Unhide instead of trying to add a reduced
version of Unhide. For example, Unhide is not only a process detector,
it comes with another tool for tcp-checks.

Of course, we are open to changing Unhide in a way that makes it more
Rkhunter friendly, so please don't hesitate to send us feedback about it.

Cheers,


2010/9/12 

> Hello all,
>
> A long time ago a feature request was made for inclusion of a
> replacement for the "unhide" tool made in Ruby
> (https://sourceforge.net/tracker/?func=detail&aid=2759279&group_id=155034&atid=794190).
> This version is available from
> https://launchpad.net/unhide.rb and I'd like to see if anybody on
> this list would be willing to test-drive it.
>
> You should be able to install Ruby and the tool yourself w/o
> requiring help and run johanwalles' 'ps' test from the above
> thread. Extra mana points for testing common process hiders like,
> say, 'xhide'.
>
>
> TIA,
> unSpawn
> ---
>
>
>
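The two checks the thread keeps coming back to, the "PS / Proc" comparison that Yago says reduced implementations are limited to and the PID brute check he mentions, as an added Ruby example. This is not code from Unhide, unhide.rb or rkhunter; it assumes a Linux /proc layout, and the probe and recheck callbacks are injectable so the logic can be exercised on constructed PID sets without sending signals.

```ruby
require 'set'

# Added example, not Unhide, unhide.rb or rkhunter code: hidden-process
# detection by comparing what ps reports with what /proc and kill(0) reveal.

# Parse `ps -eo pid=` output (one PID per line) into a Set of Integers.
def parse_ps_pids(ps_output)
  ps_output.each_line.map(&:strip).reject(&:empty?).map(&:to_i).to_set
end

# PIDs present under /proc: only the purely numeric directory names.
def parse_proc_pids(entries)
  entries.select { |e| e.match?(/\A\d+\z/) }.map(&:to_i).to_set
end

# Brute check: probe every PID in the range. With the default probe,
# Process.kill(0, pid) sends no signal; ESRCH means no such process, EPERM
# means it exists but is not ours, which still counts as "exists".
def brute_pids(range, probe = ->(pid) { Process.kill(0, pid); true })
  found = Set.new
  range.each do |pid|
    begin
      found << pid if probe.call(pid)
    rescue Errno::ESRCH
      next
    rescue Errno::EPERM
      found << pid
    end
  end
  found
end

# PIDs that /proc or the brute probe saw but ps did not. A process that exits
# between the two snapshots looks hidden for an instant, so every candidate is
# re-checked before it is reported; the default recheck accepts everything.
def find_hidden(ps_pids, candidate_pids, recheck = ->(_pid) { true })
  (candidate_pids - ps_pids).select { |pid| recheck.call(pid) }.sort
end

# Live scan of this host; only runs when invoked with --live because the
# brute check walks the whole PID range (read from pid_max) and is slow.
if __FILE__ == $0 && ARGV[0] == '--live'
  ps_now   = -> { parse_ps_pids(`ps -eo pid=`) }
  proc_now = -> { parse_proc_pids(Dir.children('/proc')) }
  pid_max  = File.read('/proc/sys/kernel/pid_max').to_i
  # Still in /proc and still missing from a fresh ps listing.
  recheck  = ->(pid) { proc_now.call.include?(pid) && !ps_now.call.include?(pid) }

  candidates = proc_now.call | brute_pids(1..pid_max)
  hidden = find_hidden(ps_now.call, candidates, recheck)
  puts(hidden.empty? ? 'No hidden PIDs found' : "Possible hidden PIDs: #{hidden.join(', ')}")
end
```

The recheck is what keeps short-lived processes from being reported as hidden, which is the main false-positive source in this kind of check; a PID that survives a second /proc lookup and is still absent from a fresh ps listing is worth investigating.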


[Rkhunter-users] Unhide testers wanted for Ruby version

2010-09-12 Thread unspawn
Hello all,

A long time ago a feature request was made for inclusion of a
replacement for the "unhide" tool made in Ruby
(https://sourceforge.net/tracker/?func=detail&aid=2759279&group_id=155034&atid=794190).
This version is available from
https://launchpad.net/unhide.rb and I'd like to see if anybody on
this list would be willing to test-drive it.

You should be able to install Ruby and the tool yourself w/o
requiring help and run johanwalles' 'ps' test from the above
thread. Extra mana points for testing common process hiders like,
say, 'xhide'.


TIA, 
unSpawn
---

