Re: [Rkhunter-users] Stealthy Linux rootkit found in the wild after going undetected for 2 years

2024-02-06 Thread John Horne
On Tue, 2024-02-06 at 16:12 +1100, John Dodson wrote:
> Hi Guys,
> I just found time to think about rkhunter again, & realise the last update
> via fedora was for,
>
>   Version : 1.4.6
>   Release : 22.fc39
>   Build Date  : Sat 22 Jul 2023 03:14:29
>
> Did we make any progress on transition?
> & particularly was there any answer to the question below?
>
From the 1.4.6 changelog:

Added the 'Diamorphine LKM' test.


John.



> Cheers
>
> John
>
>
> On Sun, 2023-12-10 at 22:17 +0200, Brent Clark wrote:
> > Good day Guys
> >
> > I came across this
> >
> > https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/
> >
> > Can rkhunter detect / scan for
> >
> >  Diamorphine
> >  Suterusu
> >  Rooty
> >
> > Regards
> > Brent

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

[https://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>

This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, University of Plymouth accepts no responsibility for viruses and it is 
your responsibility to scan emails and their attachments. University of 
Plymouth does not accept responsibility for any changes made after it was sent. 
Nothing in this email or its attachments constitutes an order for goods or 
services unless accompanied by an official order form.

___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] Strange "preloaded share library" message on fresh pi installation

2021-08-20 Thread John Horne
On Fri, 2021-08-20 at 11:25 +0100, Adam Funk wrote:
> On 2021-08-19, John Horne wrote:
>
> > On Thu, 2021-08-19 at 13:43 +0100, Adam Funk wrote:
> > > On a fairly fresh installation of Raspberry Pi OS (buster image of
> > > 2021-05-07 kept up to date with `sudo apt update` and  `apt
> > > dist-upgrade`), I'm getting this strange warning from rkhunter:
> > >
> > > Warning: Found preloaded shared library: /usr/lib/arm-linux-
> > > gnueabihf/libarmmem-${PLATFORM}.so
> > >
> > > I've never seen this on the other Pi OS that I've been using, and it
> > > looks like a variable substitution has failed in producing the
> > > message.
> > >
> > >
> > The variable is part of the file name used by the shared library mechanism.
> > Nothing to do with the message itself.
>
> Thanks!
>
> Do you know what causes it, and whether it's a concern or "noise"?
>
A quick google seems to indicate it is something to do with Raspberry Pi and
the 6l and 7l ARMHF platforms. It looks genuine.


John.



Re: [Rkhunter-users] Strange "preloaded share library" message on fresh pi installation

2021-08-19 Thread John Horne
On Thu, 2021-08-19 at 13:43 +0100, Adam Funk wrote:
> On a fairly fresh installation of Raspberry Pi OS (buster image of
> 2021-05-07 kept up to date with `sudo apt update` and  `apt
> dist-upgrade`), I'm getting this strange warning from rkhunter:
>
> Warning: Found preloaded shared library: /usr/lib/arm-linux-
> gnueabihf/libarmmem-${PLATFORM}.so
>
> I've never seen this on the other Pi OS that I've been using, and it
> looks like a variable substitution has failed in producing the
> message.
>
>
The variable is part of the file name used by the shared library mechanism.
Nothing to do with the message itself.


John.

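John's point in both replies is that `${PLATFORM}` is not a failed substitution in rkhunter's message but part of the file name as written in the preload file: the dynamic loader expands it (along with `$LIB`) at load time, so the check reports the entry verbatim. The following is an added example, not rkhunter's own code: it reads a preload file, expands those tokens with caller-supplied values (ld.so takes the platform from the kernel's AT_PLATFORM auxiliary vector entry, which a shell script cannot see, so `v7l` below is just a parameter), and says whether each resolved library actually exists. The `/usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so` entry is the one from the thread; the other sample entries and the `lib/v7l/` files are constructed. The same preload check is what the HiddenWasp discussion further down the page calls "ld preloading".

```shell
#!/bin/sh
# Added example, not rkhunter's own code: list the entries of an ld.so preload
# file after expanding the "dynamic string tokens" that the dynamic loader
# substitutes at load time ($PLATFORM / ${PLATFORM} and $LIB / ${LIB}, see
# ld.so(8)).  PLATFORM and LIB are parameters here; on a real host ld.so derives
# them from the AT_PLATFORM auxv entry and the libc build.

# expand_preload_entry ENTRY PLATFORM LIB
# Prints ENTRY with the PLATFORM and LIB tokens replaced.
expand_preload_entry() {
    entry=$1 platform=$2 lib=$3
    printf '%s\n' "$entry" | sed \
        -e "s|\${PLATFORM}|$platform|g" -e "s|\$PLATFORM|$platform|g" \
        -e "s|\${LIB}|$lib|g"           -e "s|\$LIB|$lib|g"
}

# report_preloads FILE PLATFORM LIB
# Prints one line per entry: "PRESENT <path>" or "MISSING <path>".
# ld.so accepts entries separated by whitespace or ':' and ignores '#' comments.
report_preloads() {
    file=$1 platform=$2 lib=$3
    sed -e 's/#.*//' "$file" | tr ' :\t' '\n\n\n' | while read -r raw; do
        [ -n "$raw" ] || continue
        path=$(expand_preload_entry "$raw" "$platform" "$lib")
        if [ -e "$path" ]; then
            echo "PRESENT $path"
        else
            echo "MISSING $path"
        fi
    done
}

# demo_preloads: builds a constructed preload file in a temp dir and reports on
# it with PLATFORM=v7l (the value an ARMv7 Pi loader would use).
demo_preloads() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/v7l"
    : > "$tmp/lib/v7l/libpresent.so"            # this one exists
    cat > "$tmp/ld.so.preload" <<EOF
# constructed sample, modelled on the Raspberry Pi OS entry from the thread
/usr/lib/arm-linux-gnueabihf/libarmmem-\${PLATFORM}.so
$tmp/lib/\$PLATFORM/libpresent.so:$tmp/lib/\$PLATFORM/libgone.so
EOF
    report_preloads "$tmp/ld.so.preload" v7l lib
    rm -rf "$tmp"
}
```

Run `report_preloads /etc/ld.so.preload v7l lib` on the Pi itself to see whether the libarmmem entry resolves to a real file; an entry that resolves to nothing, or to something outside the distribution's library directories, is the case worth investigating.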


Re: [Rkhunter-users] Potential rootkit warning, regarding systemd...

2021-08-19 Thread John Horne
On Thu, 2021-08-19 at 12:37 +0200, k...@gmx.de wrote:
> Hello,
> I've got a Linux Server (openSUSE 15.2) that suddenly showed a suspicious
> warning during the night after a timed rkhunter scan (cron job), the days
> before it was quiet.
> There was no update on the machine before, no reboot or something like
> that...
>
> RKHunter shows a warning about 'systemd' as a possible rootkit, can anybody
> help me with that?
> Any hints how I could verify what that means?
> Is there a known false positive relating to that message or something like
> that?
>
>
> Running Rootkit Hunter version 1.4.6 (updated):
>
> ...
> [04:06:33] Info: Starting test name 'malware'
> [04:06:33] Performing malware checks
> [04:06:33]
> [04:06:33] Info: Test 'deleted_files' disabled at users request.
> [04:06:33]
> [04:06:33] Info: Starting test name 'running_procs'
> [04:06:50]   Checking running processes for suspicious files [ Warning ]
> [04:06:50] Warning: The following processes are using suspicious files:
> [04:06:50]   Command: systemd
> [04:06:50]       UID: 0    PID: 1
> [04:06:50]       Pathname:
> [04:06:50]       Possible Rootkit: Unknown rootkit
> [04:06:50]
Without the pathname not much can be said really. I vaguely remember a bug fix
in the dev version for when pathnames weren't being shown, but that might have
been with a different test.



John.

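The warning above is unusable precisely because its pathname field is empty: a check over running processes is only as good as the file name it can attach to the finding. As an added example (not rkhunter's running_procs test, whose internals the thread does not describe), here is an analogous check over a process's memory map: it reports file-backed mappings that deserve a second look, files that were deleted while still mapped or that live under /tmp or /dev/shm, and skips anonymous mappings, which have no pathname and so nothing to report. The `/proc/PID/maps` lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not rkhunter's running_procs test itself: an analogous check
# over a process's memory map (/proc/PID/maps).  It reports file-backed
# mappings worth a second look (files deleted while mapped, or living under
# /tmp or /dev/shm) and skips anonymous mappings, which carry no pathname.

# suspicious_maps MAPSFILE
# Prints one pathname per suspicious mapping, deduplicated.
suspicious_maps() {
    awk '
        # fields: address perms offset dev inode [pathname...]
        NF >= 6 {
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i   # paths may contain spaces
            if (path ~ /^\[/) next                          # [heap], [stack], [vdso]
            if (path ~ /\(deleted\)$/ || path ~ /^\/tmp\// || path ~ /^\/dev\/shm\//)
                if (!seen[path]++) print path
        }' "$1"
}

# scan_pid PID  -- run the check against a live process
scan_pid() { suspicious_maps "/proc/$1/maps"; }

# demo_suspicious_maps: constructed /proc/PID/maps content run through the check
demo_suspicious_maps() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
55d0c0000000-55d0c0100000 r-xp 00000000 08:01 131073 /usr/lib/systemd/systemd
7f1a00000000-7f1a00021000 rw-p 00000000 00:00 0
7f1a00021000-7f1a00045000 r-xp 00000000 00:13 9021 /dev/shm/libhelper.so (deleted)
7f1a00045000-7f1a00046000 r-xp 00000000 08:01 2233 /tmp/libextra.so
7f1a00046000-7f1a00047000 r--p 00000000 08:01 2233 /tmp/libextra.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
EOF
    suspicious_maps "$tmp"
    rm -f "$tmp"
}
```

`scan_pid 1` runs the same logic against PID 1; the anonymous `rw-p ... 00:00 0` line in the sample is the kind of mapping that has no pathname and must be skipped rather than reported with an empty field.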


Re: [Rkhunter-users] rkhunter sent lots of bounced emails.

2021-08-13 Thread John Horne
On Fri, 2021-08-13 at 11:12 -0700, Pallav Kothari wrote:
> Hey there,
>
> Rkhunter sent a lot of bounced e-mails after it ran its daily scan on 3rd
> august.
> I'm not sure why rkhunter sent so many e-mails because MAIL-ON-WARNING is
> commented out.
> sudo cat /etc/rkhunter.conf | grep root
>  #MAIL-ON-WARNING=me@mydomain root@mydomain
> sudo cat /etc/rkhunter.conf | grep mail
> #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
> Mail from rkhunter server:
> regular_text: Date: Wed, 28 Jul 2021 03:41:44 -0700
>  regular_text: From: root@www-12
>  regular_text: To: root@localhost
>  regular_text: Subject: rkhunter Daily Run on server12
>  regular_text: Message-ID:
>  regular_text: User-Agent: Heirloom mailx 12.5 7/5/10
>  regular_text: MIME-Version: 1.0
>  regular_text: Content-Type: text/plain; charset=us-ascii
>  regular_text: Content-Transfer-Encoding: 7b
>
The email you quoted is a bit old (28 July). Maybe your configuration file
changed in the meantime.



John.



Re: [Rkhunter-users] Update failed - wrong link

2021-07-02 Thread John Horne
On Thu, 2021-07-01 at 17:42 +0200, Ewert, Steffen wrote:
>
> I have here a Debian 10 system. Every time I do a "rkhunter --update" I
> get
>
> | [17:30:24] Running Rootkit Hunter version 1.4.6 on DFlExt4
> | [17:30:24]
> | [17:30:24] Info: Start date is Thu 01 Jul 2021 05:30:24 PM CEST
> | [17:30:24]
> | [17:30:24] Checking configuration file and command-line options...
> | [17:30:24] Info: Detected operating system is 'Linux'
> | [17:30:24] Info: Found O/S name: Debian GNU/Linux 10 (buster)
> ...
> | [17:30:24]
> | [17:30:24] Checking rkhunter data files...
> | [17:30:24] Info: Created temporary file
> '/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM'
> | [17:30:24] Info: Created temporary file
> '/var/lib/rkhunter/tmp/mirrors.dat.SVrROABgWb'
> | [17:30:24] Info: The mirrors file has been rotated:
> /var/lib/rkhunter/db/mirrors.dat
> | [17:30:24] Info: Executing download command '/usr/bin/wget  -q -O
> "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM"
> https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
> | [17:30:25] Info: Download failed - 1 mirror(s) left.
> | [17:30:25] Info: Created temporary file
> '/var/lib/rkhunter/tmp/mirrors.dat.3VeWSgPHKp'
> | [17:30:25] Info: The mirrors file has been rotated:
> /var/lib/rkhunter/db/mirrors.dat
> | [17:30:25] Info: Executing download command '/usr/bin/wget  -q -O
> "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM"
> https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
> | [17:30:26] Warning: Download of 'mirrors.dat' failed: Unable to determine
> the latest version number.
> | [17:30:26] Checking file mirrors.dat [ Update
> failed ]
> | [17:30:26] Info: Executing download command '/usr/bin/wget  -q -O
> "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM"
> https://rkhunter.sourceforge.io/programs_bad.dat 2>/dev/null'
> | [17:30:27] Info: Download failed - 1 mirror(s) left.
>
Hello,

I have been using a test Debian 10 server (for other work), and have just
installed rkhunter via apt.

I was a bit surprised in that the supplied configuration file is obviously
wrong. Trying to run an '--update' it seems they have set the WEB_CMD config
option to (literally) "/bin/false" (i.e. with the double-quotes). However,
double-quotes are a perfectly valid filename character. So RKH sees this as a
relative file name, and fails before doing much at all.

I created a /etc/rkhunter.conf.local file containing 'WEB_CMD=wget'.

As to your problem, they have also set the MIRRORS_MODE option such that RKH
expects local mirrors. To the rkhunter.conf.local file I added
'MIRRORS_MODE=0'.
Updates now worked. However, they have also configured RKH not to update any of
the language files (except 'en'). No problem with that really, but it's not
exactly user-friendly! (If you want to enable this, then add 'UPDATE_LANG=' to
the /etc/rkhunter.conf.local file.)

Finally it seems they have disabled the mirrors file itself from being updated
- which is obviously useful if you are using local mirrors. However, if you
have modified the mirrors mode to use remote mirrors, then you may also want to
set 'UPDATE_MIRRORS=1'.



John.

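The three overrides John describes (WEB_CMD, MIRRORS_MODE, UPDATE_MIRRORS, plus the optional UPDATE_LANG) are a small enough change that the more useful thing to have is a way to see what the packaged file plus the local override actually leave in force, and to catch the quoted-value mistake he ran into. The following is an added example and not part of rkhunter; it assumes, as the message itself relies on, that /etc/rkhunter.conf.local is read after /etc/rkhunter.conf and that for a single-valued option the last assignment wins. The packaged-file contents in the demo are a constructed stand-in matching the message's description, not a copy of Debian's file.

```shell
#!/bin/sh
# Added example, not part of rkhunter: helpers for checking what the packaged
# rkhunter.conf and a local override file actually set, and for writing the
# overrides the message above describes.  Assumption (as the message relies
# on): for a single-valued option the last assignment read wins, and
# /etc/rkhunter.conf.local is read after /etc/rkhunter.conf.

# effective_option NAME FILE...
# Prints the value of the last uncommented NAME=value line across FILEs.
effective_option() {
    name=$1; shift
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; fi
    done | grep "^[[:space:]]*$name=" | tail -n 1 | sed 's/^[^=]*=//'
}

# check_web_cmd VALUE
# Fails when the value carries its own quotes: rkhunter does not strip them,
# so "/bin/false" (quotes included) is a relative file name, not /bin/false.
check_web_cmd() {
    case $1 in
        \"*|\'*) echo "WEB_CMD value $1 is quoted; rkhunter will look for a file literally named $1" >&2
                 return 1 ;;
        *)       return 0 ;;
    esac
}

# remote_update_overrides
# Prints the rkhunter.conf.local lines from the message: a real downloader,
# remote mirrors, mirror-file updates and (optional) all language files.
remote_update_overrides() {
    cat <<'EOF'
WEB_CMD=wget
MIRRORS_MODE=0
UPDATE_MIRRORS=1
UPDATE_LANG=
EOF
}

# demo_overrides: constructed copies of both files, showing the override in effect
demo_overrides() {
    tmp=$(mktemp -d)
    # constructed stand-in for the packaged file (values as described above)
    printf '%s\n' 'WEB_CMD="/bin/false"' 'MIRRORS_MODE=1' 'UPDATE_MIRRORS=0' > "$tmp/rkhunter.conf"
    remote_update_overrides > "$tmp/rkhunter.conf.local"
    for opt in WEB_CMD MIRRORS_MODE UPDATE_MIRRORS; do
        echo "$opt=$(effective_option "$opt" "$tmp/rkhunter.conf" "$tmp/rkhunter.conf.local")"
    done
    rm -rf "$tmp"
}
```

On a real host, `check_web_cmd "$(effective_option WEB_CMD /etc/rkhunter.conf /etc/rkhunter.conf.local)"` tells you whether the downloader setting still carries the stray quotes before you spend time on mirror failures; `remote_update_overrides > /etc/rkhunter.conf.local` writes the override file (review the existing one first rather than overwriting it).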


[Rkhunter-users] GNU GPL license updated

2021-02-06 Thread John Horne
Hello,

For the next release of 'rkhunter' I have updated the GNU GPL license file
('LICENSE') from version 2 to version 3. I have also modified the supplied RPM
spec file template ('rkhunter.spec') to state the license as 'GPLv3+'.

I doubt these changes will affect anyone, but I feel that I should let you know
anyway.



John.



Re: [Rkhunter-users] Now using HTTPS

2021-02-06 Thread John Horne
On Sat, 2021-02-06 at 18:30 +, John Horne wrote:
> Hello,
>
> I have now modified the rkhunter sourceforge (SF) site to use HTTPS rather
> than HTTP. This should only affect the '--update' and '--versioncheck'
> options, which download files from SF. The rkhunter code itself has not been
> modified (yet) as SF say that they will simply perform a redirect as
> required.
>
Hello,

Unfortunately I have had to revert this change (so we are using HTTP again).
Rkhunter performs a check on the mirror URL(s), causing the above change to
fail. So we will need to push out a new version of rkhunter before we can move
to HTTPS.

If you really want to use HTTPS now, then you can either get the latest
development version (from
https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/ ) and download a
snapshot or you can modify the code yourself (it's only one line).

If you want to modify the code, then you need to change the 'rkhunter' program
(version 1.4.6) line 7502 from:

==
if [ $DOING_VERS_CHK -eq 0 -a "${MIRROR}" = "http://rkhunter.sourceforge.net" ]; then
==

to

==
if [ $DOING_VERS_CHK -eq 0 -a \( "${MIRROR}" = "https://rkhunter.sourceforge.io" -o "${MIRROR}" = "http://rkhunter.sourceforge.net" \) ]; then
==

In either case, you will then need to modify your 'mirrors.dat' file (usually
found at '/var/lib/rkhunter/db/mirrors.dat'). Change the mirror URLs in it to
'https://rkhunter.sourceforge.io' and modify the version number (the first
line) to something that begins '2022' (which is the year of the version). This
stops the file from being updated itself (otherwise the mirror would revert to
using HTTP again).




John.



[Rkhunter-users] Now using HTTPS

2021-02-06 Thread John Horne
Hello,

I have now modified the rkhunter sourceforge (SF) site to use HTTPS rather than
HTTP. This should only affect the '--update' and '--versioncheck' options,
which download files from SF. The rkhunter code itself has not been modified
(yet) as SF say that they will simply perform a redirect as required.

The modification also now uses PHP 7 rather than PHP 5 at SF. I don't think
this has any effect on rkhunter.

The Rootkit Hunter project website itself has not been modified to use HTTPS
yet. So you may get a warning about some parts of the site being insecure. I'll
look into that when I get a moment.



John.



Re: [Rkhunter-users] Log + SCRIPTWHITELIST question (was Re: Log file attached)

2020-05-11 Thread John Horne
On Mon, 2020-05-11 at 19:56 +, Bruce Cantrall wrote:
> I sometime want to send special email with only part of the log file as shell
> script from cron.  I use egrep to get the parts I want in the email so it is
> formatted to my liking:
>
...
> ---
> Does anyone know how to whitelist a file with a SPACE in it?  Double-quotes
> did not seem to work in conf file with SCRIPTWHITELIST.
> [10:23:37]   /whatever/LicenseInformation.rtf [ Warning ]
> [10:23:37] Warning: No hash value found for file
> '/whatever/LicenseInformation.rtf ' in the 'rkhunter.dat' file.
>
> $ grep License /usr/local/etc/rkhunter.conf
> SCRIPTWHITELIST=/whatever/License Information.rtf
>
Hi,

The SCRIPTWHITELIST option above looks fine. It is treated correctly as the
warning shows it recognizes the space (made visible by '').

Did you tell rkhunter to actually monitor the file
(using USER_FILEPROP_FILES_DIRS)? The 'no hash value' message seems to indicate
that 'rkhunter --propupd' has not been run (once it has been told to monitor
the file).


John.



Re: [Rkhunter-users] Log file attached

2020-05-11 Thread John Horne
On Mon, 2020-05-11 at 04:36 +, Fred Sahakian via Rkhunter-users wrote:
> I have a new installation of Rkhunter running nicely. The reporting logs are
> coming as an attachment in an email. On another server I have, log
> information is embedded within the email. I'm stumped on how to get the report
> on the new installation to be embedded as well instead of an attachment.
>
Hi,

rkhunter itself does not reformat mail at all (i.e. as an attachment). It
simply uses whatever command has been configured (MAIL_CMD). I suggest looking
at the rkhunter configs on both servers to see if they are using different mail
commands.



John.



Re: [Rkhunter-users] rkhunter from a rescue system

2019-11-30 Thread John Horne
On Tue, 2019-11-26 at 11:42 +, Schultheis Burkhard wrote:
> Because it's a bad idea to run rkhunter from system which rkhunter should
> examine, I want to run rkhunter from a clean rescue system with mounted
> partitions (on /mnt) from the system in question. I have searched the
> internet for a replacement for the deprecated option -r, but have not found a
> solution until now.
>
The only thing I can think of is that if you have the whole system mounted
under /mnt, then chroot to /mnt and then run rkhunter.

> Is it really impossible to direct rkhunter to another root directory?
>
Yes, other than as above by using chroot.

>  If so, then rkhunter is almost useless in my opinion.
>
Fair enough, you don't have to use it.



John.

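John's answer is chroot, and that works, but it has a property worth being explicit about: inside the chroot, the shell, the `rkhunter` script and every utility it calls (`stat`, `md5sum`, `ls` and so on) come from the suspect filesystem, so only the kernel and the process list come from the rescue environment. The following is an added example, not rkhunter's code, that wraps the mount/chroot/umount sequence with a dry-run switch so the commands can be reviewed first; `/mnt` and `DRY_RUN` are the example's own choices.

```shell
#!/bin/sh
# Added example, not rkhunter's code: run rkhunter against a suspect system
# whose filesystem is mounted under a directory (the message's /mnt), by
# bind-mounting the pseudo-filesystems and entering it with chroot.  Note the
# trade-off this leaves: the shell, rkhunter and the utilities it calls are the
# ones inside the chroot, i.e. the suspect system's own, so only the kernel
# comes from the rescue environment.  Set DRY_RUN=1 to print the commands
# instead of running them (root is needed for the real run).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# rkhunter_from_rescue MOUNTPOINT [rkhunter options...]
rkhunter_from_rescue() {
    root=${1:?usage: rkhunter_from_rescue MOUNTPOINT [rkhunter options]}
    shift
    [ -x "$root/bin/sh" ] || [ "${DRY_RUN:-0}" = 1 ] || {
        echo "$root does not look like a mounted root filesystem (no bin/sh)" >&2
        return 1
    }
    for fs in proc sys dev; do
        run mount --bind "/$fs" "$root/$fs"
    done
    # --sk skips the keypress prompts, so this also works from a script
    status=0
    run chroot "$root" rkhunter --check --sk "$@" || status=$?
    for fs in dev sys proc; do
        run umount "$root/$fs"
    done
    return $status
}
```

A dry run such as `DRY_RUN=1 rkhunter_from_rescue /mnt --rwo` prints the six commands in order; the real run returns rkhunter's own exit status after the pseudo-filesystems have been unmounted again.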


Re: [Rkhunter-users] Signatures updates

2019-11-22 Thread John Horne
On Fri, 2019-11-22 at 11:33 +, rob pearman wrote:
> Thanks John, Al for your help.
>
> Sorry if I confused things both not understanding properly how RKH
> operates and also using the term 'signatures' which obv has specific
> meaning in an RKH context.
>
No, the RKH signatures are similar to typical AV signatures. They are just not
maintained anymore.


John.

>
> On Fri, 22 Nov 2019 at 11:25, Al Varnell  wrote:
> > On Nov 22, 2019, at 02:04, rob pearman  wrote:
> >
> >
> > I couldn't see anything useful in the changelog
> >
> >
> > There is a date next to each new release. I was simply trying to give you a
> > feel for how often signatures are updated in answer to your second
> > question. The last was on 20/02/2018.
> >
> > -Al-
>


Re: [Rkhunter-users] Signatures updates

2019-11-22 Thread John Horne
On Fri, 2019-11-22 at 10:04 +, rob pearman wrote:
> Thanks for coming back to me, Al.
>
> I couldn't see anything useful in the changelog, but looking further
> at how RKH seems to work it looks like it would pick up HiddenWasp (as
> an example) because it preloads a shared library as part of its
> infection process.
>
Absolutely correct. Whilst using signatures works for specific things, RKH has
the advantage of detecting general things which can be characteristic of
malware. In this instance RKH does not list checking for hiddenwasp, but it
would detect 'odd things' such as the ld preloading and the fact that
hiddenwasp creates an account. For me these are reasons why RKH is actually
quite good to use, but alongside other security software.

Reading an article on hiddenwasp it was slightly odd/funny to read that approx
60 or so AV software did not detect it. This was because they had no signature
for it. If they checked rootkit/malware detection software, such as RKH, then I
suspect they would find that it would, in effect, be detected (or at least odd
things flagged).

As to signatures in RKH, this was something that unSpawn started. Unfortunately
it then sort of fizzled out, and unSpawn has not been heard of since then.
Although there is a signatures subdirectory, with files in it, they are not
maintained.

As to hiddenwasp, and a couple of others, I'll see about adding some checks for
the files it uses ('/lib/se1inux.so' or some such).



John.

> On Thu, 21 Nov 2019 at 18:54, Al Varnell wrote:
> > Take a look at the release dates in the Change Log to see how often
> > signatures are update:
> >
> > <https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/CHANGELOG>
> >
> > -Al-
> > macOS User
> >
> > On Nov 21, 2019, at 07:47, rob pearman wrote:
> >
> > Hi!
> >
> > I'd be grateful if someone could answer a couple of questions ...
> >
> > 1. I'm aware that in principle it checks for changes to key files that
> > might indicate a replacement by a rootkit/virus, and I've already set
> > up my installation to check against my package manager's details (DPKG
> > in my case), however there are also rootkit-specific tests run by RKH
> > that are listed toward the end of the 'check' process. Notably absent
> > from this list are some recent nasties such as HiddenWasp - is this
> > because the signatures haven't been updated yet, or would it be
> > detected by more generic checks that mean it doesn't need specific
> > checks to be performed?
> >
> > 2. what is the process, and how often are the RKH signatures updated?
> >
> > Thanks for your help.
> > Rob
>
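The two "odd things" John says RKH would flag for HiddenWasp, a library pushed into every process through ld.so.preload and an account the malware adds, can be checked without a per-family signature. The following is an added example, not rkhunter's own code: two POSIX sh functions that compare the live state against a whitelist or baseline and report whatever is not accounted for. All sample input is constructed here (the passwd lines, the whitelist and the baseline are invented; the '/lib/se1inux.so' path is only the one John mentions above).

```sh
#!/bin/sh
# Added example, not rkhunter code: signature-free checks for two things a
# userland rootkit typically leaves behind, an ld.so.preload entry and an
# extra account. Both functions take files as arguments, so they can be run
# against the live system (/etc/ld.so.preload, /etc/passwd) or, as below,
# against constructed samples.

# check_preload FILE WHITELIST
#   FILE is in ld.so.preload format (one library per line, '#' comments).
#   WHITELIST is a space-separated list of paths that are allowed there.
#   Prints every other entry; returns 1 if any were printed, else 0.
check_preload() {
    file=$1; allow=$2; bad=0
    [ -f "$file" ] || return 0             # no preload file is the normal state
    while IFS= read -r line || [ -n "$line" ]; do
        lib=${line%%#*}                    # drop comments
        lib=$(printf '%s' "$lib" | tr -d ' \t\r')
        [ -n "$lib" ] || continue
        case " $allow " in
            *" $lib "*) ;;                 # explicitly allowed
            *) printf 'preload: unexpected library %s\n' "$lib"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# check_accounts PASSWD BASELINE
#   PASSWD is in passwd(5) format; BASELINE lists expected user names, one
#   per line. Flags names missing from the baseline and any UID 0 account
#   other than root (a second UID 0 user is a classic backdoor).
#   Returns 1 if anything was flagged.
check_accounts() {
    passwd=$1; baseline=$2; bad=0
    while IFS=: read -r name pw uid rest || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        if ! grep -qx -- "$name" "$baseline"; then
            printf 'account: %s is not in the baseline\n' "$name"; bad=1
        fi
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            printf 'account: %s has UID 0\n' "$name"; bad=1
        fi
    done < "$passwd"
    return $bad
}

# make_samples DIR: writes constructed sample inputs (not from a real host).
make_samples() {
    cat > "$1/ld.so.preload" <<'EOF'
# one library per line, loaded into every dynamically linked process
/usr/lib/libfakeroot.so
/lib/se1inux.so
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sftp:x:0:1001::/var/tmp:/bin/sh
EOF
    printf 'root\ndaemon\n' > "$1/baseline"
}

# Stand-alone run: the whitelist permits libfakeroot only, so se1inux.so and
# the 'sftp' UID 0 account are both reported.
demo=$(mktemp -d)
make_samples "$demo"
status=0
check_preload "$demo/ld.so.preload" /usr/lib/libfakeroot.so || status=1
check_accounts "$demo/passwd" "$demo/baseline" || status=1
rm -rf "$demo"
if [ "$status" -eq 0 ]; then echo 'no generic indicators found'
else echo 'generic indicators found: investigate before whitelisting anything'; fi
```

On a real host the baseline of account names must live somewhere the intruder cannot edit, otherwise a rootkit that adds a user can add it to the baseline as well; the same applies to rkhunter's own data files.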


Re: [Rkhunter-users] How to whitelist a path in rkhunter 'running_procs' test?

2019-10-30 Thread John Horne
On Wed, 2019-10-30 at 10:44 +, Finn Fausto wrote:
> Hi!
>
> I have rootkit hunter running on one of my virtual machines. I'm getting a
> result of:
>
> Info: Starting test name 'running_procs'
> Checking running processes for suspicious files [ Warning ]
> Warning: The following processes are using suspicious files:
> Command: httpd.bin
> UID: 0 PID: 1899
> Pathname: /opt/redmine/apache2/bin/httpd.bin
> Possible Rootkit: IRC bot
>
> Yes, I'm using Redmine also for testing. And this is a false positive
> detection by rkhunter, right? Since it is being used by Redmine.
> I want rkhunter to skip the path of /opt/redmine/apache2/bin/httpd.bin when
> my rkhunter script runs.
> I already edited my rkhunter.conf and tried to put the path in the EXISTWHITELIST,
> SCRIPTWHITELIST, and ALLOWIPCPROC sections but I still get the warning.
>
> Can't find a reference on whitelisting a path that is located in the /opt
> directory. What variable in the rkhunter.conf should I use for whitelisting
> the said path?
>
Use:
RTKT_FILE_WHITELIST=/opt/redmine/apache2/bin/httpd.bin

As the config file says though you may also want to ensure that the file is
checked in the file properties check. For that add:
USER_FILEPROP_FILES_DIRS=/opt/redmine/apache2/bin/httpd.bin



John.



Re: [Rkhunter-users] Suspicious Shared Memory segments | warning per mail

2019-10-28 Thread John Horne
On Mon, 2019-10-28 at 10:20 +, Koblenz Thomas wrote:
> Hi
>
> the whitelist is working, I see that in the logs. But I still get a warning
> via e-mail.
>
> Info: Found process pathname '/opt/commvault2/Base64/cvd': it is whitelisted.
>
> Is it possible to disable e-mail warnings for whitelisted things?
>
Would you send me a copy of the log file please? Or at least the part
containing the output from the whole of the test.


Thanks,

John.
>
>
> -Original Message-
> From: Al Varnell
> Sent: Monday, 28 October 2019 09:27
> To: RKHunter-Users
> Cc: Koblenz Thomas
> Subject: Re: [Rkhunter-users] Suspicious Shared Memory segments | warning per
> mail
>
> On Mon, Oct 28, 2019 at 00:31 AM, Koblenz Thomas wrote:
> > Hello,
> >
> > I have a problem with a false-positive for Suspicious Shared Memory
> > segments. Since the last update of the Commvault Agent I always get
> > warnings for Suspicious Shared Memory segments.
> >
> > [08:18:25]   Process: /opt/commvault/Base64/cvd    PID: 758    Owner: root    [ Found ]
> > [08:18:25]   Process: /opt/commvault/Base64/cvd    PID: 758    Owner: root    [ Found ]
> >
> >
> > I have already made the following entry in the rkhunter.log
> > ALLOWIPCPROC= "/opt/commvault/Base64/cvd
>
> I suspect you meant to say in the rkhunter.conf file, but I think the error
> is in placing a space and quote before the path. Shouldn't it read:
> ALLOWIPCPROC=/opt/commvault/Base64/cvd
>
> -Al-
>
> > Unfortunately we still get mails informing us about a warning. Is it
> > possible to configure rkhunter to stop sending mail when a whitelist has
> > been configured?
> >
> > Version : Rootkit Hunter 1.4.2, Deb9.11
> >
> >
> >
> > Thomas
>


Re: [Rkhunter-users] rkhunter --propupd changes not recognized

2019-09-11 Thread John Horne
On Tue, 2019-09-10 at 16:36 -0700, Al Varnell wrote:
> It should be, but for whatever reason the OP must have intended to disable
> it. But his issue was why propupd didn't prevent warning.
>
Correct. I was not going to argue *why* the user would want to do this :-)

Secondly, he did say 'for example', so it may well not be curl that he was
actually trying to modify.



John.

>
> On Tue, Sep 10, 2019 at 15:05 PM, Stockwell, Steven [US] (MS) wrote:
> > Shouldn't curl be 755 or 700?  Not 600 (not executable).
> >
> > S^2
> >
> > -----Original Message-
> > From: John Horne 
> > Sent: Sunday, September 08, 2019 2:22 PM
> > To: rkhunter-users@lists.sourceforge.net
> > Subject: EXT :Re: [Rkhunter-users] rkhunter --propupd changes not
> > recognized
> >
> > On Sun, 2019-09-08 at 11:45 +0200, ratatouille via Rkhunter-users wrote:
> > > Hello!
> > >
> > > When I change the permissions of for example /usr/bin/curl to 0600 and
> > > do a rkhunter --propupd after, rkhunter warns me nevertheless that
> > > the properties of curl have been changed.
> > >
> > > How can I correct this?
> > >
> > If you are using the PKGMGR option then you'll need to exclude the file
> > from
> > using the package manager. (See PKGMGR_NO_VRFY)
> >
> >
> >
> > John.
>
>
>


Re: [Rkhunter-users] rkhunter --propupd changes not recognized

2019-09-08 Thread John Horne
On Sun, 2019-09-08 at 11:45 +0200, ratatouille via Rkhunter-users wrote:
> Hello!
>
> When I change the permissions of for example /usr/bin/curl to 0600 and
> do a rkhunter --propupd after, rkhunter warns me nevertheless that
> the properties of curl have been changed.
>
> How can I correct this?
>
If you are using the PKGMGR option then you'll need to exclude the file from
using the package manager. (See PKGMGR_NO_VRFY)



John.



Re: [Rkhunter-users] rkhunter giving ssh root login warning even when both config files are set to “no” root login

2019-08-09 Thread John Horne
On Fri, 2019-08-09 at 12:39 +0300, Nerijus Baliūnas via Rkhunter-users wrote:
> 2019-08-09 12:18, John Horne wrote:
> > On Thu, 2019-08-08 at 21:49 +, Richard Shelquist wrote:
> > > I'm getting an ssh warning from rkhunter, even though the sshd and
> > > rkhunter options for root login are both set to "no". My server is
> > > running Centos 7.6.1810 with rkhunter 1.4.6.
> > >
> > > The system started with sshd and rkhunter root login options set to
> > > "yes", and I was not receiving any error message. But then when server
> > > setup was complete, I switched both of the root login options to "no" and
> > > that is when the warnings began.
> > >
> > > Here are grep results which verify that the sshd and rkhunter config
> > > settings are both set to "no":
> > >
> > > $ grep PermitRootLogin /etc/ssh/sshd_config
> > > PermitRootLogin no
> > >
> > You need the equal sign (=) in there.
> > PermitRootLogin=no
>
> Not really, PermitRootLogin no works OK. Actually there are no "=" in
> /etc/ssh/sshd_config
> except line # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
>
Oops, you are correct. I completely misread that as the RKH config option.

In which case I would suspect an odd character has got into one of the config
files for those options.

Try running:
cat -vet /etc/ssh/sshd_config | grep PermitRootLogin

and see if any odd characters (a space or control characters) are shown with
the option. (The line should end with a dollar sign, so a space at the end will
look like '...no $' rather than '...no$')



John.

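A scripted form of the check John suggests, added here as an example and not taken from rkhunter: the first function looks at each line of an sshd_config-style file that sets a given option, renders it the way `cat -vet` would (control characters escaped, a '$' at the end of the line), and flags a carriage return, trailing whitespace or any other non-printable byte; the second extracts the value the way sshd reads it (first occurrence wins, '=' or whitespace as separator), which is the value rkhunter compares with its own ALLOW_SSH_ROOT_USER option. The sample configuration is constructed, and Match blocks are not handled.

```sh
#!/bin/sh
# Added example, not rkhunter code: find the kind of invisible character
# that makes an sshd option look right to a human but not to a parser.

# check_option_lines FILE KEYWORD
#   For every line in FILE that sets KEYWORD (case-insensitive, leading
#   whitespace allowed, 'Keyword value' or 'Keyword=value'), prints the line
#   as 'sed -n l' renders it together with what is wrong with it.
#   Returns 1 if any line was flagged, else 0.
check_option_lines() {
    file=$1; key=$2; bad=0
    cr=$(printf '\r')
    for num in $(grep -inE "^[[:space:]]*$key([[:space:]]|=)" "$file" | cut -d: -f1); do
        line=$(sed -n "${num}p" "$file")
        problem=
        case $line in
            *"$cr"*)       problem='carriage return (DOS line ending)' ;;
            *[[:space:]])  problem='trailing whitespace' ;;
        esac
        if [ -z "$problem" ] && printf '%s' "$line" | LC_ALL=C grep -q '[^ -~]'; then
            problem='non-printable or non-ASCII byte'
        fi
        if [ -n "$problem" ]; then
            printf '%s:%s: %s: ' "$file" "$num" "$problem"
            printf '%s\n' "$line" | sed -n l      # same rendering as cat -vet
            bad=1
        fi
    done
    return $bad
}

# option_value FILE KEYWORD
#   Prints the value the first matching line sets for KEYWORD, lower-cased
#   and stripped of CR and surrounding whitespace; prints nothing if the
#   option is not set. Works for sshd_config ('PermitRootLogin no') and for
#   rkhunter.conf ('ALLOW_SSH_ROOT_USER=no') alike.
option_value() {
    grep -iE "^[[:space:]]*$2([[:space:]]|=)" "$1" | head -n 1 \
        | sed -e 's/^[[:space:]]*[A-Za-z_]*[[:space:]=]*//' -e 's/[[:space:]]*$//' \
        | tr -d '\r' | tr 'A-Z' 'a-z'
}

# make_sample FILE: constructed sshd_config fragment. Line 3 carries an
#   invisible trailing space and line 4 a DOS line ending; line 2 is a
#   comment that must be ignored.
make_sample() {
    printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin no \nPermitRootLogin no\r\n' > "$1"
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
printf 'effective PermitRootLogin: %s\n' "$(option_value "$sample" PermitRootLogin)"
check_option_lines "$sample" PermitRootLogin \
    || echo 'fix the flagged lines in the real files, then re-run rkhunter'
rm -f "$sample"
```

On a live host run `check_option_lines /etc/ssh/sshd_config PermitRootLogin` and `check_option_lines /etc/rkhunter.conf ALLOW_SSH_ROOT_USER`; `sshd -T | grep -i permitrootlogin` then shows the value the daemon actually applies, and the rkhunter option has to agree with that.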


Re: [Rkhunter-users] rkhunter giving ssh root login warning even when both config files are set to “no” root login

2019-08-09 Thread John Horne
On Thu, 2019-08-08 at 21:49 +, Richard Shelquist wrote:
> I'm getting an ssh warning from rkhunter, even though the sshd and rkhunter
> options for root login are both set to "no". My server is running Centos
> 7.6.1810 with rkhunter 1.4.6.
>
> The system started with sshd and rkhunter root login options set to "yes",
> and I was not receiving any error message. But then when server setup was
> complete, I switched both of the root login options to "no" and that is when
> the warnings began.
>
> Here are grep results which verify that the sshd and rkhunter config settings
> are both set to "no":
>
> $ grep PermitRootLogin /etc/ssh/sshd_config
> PermitRootLogin no
>
You need the equal sign (=) in there.
PermitRootLogin=no



John.



Re: [Rkhunter-users] Cannot update or versioncheck, "Unable to determine the latest version number."

2019-08-05 Thread John Horne
On Mon, 2019-08-05 at 08:15 -0400, Slow Bro wrote:
>
> > [01:00:07] Checking file mirrors.dat [ Skipped ]
> > [01:00:07] Info: The mirrors file has no required mirrors in it:
> >
Your config file probably has the MIRRORS_MODE option set. If you have set it to
use local mirrors, then the mirrors file has no local mirrors in it (just the
remote sourceforge ones). Hence, there are no required mirrors and all the
other file checks fail.

Remove the MIRRORS_MODE option from the config file.



John.



Re: [Rkhunter-users] Broken link

2019-07-03 Thread John Horne
On Mon, 2019-06-24 at 16:58 -0600, Pascal via Rkhunter-users wrote:
> The link to "Rootkit Hunter installation tutorial" at
> http://rkhunter.sourceforge.net is broken.
>
Thanks for that. I have changed the link to point to the wiki contents page. It
does contain an 'install' page in there. To be honest though, the wiki hasn't
been updated in a few years now.



John.



Re: [Rkhunter-users] Warn users if file exists?

2019-07-03 Thread John Horne
On Mon, 2019-06-24 at 17:16 -0600, Pascal via Rkhunter-users wrote:
> Is this software capable of warning anyone with the file /etc/cron.d/sysstat2
> on their systems that they have been compromised?  More details at
> https://serverfault.com/questions/972726/how-do-i-warn-people-that-a-repo-has-been-hacked
>
Hi,

I have added a check for the file in the dev version. If the file exists it'll
be reported as a malware component. I couldn't actually find out what the file
did or contained, and, as far as I can tell, the relevant file (an RPM file to
install a yum repo) has now been corrected. Even so, these things can pop up
again at times.



John.



Re: [Rkhunter-users] Warn users if file exists?

2019-07-01 Thread John Horne
On Mon, 2019-06-24 at 17:16 -0600, Pascal via Rkhunter-users wrote:
> Is this software capable of warning anyone with the file /etc/cron.d/sysstat2
> on their systems that they have been compromised?  More details at
> https://serverfault.com/questions/972726/how-do-i-warn-people-that-a-repo-has-been-hacked
>
USER_FILEPROP_FILES_DIRS=/etc/cron.d/*

If the file appears then when an RKH check is run it will let you know.



John.

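What USER_FILEPROP_FILES_DIRS=/etc/cron.d/* buys you is a stored baseline of the directory that later runs are compared against. The following added example (not rkhunter code, and a far simpler record format than rkhunter's own rkhunter.dat) shows that mechanism end to end in POSIX sh: snapshot a directory's regular files by SHA-256, then compare a later snapshot and report files added, changed or removed, which is how an unexpected /etc/cron.d/sysstat2 would surface. The directory contents are constructed; file names are assumed to contain no tabs or newlines.

```sh
#!/bin/sh
# Added example, not rkhunter code: a baseline-and-compare check for a
# directory, the mechanism behind rkhunter's file properties test.

# hash_file FILE: SHA-256 hex digest (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR: one 'digest<TAB>relative-path' line per regular file, sorted.
#   Keep the output where an intruder cannot rewrite it (rkhunter keeps its
#   own in rkhunter.dat); a baseline the attacker can edit proves nothing.
snapshot() {
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "${f#"$dir"/}"
    done
}

# compare OLD NEW: prints 'added/changed/removed <path>' for every
#   difference between two snapshots, sorted; returns 1 if there were any.
compare() {
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }      # first file: baseline
        {
            seen[$2] = 1
            if (!($2 in base))        print "added   " $2
            else if (base[$2] != $1)  print "changed " $2
        }
        END { for (p in base) if (!(p in seen)) print "removed " p }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -n "$diffs" ] || return 0
    printf '%s\n' "$diffs"
    return 1
}

# make_sample DIR: constructed cron.d-like content, not from a real host.
make_sample() {
    mkdir -p "$1"
    printf '0 * * * * root /usr/lib/sysstat/sa1\n' > "$1/sysstat"
    printf '30 2 * * * root /usr/bin/rkhunter --cronjob --rwo\n' > "$1/rkhunter"
}

# tamper DIR: what a bad package update could do: drop in a new job,
#   rewrite an existing one and delete another.
tamper() {
    printf '* * * * * root /tmp/.x\n' > "$1/sysstat2"
    printf '0 * * * * root /tmp/.sa1\n' > "$1/sysstat"
    rm -f "$1/rkhunter"
}

# Stand-alone run: baseline, tamper, compare.
work=$(mktemp -d)
make_sample "$work/cron.d"
snapshot "$work/cron.d" > "$work/baseline"
tamper "$work/cron.d"
snapshot "$work/cron.d" > "$work/current"
compare "$work/baseline" "$work/current" \
    || echo 'cron.d differs from the baseline: investigate before running --propupd'
rm -rf "$work"
```

The last line of the run is the important operational point: --propupd accepts the current state as the new baseline, so it is only safe after the differences have been explained.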


Re: [Rkhunter-users] Process with semicolon: bug or linux feature

2019-05-25 Thread John Horne
On Sun, 2019-05-26 at 00:19 +0300, Olexandra Bokova wrote:
> Hi!
>
> Thank you for reply!
>
> I haven't got access to the server right now. I can give the message in two
> days, if you need. But the main and only warning there is:
>
> Warning: Process '/usr/sbin/NetworkManager;5cyt67yr' (PID 2813) is listening
> on the network.
>
I think we'll need to see the output from a debug run of rkhunter. Can you run
rkhunter with the '--debug' option and send me a copy of the file it produces
in '/tmp' please.


Thanks,

John.



Re: [Rkhunter-users] Process with semicolon: bug or linux feature

2019-05-25 Thread John Horne
On Fri, 2019-05-24 at 22:59 +0300, Olexandra Bokova wrote:
>
> For quite a long time I have been getting warnings about a process listening on the network.
> It looks like '/usr/sbin/NetworkManager;bla-bla-bla' where bla-bla-bla is a
> short ID like 1ab2c3d. I haven't found any hint as to what this ID may mean.
> Certainly it is not a PID and not a user name. Could someone make it clear
> please?
>
Hello,

Can you show us the actual message from the log file please?



John.



Re: [Rkhunter-users] Invalid USER_FILEPROP_FILES_DIRS in RKHunter > 1.4.0

2019-03-06 Thread John Horne
On Wed, 2019-03-06 at 15:39 +1100, Abdul Qoyyuum wrote:
> Hello fellow sysadmins,
>
> New to the mailing list. A system infrastructure that I'm maintaining has a
> problem with RKHunter. Even more so that the RKHunter version is not the same
> across all virtual machines. Some are on 1.4.0 and some are on 1.4.2. When
> `rkhunter --propupd` is run by puppet, this shows up in the logs:
>
> Invalid USER_FILEPROP_FILES_DIRS configuration option: Relative pathname:
> !/path/to/exclude/bla/bla
>
Use the EXCLUDE_USER_FILEPROP_FILES_DIRS configuration option (look in the
supplied configuration file). This will only work with version 1.4.2 and above.
For earlier versions use the '!' character with the USER_FILEPROP_FILES_DIRS
option as you have done.

As others have mentioned though 1.4.2 is very old now.



John.



Re: [Rkhunter-users] Invalid USER_FILEPROP_FILES_DIRS in RKHunter > 1.4.0

2019-03-06 Thread John Horne
On Wed, 2019-03-06 at 17:19 +1100, Abdul Qoyyuum wrote:
> Thanks for the response Al.
>
> I took on the maintenance job without knowing about these version differences
> in the infrastructure and don't know much about RKHunter. The docs aren't
> very well documented (or that I can't find them properly) so I can't tell
> what has been changed between any version.
>
Look in the supplied CHANGELOG file.


John.



Re: [Rkhunter-users] Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

2019-02-24 Thread John Horne
On Sun, 2019-02-24 at 11:33 -0600, Patrick Kirchner wrote:
> Hi,
>
> I have this warning, which is new for my system, this morning in the
> rkhunter.log report.
>
> The contents of /var/run/udev.pid are just 3219, which matches the udevd
> process:
>
> ps -ef |grep 3219
> root  3219 1  0 Feb23 ?00:00:00 /sbin/udevd
>
> /sbin/udevd reports as an ELF binary:
>
> sudo file  /sbin/udevd
> /sbin/udevd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV),
> dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux
> 3.2.0, stripped
>
> It looks to belong to the installed udevd package on my Gentoo system:
>
> equery b  /sbin/udevd
>  * Searching for /sbin/udevd ...
> sys-fs/eudev-3.2.5 (/sbin/udevd)
>
> Can I somehow safely whitelist this file in /etc/rkhunter.conf?  I don't see
> any other PID files whitelisted so I'm hesitant to do this.  If so, is there
> a special syntax for whitelisting a PID file as opposed to SCRIPTWHITELIST?
>
Without installing gentoo, it is a bit difficult to see (using google) if udev
creates a pid file in /run/udev. (My fedora system does not.)
On the one hand if xorddos was present then I would have expected to have seen
more than one warning (there are several checks for xorddos, so receiving just
the one warning sways me towards a false-positive).
On the other hand, why has this just started now? I assume you had udevd
running before, and have run rkhunter on the system before. So why is the pid
file only now created and detected? That seems suspicious.

In answer to your question though, take a look at the config option
RTKT_FILE_WHITELIST.



John.


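The triage Patrick did by hand (read the pid file, confirm the pid belongs to a live process, look at the binary behind it) as an added shell example; this is not code from the thread or from rkhunter. The optional second argument PROCROOT is an assumption of this script: it defaults to /proc and exists only so the function can be exercised against a constructed tree. A pid file whose process is gone, or whose executable has been unlinked since it started, is the kind of result that argues against adding the file to RTKT_FILE_WHITELIST; the package-ownership check from the thread (equery on Gentoo) is the other half of the decision and is left to the package manager.

```shell
#!/bin/sh
# Added example (not from the thread or the rkhunter project): tie a pid
# file to a live process before deciding whether a warning about it is a
# false positive.

# triage_pidfile PIDFILE [PROCROOT]
# Prints one line describing the process named in PIDFILE and returns 0,
# or prints why the file could not be tied to a live process and returns 1.
# PROCROOT defaults to /proc; it is an assumption of this script so the
# function can be run against a constructed tree.
triage_pidfile() {
    pidfile="$1"
    procroot="${2:-/proc}"

    if [ ! -r "$pidfile" ]; then
        printf 'unreadable: %s\n' "$pidfile"
        return 1
    fi

    # A pid file should hold a single integer and nothing else.
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            printf 'not-a-pid: %s holds "%s"\n' "$pidfile" "$pid"
            return 1 ;;
    esac

    if [ ! -d "$procroot/$pid" ]; then
        printf 'stale: pid %s is not running\n' "$pid"
        return 1
    fi

    # <procroot>/<pid>/exe is a symlink to the running binary; the kernel
    # appends " (deleted)" when that binary was unlinked after the start.
    exe=$(readlink "$procroot/$pid/exe" 2>/dev/null || printf 'unknown')
    case "$exe" in
        *' (deleted)')
            printf 'pid=%s exe=%s (binary removed after start, investigate)\n' "$pid" "$exe" ;;
        *)
            printf 'pid=%s exe=%s\n' "$pid" "$exe" ;;
    esac
    return 0
}

# Stand-alone use: the pid file from the thread, when present on this host.
if [ -e /var/run/udev.pid ]; then
    triage_pidfile /var/run/udev.pid || :
fi
```

Run it as root so /proc/<pid>/exe is readable for processes owned by other users; the "unknown" fallback is what an unprivileged run produces.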

Re: [Rkhunter-users] Daily report & system updates

2019-02-20 Thread John Horne
On Wed, 2019-02-20 at 09:44 -0500, Mark Stosberg wrote:
> On Debian-based systems, update /etc/defaults/rkhunter and set
> APT_AUTOGEN="true".
>
> This will run "rkhunter --propupd" after every run of "unattended-upgrades"--
> the nightly security updates.
>
I would be wary of using the '--propupd' option automatically. That would, in
effect, hide any changes made to any other files. It may be better to use the
package manager option (PKGMGR) in the rkhunter config file. That way any
updated packages should still verify okay (without using '--propupd'), but any
other modified files (packaged or not) will still be flagged when you run a
check.



John.



Re: [Rkhunter-users] Rkhunter says : Invalid syslog facility name: none

2018-11-26 Thread John Horne
On Mon, 2018-11-26 at 08:14 +0200, Brent Clark wrote:
> Thanks for replying.
>
> I'm running
>
> No LSB modules are available.
> Distributor ID:Ubuntu
> Description:Ubuntu 14.04.5 LTS
> Release:14.04
> Codename:trusty
>
What do you have USE_SYSLOG set to in your rkhunter config file?



John.


> On 2018/11/24 03:40, Al Varnell wrote:
> > What platform, OS and version are you running?
> >
> > Sent from my iPad
> >
> > -Al-
> > macOS user
> >
> > On Nov 23, 2018, at 11:19, Brent Clark <mailto:brentgclarkl...@gmail.com> wrote:
> >
> > > Good day Guys
> > >
> > > I just installed rkhunter, but when I run it, I get the following
> > > message.
> > >
> > > Invalid syslog facility name: none
> > >
> > > For the likes of me, I can't figure this out.
> > >
> > > Please could you assist on what the problem could be.
> > >
> > > Many thanks
> > > Brent Clark
> > >
>
> ___
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] Problem installing and running rkhunter

2018-11-10 Thread John Horne
On Sat, 2018-11-10 at 16:43 -0500, Saul Jaffe wrote:
> I just downloaded rkhunter from sourceforge.  I did:
>
> sudo ./installer.sh --install
>
> Got as output:
>
> Starting installation:
>  Checking installation directory "/usr/local": it exists and is
> writable.
> ...
> Installation complete
>
> The instructions I was following (from another website) said I had to do:
>
> sudo rkhunter --propupd
>
> next which gave the output:
>
> Invalid BINDIR configuration option: Invalid directory found: .
>
Hi,

Could you run 'sudo -i' and then run the installer. Then try
'sudo rkhunter --propupd'.

I think just using 'sudo ./installer.sh' will confuse it a bit because it will
use the PATH of whatever account you are logged in as.




John.



Re: [Rkhunter-users] Problem installing and running rkhunter

2018-11-10 Thread John Horne
On Sat, 2018-11-10 at 16:43 -0500, Saul Jaffe wrote:
>
> The instructions I was following (from another website) said I had to do:
>
> sudo rkhunter --propupd
>
> next which gave the output:
>
> Invalid BINDIR configuration option: Invalid directory found: .
>
Hi,

I took a further look at this, and BINDIR is calculated when rkhunter is run.
(The 'configuration option' bit threw me.)

When BINDIR is checked it includes the root account PATH, and I suspect that in
that you have the current directory ('.') included. This is not a good idea,
and so rkhunter will object to it. (Use of '.' can allow programs to be run by
mistake.)


John.



Re: [Rkhunter-users] Possible Rootkit

2018-09-10 Thread John Horne
On Mon, 2018-09-10 at 19:43 +0200, Markus Egg wrote:
> On 10.05.18 at 04:04, Al Varnell wrote:
> > How about this section:
> >
> > >  Performing additional rootkit checks
> > > Checking for possible rootkit files and directories  [None found]
> > > Checking for possible rootkit strings[None found]
>
> Sorry to BUMP this older thread but I have a similar issue with rkhunter
> 1.4.6, just upgraded to 1.4.6.2 on Ubuntu 18.04.
>
> rootkit checks and additional checks are green.
>
> There are only 2 messages about "The following suspicious (large) shared
> memory segments have been found:"
> for  /usr/bin/xfdesktop ...  Size: 64MB (configured size allowed: 1,0MB)
> and  /usr/bin/lxterminal...  Size: 1,0MB (configured size allowed: 1,0MB)
> PID and user are correct.
>
> I am running XFCE so I wonder if rkhunter does not know about XFCE processes
>
It doesn't.

Look at the ALLOWIPCPROC config option.





John.



Re: [Rkhunter-users] Bytecode 67 failed to run

2018-06-25 Thread John Horne
On Sun, 2018-06-24 at 20:28 +0300, ellanios82 wrote:
> Hello List ,
>
>
> on openSUSE Tumbleweed , am seeing :
>
>
> **LibClamAV Warning: Bytecode 67 failed to run: Time limit reached**
>
>
> - what to do please
>
Perhaps ask on a ClamAV mailing list? Not sure what this has to do with RKH.



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread John Horne
On Mon, 2018-06-18 at 10:35 +, Kielbasiewicz, Peter wrote:
> I had tried this option before but it only works on USER files.
> Files like /etc/passwd or group are built in system files.
>
Hi,

Okay, I see the problem. Your root account PATH includes '/etc'. Although your
server will find the actual 'passwd' command in an earlier PATH directory, RKH
checks all the directories to ensure that any links or copies of commands are
detected. As such '/etc/passwd' gets added to the list of files which are to
have their properties checked (and cannot be modified).
(The test worked for me because my root account doesn't include '/etc'.)

I'm not too sure what to do about this. I'll have to think about it.


John.


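Both PATH problems John describes, the '.' entry from the November 2018 installer thread and the '/etc' entry from this one, come from the same place: rkhunter builds its command list from every directory in the root PATH. The following added shell example, not code from the threads or from rkhunter, audits a PATH string for those two cases. It flags empty components and relative names (both resolve to the current directory or to whatever the current directory contains, which is why rkhunter refuses them), and flags /etc and its subdirectories because, as the thread shows, a data directory in PATH drags files such as /etc/passwd into the file-properties check. The classification rules, the function names and the tab-separated output format are this script's own choices, not rkhunter's.

```shell
#!/bin/sh
# Added example (not from the threads or the rkhunter project): audit a
# PATH string for the components the two threads above show rkhunter
# objecting to.

# classify_path_entry ENTRY
# Prints ok, empty, relative or data-dir for one PATH component.
classify_path_entry() {
    case "$1" in
        "")           printf 'empty' ;;      # '' means the current directory
        /etc|/etc/*)  printf 'data-dir' ;;   # the case from the /etc/passwd thread
        /*)           printf 'ok' ;;
        *)            printf 'relative' ;;   # '.', '..', 'bin', ...
    esac
}

# unsafe_path_entries PATHSTRING
# Prints "<kind><TAB><entry>" for each component that is not ok.
unsafe_path_entries() {
    rest="$1:"              # trailing ':' so the last component is handled like the others
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # drop it together with the ':'
        kind=$(classify_path_entry "$entry")
        if [ "$kind" != ok ]; then
            printf '%s\t%s\n' "$kind" "$entry"
        fi
    done
    return 0
}

# count_unsafe_path_entries PATHSTRING
# Prints how many components were flagged (0 for a clean PATH).
count_unsafe_path_entries() {
    unsafe_path_entries "$1" | wc -l | tr -d ' '
}

# sanitize_path PATHSTRING
# Prints PATHSTRING with every flagged component removed: the PATH an
# admin would give the root session that runs rkhunter.
sanitize_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ "$(classify_path_entry "$entry")" = ok ]; then
            out="${out:+$out:}$entry"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone use: report on the PATH of the shell running this script.
printf 'auditing PATH=%s\n' "$PATH"
unsafe_path_entries "$PATH"
printf 'flagged components: %s\n' "$(count_unsafe_path_entries "$PATH")"
```

Run it from the root session that will run rkhunter (for example after 'sudo -i'), since that is the PATH rkhunter sees; a non-empty report is the cue to fix the profile before reaching for configuration workarounds.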

Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread John Horne
On Wed, 2018-06-20 at 09:55 +, Kielbasiewicz, Peter wrote:
> Hi John,
> I have systems with rkhunter 1.4.0, 1.4.2 and 1.4.6 as I use the rkhunter
> from the official Ubuntu repos.
> I have tested it on a latest Ubuntu 18.04 LTS which has rkhunter 1.4.6 as
> shown below in the propupd segment.
> The --debug option gave no output

Correct because it writes everything to a debug file. Look in /tmp.


John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread John Horne
On Wed, 2018-06-20 at 04:47 +, Kielbasiewicz, Peter wrote:
> Sorry John,
> no change.
> Did YOU ever try it on your machine?
>
Yes. It worked fine.

You are running rkhunter version 1.4.6?

Can you leave the EXCLUDE_USER_FILEPROP_FILES_DIRS option in the config file
and make a change to the /etc/passwd file. Then run 'rkhunter --enable
properties --debug' and send me the output file found in /tmp please.



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-19 Thread John Horne
On Tue, 2018-06-19 at 10:41 +, Kielbasiewicz, Peter wrote:
> Sorry for the confusion.
> I did copy the wrong statement in my last answer.
> Of course I had added the values shown below
> DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
> EXCLUDE_USER_FILEPROP_FILES_DIRS="etc/passwd"
>
Remove the double-quotes. Also you need a '/' before 'etc' - that is:

EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd



John.


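The advice in this thread (an absolute path, no double quotes) and in the March 2019 thread (EXCLUDE_USER_FILEPROP_FILES_DIRS from 1.4.2 onwards, the '!' prefix on USER_FILEPROP_FILES_DIRS for older releases) is what a configuration-management tool has to get right across a fleet of mixed rkhunter versions. The added shell example below, which is not code from the threads or from rkhunter, turns that advice into a generator for the one line to drop into rkhunter.conf.local: it compares the installed version numerically, strips the quoting and the stray '!' that caused trouble in the threads, and refuses a path that rkhunter would reject as "Relative pathname". The function names and the version comparison are this script's own; the 1.4.2 threshold is John's. Because the original March 2019 report shows a 1.4.x host rejecting the '!' form, verify the deployed line on each host with rkhunter's configuration check ('rkhunter -C') rather than assuming it was accepted.

```shell
#!/bin/sh
# Added example (not from the threads or the rkhunter project): emit the
# rkhunter.conf line that stops a file's properties being checked, in the
# syntax the installed version understands.

# version_ge A B
# True when dotted version A is at least version B, compared numerically
# component by component (so 1.4.10 > 1.4.2 and 1.4.6.2 > 1.4.6).
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -gt "${y:-0}" ]; then
            return 0
        elif [ "${x:-0}" -lt "${y:-0}" ]; then
            return 1
        fi
    done
    return 0
}

# fileprop_exclude_line VERSION PATH
# Prints the configuration line for PATH. Surrounding double quotes and a
# leading '!' are stripped from PATH first (the forms that went wrong in the
# threads). Prints nothing and returns 1 for a path that is not absolute.
fileprop_exclude_line() {
    ver="$1"
    p="$2"
    p=${p#\"}; p=${p%\"}       # rkhunter does not want the value quoted
    p=${p#"!"}                 # drop an old-style prefix the caller carried over
    case "$p" in
        /*) ;;
        *)
            printf 'error: %s is not an absolute path\n' "$p" >&2
            return 1 ;;
    esac
    if version_ge "$ver" 1.4.2; then
        printf 'EXCLUDE_USER_FILEPROP_FILES_DIRS=%s\n' "$p"
    else
        printf 'USER_FILEPROP_FILES_DIRS=!%s\n' "$p"
    fi
}

# Stand-alone use with constructed inputs: the two version families from the
# March 2019 thread, then the quoted, root-less value from this thread.
fileprop_exclude_line 1.4.0 /path/to/exclude/bla/bla
fileprop_exclude_line 1.4.2 /path/to/exclude/bla/bla
fileprop_exclude_line 1.4.6 '"/etc/passwd"'
fileprop_exclude_line 1.4.6 '"etc/passwd"' || printf 'rejected, as rkhunter would\n'
```

In a puppet manifest the version argument would come from the package fact for rkhunter on each node, so the same template yields the right syntax on the 1.4.0 and the 1.4.2 machines.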

Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-19 Thread John Horne
On Tue, 2018-06-19 at 05:24 +, Kielbasiewicz, Peter wrote:
> As I said, I had tried it before.
> I added
> USER_FILEPROP_FILES_DIRS="/etc/passwd"
> to rkhunter.conf.local but still got messages that the checksum of passwd had
> changed.
>
Yes, you will. That option says to monitor the file for changes.
I said to use the 'EXCLUDE_USER_FILEPROP_FILES_DIRS' option.



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-18 Thread John Horne
On Mon, 2018-06-18 at 10:35 +, Kielbasiewicz, Peter wrote:
> I had tried this option before but it only works on USER files.
>
Not really. It is not possible to disable some commands, but /etc/passwd is
just a data file.




John.



Re: [Rkhunter-users] Are mirrors having issues again

2018-06-16 Thread John Horne
On Sat, 2018-06-16 at 13:25 +, John Lorenz wrote:
> A question
> Are there any update pushes happening at 4 AM PST time, as this is very random
> and hits 10 to 20 of my servers?
>
RKH does not 'push'. It is purely pull from the client.


John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-14 Thread John Horne
On Thu, 2018-06-14 at 05:48 +, Kielbasiewicz, Peter wrote:
> I support >200 RnD Linux Boxes and maintain a local mechanism to monitor and
> update passwd and group files.
> So I needed to disable the test for group_accounts as changes to these files
> occur consolidated on all machines and I want to avoid daily warnings from
> every host on this as these are likely to obfuscate real problems.
> Alas rkhunter still complains about file property changes so I needed to
> disable the test on file properties too.
> In general I think it is good to monitor file property changes but I did not
> find a way to disable the test on individual system files.
> Is there a trick to do this?
>
Hi,

Take a look at the EXCLUDE_USER_FILEPROP_FILES_DIRS option.


John.



Re: [Rkhunter-users] rkhunter : found 199, missing hashes 199

2018-05-21 Thread John Horne
On Mon, 2018-05-21 at 10:28 +0300, ellanios82 wrote:
> >
> > As a quick test could you run 'sha256sum /etc/group' just to see if it
> > produces some output.
>
> - thanks : this was result :
>
> # sha256sum /etc/group
> d39f143660f1f98ba61d67a6cf329371d0417df900b71051624ea85ea60add9a /etc/group
>
Okay, so there shouldn't really be a reason why the hashes are not read.

Can you run 'rkhunter --propupd' and then send me a copy of the log file please
(found at /var/log/rkhunter.log).



John.



Re: [Rkhunter-users] rkhunter : found 199, missing hashes 199

2018-05-20 Thread John Horne
On Mon, 2018-05-21 at 00:02 +0300, ellanios82 wrote:
> On 20/05/18 23:47, John Horne wrote:
> > On Sun, 2018-05-20 at 21:33 +0300, ellanios82 wrote:
> > > Dear List ,
> > >
> > >
> > > upon running "rkhunter --propupd", I see "found 199, missing
> > > hashes 199"
> > >
> > > : what do I need to do, please?
> > >
> >
> > What version of rkhunter?
> > What O/S?
>
>   - vers. : rkhunter-1.4.4-2.1.x86_64
> O/S   : openSUSE-Tumbleweed
>
I would say upgrade to version 1.4.6 to start with.

As a quick test could you run 'sha256sum /etc/group' just to see if it produces
some output.




John.



Re: [Rkhunter-users] rkhunter : found 199, missing hashes 199

2018-05-20 Thread John Horne
On Sun, 2018-05-20 at 21:33 +0300, ellanios82 wrote:
> Dear List ,
>
>
> upon running "rkhunter --propupd", I see "found 199, missing
> hashes 199"
>
> : what do I need to do, please?
>
What version of rkhunter?
What O/S?



John.



Re: [Rkhunter-users] Rkhunter Problem

2018-05-16 Thread John Horne
On Wed, 2018-05-16 at 12:20 -0400, Mark Misulich wrote:
>
> linux-2b8:/home/lx1 # echo $PATH
> /sbin:/bin:/usr/sbin:/usr/bin
>
...
> It looks to me like usr/local/bin is not included in the directories
> searched by root.
>
Correct.
You could modify the PATH for your root account shell,
or re-install rkhunter specifying the installation directory as /usr,
or create a link from /usr/bin/rkhunter pointing to /usr/local/bin/rkhunter.




John.



Re: [Rkhunter-users] Rkhunter Problem

2018-05-16 Thread John Horne
On Wed, 2018-05-16 at 09:43 -0400, Mark Misulich wrote:
> Is it possible that rkhunter is installing correctly, and that something that
> gets modified in the operating system when rkhunter was installed
> previously is now preventing the program from starting?
>
No.

As the 'root' user log in and type 'echo $PATH'. This will show you the list of
directories that are searched for commands by the 'root' user. It should
include '/usr/local/bin'.

You might also want to type in 'alias' just to see if an alias for the rkhunter
command has been set up.



John.



Re: [Rkhunter-users] Invalid option specified: --update

2018-05-15 Thread John Horne
On Tue, 2018-05-15 at 11:34 -0500, Patrick Kirchner wrote:
> Thanks for the reply John.
>
> rkhunter --update |cat -vet
> Invalid option specified: --update$
>
> rkhunter -h still works great and lists all the options.
>
Can you send us the file size and perhaps a SHA256 checksum for the 'rkhunter'
command you have. Since rkhunter is a script, and assuming the packager hasn't
modified it, then the size/checksum should match with mine.



John.



Re: [Rkhunter-users] Invalid option specified: --update

2018-05-15 Thread John Horne
On Tue, 2018-05-15 at 08:26 -0500, Patrick Kirchner wrote:
> I'm using "Rootkit Hunter 1.4.6" and have noticed my cronjobs no longer
> accept the "--update" switch.  I also tried just running "rkhunter --update"
> in a terminal as root but it also complains that "--update" is an invalid
> option.
>
> rkhunter -V
> Rootkit Hunter 1.4.6
>
> rkhunter --update
> Invalid option specified: --update
>
Try 'rkhunter --update | cat -vet' to see if any 'odd' characters are
appearing.
Does 'rkhunter -h' work?



John.



Re: [Rkhunter-users] Possible Rootkit

2018-05-10 Thread John Horne
On Wed, 2018-05-09 at 10:21 -0400, Mark Misulich wrote:
> Hi,
> when I run rkhunter on my opensuse 42.3 linux Operating System, I get
> this result telling me that I have a possible rootkit.
>
> > Rootkit checks...
> > Rootkits checked : 500
> > Possible rootkits: 1
>
> I have looked through the var/log/rkhunter.log and don't find anything
> that stands out to me as what this might be.
>
Try running 'grep -i warning /var/log/rkhunter.log'.
Also what version of rkhunter are you running?


John.



Re: [Rkhunter-users] Monitoring extra files on server?

2018-05-09 Thread John Horne
On Tue, 2018-05-08 at 21:58 -0400, Teddy Brown wrote:
> Hi,
> I want to monitor several PHP files on my server.  We've had issues with
> malware getting in via a couple Joomla installs.  I've reinstalled our CMS
> software and we're confident things are  in a clean state.
>
> Ideally we'd use rkhunter to monitor any PHP files for changes.  There will
> be other changes expected in these directories (such as images) but PHP files
> will be managed manually now.
>
> I was thinking this might do it, but I'm not sure how long it will take to
> run, but when I run rkhunter -C it runs for a long time without knowing if it
> is working or not.
>
> Am I oversimplifying this?
>
> GLOBSTAR=1
> USER_FILEPROP_FILES_DIRS=/var/www/**/*.php
>
Hi,

Rkhunter is just a script, so it's not the fastest thing in the world. The time
taken will probably depend on how many of those PHP files you have.

If you run something like 'top' while 'rkhunter -C' is running, then you should
see it doing something.



John.



Re: [Rkhunter-users] confusion on propupd

2018-04-03 Thread John Horne
On Tue, 2018-04-03 at 14:50 +, Mark Stosberg wrote:
> Chip,
>
> It looks like `rkhunter` stores its files under `/var/lib/rkhunter`, so copy
> the known-good files from this directory to the questionable server. Expect
> some amount of differences to be reported. For example, the host name will be
> detected as changed.
>
You'll probably get a warning about most files since the inode will (most
likely) have changed.



John.

> Mark
>
> On Tue, Apr 3, 2018 at 10:47 AM Chip <jeffsch...@gmail.com> wrote:
> > That actually sounds like a good idea - I hadn't thought of the VM
> > approach!  Thank you.
> >
> > Could I do as you suggested and then rather than compare signature by
> > signature which would be onerous, somehow export the signatures from the
> > known-good to the considered-bad?  And if so, what would be the process for
> > that?
> >
> > On 04/03/2018 10:42 AM, Mark Stosberg wrote:
> > > That is outside of the scope of rkhunter. The recommended practice is to
> > > start using rkhunter on a known-good system.
> > >
> > > If you want the correct signatures for a known-good Ubuntu 16.04 server,
> > > you can spin one up in a VM, fully patch it, and then compare file
> > > signatures between that server and yours.
> > >
> > > If you are concerned your box is compromised, there is always the safe
> > > approach of rebuilding it from a known-good state.
> > >
> > > Mark
> > >
> > > On Tue, Apr 3, 2018 at 9:24 AM Chip <jeffsch...@gmail.com> wrote:
> > > > New to rkhunter.
> > > >
> > > > What is the logic behind using propupd with a system that is already or
> > > > potentially compromised?
> > > >
> > > > It would seem that a lot of people arrive at rkhunter suspicious that
> > > > their system has already been compromised.
> > > >
> > > > So how does someone actually update with propupd against *known* good
> > > > signatures that reside *outside* their box?
> > > >
> > > > Thank you.
> > > >
> > > >
> > > --
> > >  Mark Stosberg
> > >
> > >  Senior Systems Engineer | RideAmigos | 765-277-1916 | m...@rideamigos.com
>
> --
> Mark Stosberg
> Senior Systems Engineer | RideAmigos | 765-277-1916 | m...@rideamigos.com

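Added illustration, not rkhunter's own code: a small file-property baseline in the spirit of 'rkhunter --propupd' followed by a check, pulling together three points from these threads: a USER_FILEPROP_FILES_DIRS pattern with '**' (GLOBSTAR=1), an exclude list in the spirit of the EXCLUDE_USER_FILEPROP_FILES_DIRS answer earlier on this page, and why a baseline copied from another host warns on nearly every file (the inode is one of the stored properties). The web-root layout, file names and the propupd/check/demo helper names are all constructed for the example.

```python
import glob
import hashlib
import os
import shutil
import stat
import tempfile

# Properties recorded per file (a subset of what rkhunter itself stores).
PROPS = ("sha256", "mode", "uid", "gid", "size", "inode")


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def file_props(path):
    st = os.lstat(path)
    digest = sha256_of(path) if stat.S_ISREG(st.st_mode) else ""
    return {"sha256": digest, "mode": oct(stat.S_IMODE(st.st_mode)),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "inode": st.st_ino}


def select_files(include, exclude=()):
    """Expand include globs, then drop anything matching an exclude glob.
    recursive=True makes '**' behave like bash's globstar."""
    chosen = set()
    for pat in include:
        chosen.update(p for p in glob.glob(pat, recursive=True)
                      if os.path.isfile(p))
    for pat in exclude:
        chosen.difference_update(glob.glob(pat, recursive=True))
    return sorted(chosen)


def propupd(include, exclude=()):
    """Build the baseline (the 'rkhunter --propupd' step)."""
    return {p: file_props(p) for p in select_files(include, exclude)}


def check(baseline, ignore=()):
    """Compare the current state with the baseline; return (path, property)
    pairs. 'ignore' names properties to skip, e.g. ('inode',) for a baseline
    copied from another host, where inode numbers can never match."""
    warnings = []
    for path, old in baseline.items():
        new = file_props(path)
        warnings.extend((path, prop) for prop in PROPS
                        if prop not in ignore and old[prop] != new[prop])
    return warnings


def demo():
    """Constructed scenario in a temp dir: a small web root with PHP files, an
    image and a vendor tree. Returns warnings with paths relative to it."""
    root = tempfile.mkdtemp(prefix="propdemo-")
    web = os.path.join(root, "www")
    files = {
        "site/index.php": "<?php echo 'hello';",
        "site/inc/db.php": "<?php $dsn = 'x';",
        "site/logo.png": "not really a png",
        "vendor/lib.php": "<?php // third-party code",
    }
    for name, body in files.items():
        full = os.path.join(web, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
        os.chmod(full, 0o644)

    def rel(warnings):
        return [(os.path.relpath(p, web), prop) for p, prop in warnings]

    # USER_FILEPROP_FILES_DIRS=/var/www/**/*.php with GLOBSTAR=1, plus an
    # exclude in the spirit of EXCLUDE_USER_FILEPROP_FILES_DIRS.
    baseline = propupd([os.path.join(web, "**", "*.php")],
                       [os.path.join(web, "vendor", "**")])
    out = {"tracked": sorted(os.path.relpath(p, web) for p in baseline)}

    # 1. one file edited in place, another given new permissions
    db = os.path.join(web, "site", "inc", "db.php")
    idx = os.path.join(web, "site", "index.php")
    with open(db, "w") as f:
        f.write("<?php $dsn = 'changed';")
    os.chmod(idx, 0o755)
    out["after_edit"] = rel(check(baseline))

    # 2. content and mode restored, but index.php rewritten via temp file
    #    and rename: only the inode differs, as with a copied baseline
    with open(db, "w") as f:
        f.write(files["site/inc/db.php"])
    tmp = idx + ".new"
    with open(tmp, "w") as f:
        f.write(files["site/index.php"])
    os.chmod(tmp, 0o644)
    os.replace(tmp, idx)
    out["new_inode"] = rel(check(baseline))
    out["new_inode_ignored"] = rel(check(baseline, ignore=("inode",)))

    shutil.rmtree(root)
    return out
```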

Re: [Rkhunter-users] The file permissions have changed

2018-04-03 Thread John Horne
On Tue, 2018-04-03 at 09:47 -0300, marcos sr wrote:
> 2018-04-03 6:46 GMT-03:00 John Horne <john.ho...@plymouth.ac.uk>:
> > That's because you are using the package manager. Running rkhunter won't
> > change the output from the package manager, and it is that which is telling
> > you that your file permissions have changed. You will need to find out why
> > the file permissions have changed.
>
> But after I run rkhunter --propupd I get the same errors. Doesn't propupd
> update the database with the current file permissions?
>
The results of the package manager are used for any warnings. rkhunter will
update its local database with the results from the package manager, but if you
rerun rkhunter it will get the same result (from the package manager) and issue
the same warning again. Using a package manager doesn't do any 'comparison'
with what rkhunter has stored; it just uses the result from the package
manager.



John.



Re: [Rkhunter-users] The file permissions have changed

2018-04-03 Thread John Horne
On Mon, 2018-04-02 at 16:36 -0300, marcos sr wrote:
> Hello
>
> When I scan my server for the first time i receive those  alerts
>
> Warning: Package manager verification has failed:
> File: /bin/XXX (lots of files)
> The file permissions have changed
>
>
> And even if I run "rkhunter --propupd" the errors remain.
>
That's because you are using the package manager. Running rkhunter won't change
the output from the package manager, and it is that which is telling you that
your file permissions have changed. You will need to find out why the file
permissions have changed.



John.


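Added example, not rkhunter's code: a parser for package-manager verification output in the form 'rpm -V' prints, which is where the "file permissions have changed" warnings in this thread originate, so that the point above is visible in code: the result comes from the package manager each run and 'rkhunter --propupd' cannot clear it. The sample lines are constructed; the flag layout (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities) is rpm's documented one, and the permission_changes/needs_attention helpers are this example's own triage, not rkhunter's.

```python
import re

# Meaning of each rpm -V flag column. 'P' is absent on older rpm versions,
# so both 8- and 9-column lines are accepted below.
FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode (permissions or file type) differs",
    "5": "digest (hash) differs",
    "D": "device major/minor number differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "modification time differs",
    "P": "capabilities differ",
}

# flags, optional file-type marker (c config, d doc, g ghost, l licence,
# r readme), then the path
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")

# Constructed sample output, not captured from a real host.
SAMPLE = """\
.M.......    /bin/ping
.M....G..    /usr/bin/wall
S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/lib64/libexample.so.1
.......T.    /usr/share/man/man1/example.1.gz
missing     /usr/share/doc/example/README
"""


def parse_rpm_verify(text):
    """Turn rpm -V lines into dicts: path, config marker, failed checks."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append({"path": m["path"], "config": m["ftype"] == "c",
                             "failed": ["missing"]})
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # dependency problems or other non-file lines
        failed = [c for c in m["flags"] if c not in ".?"]
        findings.append({"path": m["path"], "config": m["ftype"] == "c",
                         "failed": failed})
    return findings


def permission_changes(findings):
    """Files the package manager says changed mode: the warning the thread is
    about. Only restoring the packaged mode (or reinstalling the package)
    makes it go away; rkhunter --propupd does not touch this result."""
    return [f["path"] for f in findings if "M" in f["failed"]]


def needs_attention(findings):
    """Triage: a non-config file whose content, mode, owner, group, device or
    link target differs, or that is missing. An edited config file ('c') or a
    mtime-only difference is usually an admin action and is left out here."""
    serious = set("SM5DLUGP") | {"missing"}
    return [f["path"] for f in findings
            if not f["config"] and serious.intersection(f["failed"])]


def explain(finding):
    """Human-readable reasons for one finding."""
    return [FLAG_MEANING.get(c, c) for c in finding["failed"]]


if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE):
        print(f["path"], "config" if f["config"] else "", explain(f))
```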

Re: [Rkhunter-users] RkHunter 1.4.6: Globstar Error

2018-03-27 Thread John Horne
On Tue, 2018-03-27 at 15:07 -0500, John Curcio wrote:
> It is using Dash.
>
As it says in rkhunter.conf for the GLOBSTAR setting:

===
# NOTE: This option is only valid for those shells which support the 'globstar'
# option. Typically this will be 'bash' (version 4 and above) via the 'shopt'
# command, and 'ksh' via the 'set' command.
===

As far as I am aware dash doesn't support globstar (or shopt).




John.

> On Tue, Mar 27, 2018 at 1:19 PM, John Curcio <johnn.cur...@gmail.com> wrote:
> > Neither return anything useful.
> > *:~$ man shopt
> > No manual entry for shopt
> > *:~$ which shopt
> > *:~$
> >
> > How do I check the shell it's using?
> >
> > On Tue, Mar 27, 2018 at 11:01 AM, John Horne <john.ho...@plymouth.ac.uk>
> > wrote:
> > > On Tue, 2018-03-27 at 10:03 -0500, John Curcio wrote:
> > > > I am trying to get globstar to work but when I enable it and try to
> > > > run rkhunter I receive the following
> > > >
> > > > :~$ sudo rkhunter --propupd
> > > > /usr/local/bin/rkhunter: 3331: /usr/local/bin/rkhunter: shopt: not
> > > > found
> > > > [ Rootkit Hunter version 1.4.6 ]
> > > > File updated: searched for 179 files, found 170, missing hashes 1
> > > >
> > > > Output of shopt:
> > > >
> > >
> > > What shell is RKH using?
> > > Can you run something like 'which shopt' to see where the command is in
> > > your
> > > PATH?
> > > Might need something like the manpage for 'shopt' as well.
> > >
> > >
> > >
> > > John.
> > >
> >
> >
> >
> > --
> > Thanks For Your Time,
> > John Curcio
>
>
>


Re: [Rkhunter-users] RkHunter 1.4.6: Globstar Error

2018-03-27 Thread John Horne
On Tue, 2018-03-27 at 10:03 -0500, John Curcio wrote:
> I am trying to get globstar to work but when I enable it and try to
> run rkhunter I receive the following
>
> :~$ sudo rkhunter --propupd
> /usr/local/bin/rkhunter: 3331: /usr/local/bin/rkhunter: shopt: not found
> [ Rootkit Hunter version 1.4.6 ]
> File updated: searched for 179 files, found 170, missing hashes 1
>
> Output of shopt:
>
What shell is RKH using?
Can you run something like 'which shopt' to see where the command is in your
PATH?
Might need something like the manpage for 'shopt' as well.



John.



Re: [Rkhunter-users] numfmt in rkhunter 1.4.6

2018-03-22 Thread John Horne
On Thu, 2018-03-22 at 12:48 -0600, Andrew Duty wrote:
> Yesterday I upgraded to rkhunter 1.4.6 on two CentOS 7.3 systems. I ran
>
> rkhunter --check
>
If you have just updated RKH then you should run 'rkhunter --propupd' first of
all.

> before and after, and was surprised to see a warning for the numfmt binary.
>
You will until you run RKH with '--propupd'.

The 'numfmt' command is used in 1.4.6 just to display some large numbers in a
human-readable format.



John.



Re: [Rkhunter-users] Version 1.4.6 released

2018-02-27 Thread John Horne
On Tue, 2018-02-20 at 08:57 +, Dogsbody wrote:
> Hi John,
>
> This didn't appear to get sent to rkhunter-announce :-/
>
> It's not in the archives either...
>https://sourceforge.net/p/rkhunter/mailman/rkhunter-announce/
>
> Just wanted to let you know.
>
Yes, thanks. Lots of problems with that list for some reason. I'll see if I can
force a message out to it.


John.



Re: [Rkhunter-users] rkhunter: 14795 unexpected operator

2018-02-27 Thread John Horne
On Sat, 2018-02-24 at 14:32 -0500, Chip wrote:
> Version Rootkit Hunter 1.4.6 on Ubuntu 16.04
>
> I apologize in advance for the number of questions.
>
> 1) What does the number after /usr/local/bin/rkhunter: signify?  process
> number? some other code number?
>
It's the line number in the code.

>
> 2) After running sudo rkhunter -c and seeing the following, what are the
> best practices for solving this?
> /usr/local/bin/rkhunter: 14795: [: /usr/lib/x86_64-linux-gnu/notify-osd: unexpected operator
> /usr/local/bin/rkhunter: 14795: [: /usr/bin/compiz: unexpected operator
> /usr/local/bin/rkhunter: 14795: [: /usr/bin/nautilus: unexpected operator
> /usr/local/bin/rkhunter: 14795: [: /usr/lib/gnome-terminal/gnome-terminal-server: unexpected operator
>
Download the 1.4.6 release file from sourceforge again. It contains a fix for
the bug. (An email about this has been sent to the list, but sourceforge have
had email problems.)


John.



[Rkhunter-users] Version 1.4.6 - re-released

2018-02-27 Thread John Horne
Hello,

Version 1.4.6 of rkhunter has been re-released. The files on sourceforge have
been updated. (This was actually about 4 days ago now, but there have been
problems with the sourceforge email system.)

The re-release was to cater for a bug in which the '==' operator was used in an
'if' statement. The '==' operator is not portable, and has been replaced with
'=' (which is portable).
In addition the RPM spec file (rkhunter.spec) was not updated at the initial
1.4.6 release. This too has now been corrected.

The re-released version will still show the version number of 1.4.6. However,
the git repository on sourceforge will show a tag of version 1.4.6a for the
re-released version.

Apologies for the confusion, but the bug was sufficiently serious that the
version should be re-released.




John.

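Both the "shopt: not found" report in the globstar thread above and the "unexpected operator" bug fixed in this re-release have the same root cause: rkhunter is a /bin/sh script, and on Debian-derived systems /bin/sh is dash, which has no 'shopt' builtin and rejects '==' inside '[ ]'. The following is an added example (not rkhunter's code, and not something the project ships) of a small portability lint you can run over any sh script before deploying it. The sample script it scans is constructed for the example.

```shell
#!/bin/sh
# Constructed sample script standing in for the file you want to check;
# it is not rkhunter's own code.
sample_script() {
  cat <<'EOF'
#!/bin/sh
shopt -s globstar
if [ "$RKHTMPVAR" == "yes" ]; then echo yes; fi
if [ "$RKHTMPVAR" = "yes" ]; then echo yes; fi
[[ $x == y* ]] && echo bashism
EOF
}

# Read a script on stdin and print "LINE: reason" for each construct that a
# POSIX /bin/sh (dash on Debian/Ubuntu) rejects even though bash accepts it.
# Exit status is 1 if anything was found, 0 otherwise.
lint_portability() {
  awk '
    /^[[:space:]]*shopt([[:space:]]|$)/ { print NR ": shopt is a bash builtin (\"shopt: not found\" under dash)"; n++; next }
    /\[\[/                              { print NR ": [[ ]] is not POSIX"; n++; next }
    /\[[^]]*[^=!]==[^=]/                { print NR ": == inside [ ] is not portable, use ="; n++ }
    END { exit (n > 0) }
  '
}

# Number of findings for the constructed sample (used to exercise the lint).
count_findings() {
  sample_script | lint_portability | wc -l | tr -d ' '
}

# Usage on a real file:  lint_portability < /usr/local/bin/rkhunter
# To see which interpreter /bin/sh really is:  readlink -f /bin/sh
```

The lint is deliberately narrow: it flags only the three constructs that produced the errors seen in these threads, so anything it reports is a real portability problem, but a clean run does not prove the script is fully POSIX.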


[Rkhunter-users] Version 1.4.6 released

2018-02-19 Thread John Horne
Hello,

Version 1.4.6 of rootkit hunter has now been released.

Details of the changes in this release can be found in the CHANGELOG file, or
online at
https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/CHANGELOG




John.



Re: [Rkhunter-users] Check for Kernel Symbols skipped

2018-02-05 Thread John Horne
On Mon, 2018-02-05 at 10:05 +, Stefan Wolber wrote:
> Sorry to molest you but I want my system to be malware free. I searched for
> this topic about 2 hours in the internet but couldn't find an answer.
> I have a linux server at server4you (administration by Plesk) with debian
> wheezy (7) and rkhunter 1.4.4.
> I am little bit confused why rkhunter is skipping the checks for kernel
> symbols like “Checking for kernel symbol 'heroin' [ Skipped ]”.
> rkhunter does that numerous times.
>
This is because rkhunter cannot find either the /proc/ksyms or /proc/kallsyms
file. Looking at one of our Debian 7 servers, I can see that it has the
'/proc/kallsyms' file. The test will be run for each rootkit that uses kernel
symbols, that is why it appears so often. I can only think that perhaps some
hardening software is preventing access to it?

> I did specify in the rkhunter.conf.local DISABLE_TESTS=os_specific)?
>
Why? There are specific tests for Linux systems, so why not run them.




John.

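The kernel-symbol tests work by looking for rootkit symbol names in /proc/kallsyms (or /proc/ksyms on very old kernels); when neither file can be read, every one of those tests is reported as skipped, which is what the question above describes. The following is an added example, not rkhunter's code, showing the shape of such a check and how it distinguishes "symbol file unavailable" from "nothing found". The sample symbol file and the suspect name heroin_hide_module are constructed for the example and are not taken from rkhunter's rootkit database. The file is absent when the kernel is built without CONFIG_KALLSYMS; kernel.kptr_restrict only zeroes the address column, so symbol names remain visible to root.

```shell
#!/bin/sh
# Constructed /proc/kallsyms-style sample (a real file has thousands of lines).
# The suspect symbol name is made up for the example.
sample_kallsyms() {
  printf '%s\n' \
    'ffffffff81000000 T _stext' \
    'ffffffff81234560 T printk' \
    'ffffffffc0123450 t heroin_hide_module [heroin]'
}

# check_ksyms FILE SYMBOL...
# Exit 2 when FILE is absent or unreadable (the case rkhunter reports as
# "Skipped"), 1 when at least one SYMBOL is present, 0 when none is.
# The name is compared against field 3 exactly, so a benign symbol that merely
# contains the string (or a module name in field 4) does not match.
check_ksyms() {
  symfile=$1
  shift
  [ -r "$symfile" ] || return 2
  rc=0
  for sym in "$@"; do
    if awk -v s="$sym" '$3 == s { found = 1 } END { exit !found }' "$symfile"; then
      printf 'kernel symbol present: %s\n' "$sym"
      rc=1
    fi
  done
  return $rc
}

# Write the sample to a temporary file so check_ksyms can be exercised offline;
# on a live system pass /proc/kallsyms instead.
sample_file=$(mktemp)
sample_kallsyms > "$sample_file"
trap 'rm -f "$sample_file"' EXIT

# Usage:  check_ksyms /proc/kallsyms heroin_hide_module; echo "status $?"
```

If the function returns 2 on a real host, check whether /proc/kallsyms exists at all (kernel built without CONFIG_KALLSYMS) and whether something restricts reading it; as the reply above notes, hardening software is the usual explanation.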


Re: [Rkhunter-users] Error reaching updates

2018-01-19 Thread John Horne
On Fri, 2018-01-19 at 15:03 +, John Lorenz wrote:
> All of my servers last night received the following running the update
> command, did something change with rkhunter?  Yes I know I have an old
> version we run centos5 for now.
> [04:18:12] Warning: Download of 'mirrors.dat' failed: Unable to determine the
> latest version number.
> [04:18:12] Checking file mirrors.dat [ Update failed
> ]
> [04:18:12] Info: Executing download command '/usr/bin/wget  -q -O
> /var/lib/rkhunter/rkhunter.upd.sSpZoQV446 http://rkhunter.sourceforge.net/1.3/programs_bad.dat 2>/dev/null',
>
Seems like everything is running slow today as I've only just received this
email.
The problem seems to have been with sourceforge running slow.


John.



Re: [Rkhunter-users] Warning: Found preloaded shared library: libesets_pac.so

2018-01-03 Thread John Horne
On Wed, 2018-01-03 at 10:19 +, Bernie Elbourn wrote:
> Hi,
>
> Warning: Found preloaded shared library: libesets_pac.so
>
> I think this warning relates to:
>
> cat /etc/ld.so.preload
> libesets_pac.so
>
> ...caused by the installation of Eset antivirus.
>
> ldconfig -p | grep esets
>  libesets_pac.so (libc6,x86-64) => /usr/lib/libesets_pac.so
>  libesets_pac.so (libc6) => /usr/lib32/libesets_pac.so
>
> I have ...
>
> cat /etc/rkhunter.conf.local
> SHARED_LIB_WHITELIST=libesets_pac.so
> USER_FILEPROP_FILES_DIRS=/usr/lib/libesets_pac.so
> USER_FILEPROP_FILES_DIRS=/usr/lib32/libesets_pac.s
>
Is that a typo above? The pathname ends in '.s' instead of '.so'.

> but rkhunter -C throws an error:
>
> Invalid SHARED_LIB_WHITELIST configuration option: Simple filename:
> libesets_pac.so
>
> Is there a way to white list this libesets_pac.so please?
>
The test ('shared_libs') expects pathnames in the ld.so.preload file. Seeing a
simple filename it treats it as an error. I suppose really RKH should check the
standard /lib and /lib64 directories if a simple filename is seen.

> or should I be nagging Eset to use full pathnames?
>
Well they may have opted for a simple filename in order to allow differing
systems to work out the actual pathname. This makes some sense.

I can only suggest either disabling the test completely, or modifying your
/etc/ld.so.preload file to use pathnames (ldconfig has shown you what these
are). You would then need to add a SHARED_LIB_WHITELIST RKH config line for
each of the shared library pathnames.

IF (a big if) I get time, I'll see about getting the test to search for simple
filenames.



John.

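The reply above suggests resolving bare library names in /etc/ld.so.preload to full pathnames (using what ldconfig reports) and whitelisting each resulting path. The following is an added example of doing that mechanically; it is not rkhunter's code. The stand-in ld.so.preload and ldconfig -p listing are constructed for the example (mirroring the paths in the question); on a live host use the real file and the real ldconfig -p output. Since /etc/ld.so.preload is also the injection point for userland rootkits, whitelist exact paths, never bare names, and keep the library under the file-properties check as the questioner already does with USER_FILEPROP_FILES_DIRS.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/ld.so.preload and `ldconfig -p` output
# (example data, not taken from a real host).
sample_preload() {
  printf '%s\n' \
    'libesets_pac.so' \
    '' \
    '/usr/lib/x86_64-linux-gnu/libexample.so'
}
sample_ldconfig() {
  printf '%s\n' \
    '3 libs found in cache /etc/ld.so.cache' \
    '    libesets_pac.so (libc6,x86-64) => /usr/lib/libesets_pac.so' \
    '    libesets_pac.so (libc6) => /usr/lib32/libesets_pac.so' \
    '    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'
}

# resolve_preload PRELOAD_FILE LDCONFIG_OUTPUT
# Print one absolute path per line for every entry in PRELOAD_FILE. Entries
# that are already absolute pass through; bare filenames (the case the
# shared_libs test rejects) are resolved through the ldconfig cache listing,
# which may yield several paths (64-bit and 32-bit copies). Names that resolve
# to nothing are reported on stderr and make the function return 1.
resolve_preload() {
  preload=$1
  ldcache=$2
  rc=0
  while read -r entry; do
    case "$entry" in
      '') continue ;;
      /*) printf '%s\n' "$entry" ;;
      *)
        found=$(awk -v n="$entry" '$1 == n && $NF ~ /^\// { print $NF }' "$ldcache")
        if [ -n "$found" ]; then
          printf '%s\n' "$found"
        else
          printf 'unresolved preload entry: %s\n' "$entry" >&2
          rc=1
        fi ;;
    esac
  done < "$preload"
  return $rc
}

# Turn the resolved paths into rkhunter.conf.local lines: whitelist the exact
# path for the shared_libs test and keep it under the file-properties check.
emit_rkhunter_conf() {
  resolve_preload "$1" "$2" | awk '
    { print "SHARED_LIB_WHITELIST=" $0; print "USER_FILEPROP_FILES_DIRS=" $0 }
  '
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
sample_preload  > "$work/ld.so.preload"
sample_ldconfig > "$work/ldconfig.out"

# Live usage:  ldconfig -p > "$work/ldconfig.out"
#              emit_rkhunter_conf /etc/ld.so.preload "$work/ldconfig.out"
```

Review the emitted lines before appending them to rkhunter.conf.local, and rewrite /etc/ld.so.preload itself to the same absolute paths so the test and the loader agree on what is being preloaded.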


Re: [Rkhunter-users] rkhunter and ipc_shared_mem bug

2017-12-18 Thread John Horne
On Sat, 2017-12-16 at 10:50 -0800, Kevin Fenzi wrote:
> On 12/13/2017 02:45 AM, John Horne wrote:
> > On Tue, 2017-12-12 at 11:08 -0800, Kevin Fenzi wrote:
> > > Greetings.
> > >
> > > From downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1524456
> > >
> > > Basically the user is seeing a ipc_shared_mem warning, but it's not
> > > ever noted at the log/summary as a warning.
> > >
> >
> > Yup, a known bug. The return code during the IPC memory test can be lost,
> > so a warning could be issued then forgotten about when the program ends.
> > The warning is valid; the 'summary' at the end of the program run is not
> > (in this instance).
> > It is fixed in the next release and the current development version.
>
> Cool. Is there a commit to backport,
>
I'm afraid not really. It's all a bit mixed in with other changes. The lost
error code was caused by piping into a 'while read' statement, and that had to
be changed completely.
Commits 0a0ddb2080c258fad21ebf9aec6b3ed3760ea6dd and
6b6109949b7c71c9ba1004dd310239425c1977bc (in that order) do most of the work,
but it may not apply cleanly. I think it requires updates to the language file
too.

>  or is there a new release planned soon?
>
Again, not too likely I'm afraid. Lack of time, and still a few things that
should be done to the code.



John.

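The lost return code described above is a standard sh pitfall: when a command is piped into 'while read', the loop body runs in a subshell, so any variable it sets (a warning flag, a counter, a return code) is discarded when the loop ends. The following is an added example, not rkhunter's code, showing the broken form next to a portable fix that feeds the loop from a here-document so it runs in the current shell. The three 'ipcs -m'-style lines are constructed sample input; the "warning" condition (a world-writable segment) is chosen only to give the loop something to count.

```shell
#!/bin/sh
# Constructed stand-in for `ipcs -m` output: key shmid owner perms bytes nattch
sample_ipcs() {
  printf '%s\n' \
    '0x00000000 12345 root   600 4096  1' \
    '0x00000000 67890 nobody 666 65536 2' \
    '0x00000000 11111 root   666 1024  0'
}

# Broken: the pipeline runs the while loop in a subshell, so the increments
# to $warn happen in a copy and the function always reports 0.
count_broken() {
  warn=0
  sample_ipcs | while read -r key shmid owner perms bytes nattch; do
    case "$perms" in *[2367]) warn=$((warn + 1)) ;; esac
  done
  echo "$warn"
}

# Fixed: redirect the loop's input from a here-document holding the command
# output. The loop now runs in the current shell and $warn survives it.
# (Redirecting from a temporary file works the same way and is also POSIX.)
count_fixed() {
  warn=0
  while read -r key shmid owner perms bytes nattch; do
    case "$perms" in *[2367]) warn=$((warn + 1)) ;; esac
  done <<EOF
$(sample_ipcs)
EOF
  echo "$warn"
}

# Usage:  echo "broken=$(count_broken) fixed=$(count_fixed)"
```

The same pattern applies to a return code: set it inside the loop, read it after 'done', and it is only there if the loop did not run in a pipeline. bash can be told to run the last pipeline stage in the current shell with 'shopt -s lastpipe', but as the globstar thread shows, rkhunter cannot rely on bash-only features.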


Re: [Rkhunter-users] rkhunter and ipc_shared_mem bug

2017-12-13 Thread John Horne
On Tue, 2017-12-12 at 11:08 -0800, Kevin Fenzi wrote:
> Greetings.
>
> From downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1524456
>
> Basically the user is seeing a ipc_shared_mem warning, but it's not
> ever noted at the log/summary as a warning.
>
Yup, a known bug. The return code during the IPC memory test can be lost, so a
warning could be issued then forgotten about when the program ends. The warning
is valid; the 'summary' at the end of the program run is not (in this
instance).
It is fixed in the next release and the current development version.


John.



Re: [Rkhunter-users] 1.4.2 not updating

2017-12-12 Thread John Horne
On Tue, 2017-12-12 at 03:17 -0800, Al Varnell wrote:
> On Tue, Dec 12, 2017 at 12:57 AM, Al Varnell wrote:
> > On Mon, Dec 11, 2017 at 08:16 PM, Pete Schaefers wrote:
> > > But can anyone explain the logic of versioncheck and its output being...
> > >
> > > Checking rkhunter version...
> > >   This version  : 1.4.2
> > >   Latest version: 1.4.2
> > >
> > > I would expect latest version to read 1.4.4, unless I am misinterpreting
> > > that as well.
> >
> > sudo rkhunter --versioncheck and then check the rkhunter.log for details.
> >
> > It supposed to find the current version at
> > <http://rkhunter.sourceforge.net/1.4/rkhunter_latest.dat> which does show 1.4.4,
> > so is version 1.4.2 looking in the correct location and what, if anything, does it find?
> >
> > -Al-
>
> OK, I see the problem. Version 1.4.2 is looking in the wrong place
> <http://rkhunter.sourceforge.net/1.3/rkhunter_latest.dat> which shows 1.4.2.
> Should be an easy fix to just change that page to read "1.4.4".
>
Just changed the file. So try using '--versioncheck' again.



John.



Re: [Rkhunter-users] 1.4.2 not updating

2017-12-12 Thread John Horne
On Mon, 2017-12-11 at 17:07 -0800, Pete Schaefers wrote:
> I initially installed RKH 1.4.2 as follows:
> ./installer.sh --layout default --install
>
> It's been running the check and update in a CRON as:
> /root/rkhunter-1.4.2/files/rkhunter --versioncheck --update
>
> But according to the RKH site the latest version is 1.4.4
>
> The mirror seems fine:
> cat /var/lib/rkhunter/db/mirrors.dat
> Version:2007060601
> mirror=http://rkhunter.sourceforge.net
>
> Manual version check reports:
> /root/rkhunter-1.4.2/files/rkhunter --versioncheck
> [ Rootkit Hunter version 1.4.2 ]
>
> Checking rkhunter version...
>This version  : 1.4.2
>Latest version: 1.4.2
>
> Does anyone know why it has not updated?
>
Read the man page. It only updates the data files, not the software.



John.



[Rkhunter-users] Rkhunter source code now in git

2017-11-16 Thread John Horne
Hello,

For your information:

The project developers were asked by sourceforge to move the project code from
CVS to either an SVN or Git repository. This had to be done by the end of
November 2017. I have now moved the code to git on sourceforge.

Although the files have moved across to git, there is still work to be done.
Some of the documentation refers to CVS, and this needs to be changed.

There are currently two git branches. The 'master' branch contains the latest
stable release (currently 1.4.4). The 'version-1.4.4' tag also refers to this
code. At the next release the master branch will be updated, and a
'version-1.4.6' tag created (and so on for future releases).
The 'develop' branch contains the current development code (aka version 1.4.5).




John.



Re: [Rkhunter-users] ALLOWIPCPROC=/usr/lib/x86_64-linux-gnu/notify-osd not working

2017-11-10 Thread John Horne
On Fri, 2017-11-10 at 15:09 +, Mark Stosberg wrote:
> I'm using rkhunter 1.4.4.
>
> I added several whitelists for ALLOWIPCPROC exceptions to
> rkhunter.conf.local, and they all work but this one:
>
> ALLOWIPCPROC=/usr/lib/x86_64-linux-gnu/notify-osd
>
> I continue to get daily "shared segment" warnings about this one:
>
Hello,

I'm wondering if perhaps you have a control character stuck in there somewhere,
so causing the pathname not to match. Try running
'cat -vet rkhunter.conf.local | grep IPC' and check the output to see if it
shows anything unusual.




John.



Re: [Rkhunter-users] Filename is not in the "rkhunter.dat" file

2017-10-28 Thread John Horne
On Sat, 2017-10-28 at 13:09 +0300, Nerijus Baliunas via Rkhunter-users wrote:
> Hello,
>
> I installed telnet on the system, and got:
> Warning: The file '/usr/bin/telnet' exists on the system, but it is not
> present in the 'rkhunter.dat' file.
>
> Tried to run:
> # rkhunter --propupd /usr/bin/telnet
> Filename is not in the "rkhunter.dat" file: /usr/bin/telnet
>
> I had to run rkhunter --propupd. I propose to make
> rkhunter --propupd /usr/bin/telnet
> work, i.e. to be able to add file to the rkhunter.dat
> even if it does not exist in the database.
>
You added something new to the system, so you must use just '--propupd'.
Specifying a pathname as well assumes that the entry already exists in the
database, and can be used when just that particular file changes.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] scanning a snapshot of another system, mounted read-only

2017-10-02 Thread John Horne
On Mon, 2017-10-02 at 14:31 -0700, Florin Andrei wrote:
> An OSSEC warning was triggered yesterday on an AWS instance. I made a
> snapshot of the root volume of that instance.
>
> On a separate, clean instance, I've mounted the snapshot as a read-only
> volume. I am trying to analyze that volume. But I can't seem to find a
> way to tell rkhunter "here, this is the image of another system, please
> scan it for malware".
>
> rkhunter used to have the -r option, but if I try it, it simply says
> "The '-r' option is now deprecated." with no further explanation.
>
Because it is not really possible to set up RKH to scan other system types.
When the option was available it did not work at all well, so it was best to
remove it.


John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] False positive due to prelink

2017-10-02 Thread John Horne
On Mon, 2017-10-02 at 14:01 +, Dimitri Yioulos wrote:
> Thank you for the response.  Yes, of course, I'm familiar with --
> propupd.  However, I run rkhunter via a cron job every hour (0 * * * *
> /bin/rkhunter --cronjob --rwo --noappend-log).  Having to run --propupd prior
> to it, or any time I do a check when no system changes have been made,
> doesn't make sense to me.  I've gone through /etc/sysconfig/prelink, and
> changed some settings there, and will see if they make a difference.  But, I
> don't recall having had to do that when I was running RKhunter version 1.4.2.
>
Check your /etc directory to see if you have anything left relating to prelink.
In particular a prelink.cache file. If you are not using prelink, then delete
the cache file.


John.

>
> -Original Message-
> From: ellanios82 [mailto:ellanio...@gmail.com]
> Sent: Monday, October 02, 2017 9:50 AM
> To: rkhunter-users@lists.sourceforge.net
> Subject: Re: [Rkhunter-users] False positive due to prelink
>
> On 02/10/17 16:17, Dimitri Yioulos wrote:
> >
> > [09:00:03]You may need to re-run rkhunter with the '--propupd' option.
> >
> > As I recall, I didn't get this error with version 1.4.2. Any idea what
> > I need to do to get this resolved?
> >
>
> as root , run :
>
>
> # rkhunter --propupd
>
>
>   regards
>
>
--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] Mailing lists at sourceforge

2017-08-03 Thread John Horne
On Thu, 2017-08-03 at 11:37 +0100, Dogsbody wrote:
> >
> >  From a coding point of view it would be nice to move to github.
> >
>
> I would love to see this project move to GitHub and I consider the
> issues functionally way more useful than a mailing list as you can
> receive emails if you wish but being able to have a threaded view with
> links actual code and dependencies is wonderful.
>
The 'issues' part would replace the sourceforge (SF) 'tickets' system. So
reporting bugs etc should not be a problem.

My concern though is that currently RKH allows users to update the data files
via SF (using 'rkhunter --update'). Moving to github would basically remove
that functionality. Users could manually update the files by downloading them
from github, but I suspect that would not go down too well! An alternative is
to remove that functionality from RKH, and only provide static data at each
release. Again, not ideal, however the data files themselves do rarely change.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] False positives - forgot the list

2017-07-24 Thread John Horne
On Mon, 2017-07-24 at 15:59 -0400, drohde wrote:
> AjaKit Rootkit
> Adore Rootkit
> BOBKit Rootkit
>
I think we would need to see the actual output from using rkhunter, or the
relevant output from the log file.




John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] link in claimed SourceForge message safe?

2017-07-11 Thread John Horne
On Mon, 2017-07-10 at 19:45 -0600, William via Rkhunter-users wrote:
> Is an effort being made to find a new "home" for Rkhunter and its users
> list?
>
For the mailing list(s) I couldn't say. For rkhunter code itself there was a
push from sourceforge some time ago to move from CVS to using GIT instead. I
don't think this is anything to do with that though.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] Skip new user/new group check

2017-07-07 Thread John Horne
On Fri, 2017-07-07 at 19:58 +, Dimitri Yioulos wrote:
> Hello, all.
>
> Believe it or not, my manager wants rkhunter to skip checking whether a new
> user and/or new group has been created on a system.  I see nothing in the
> config file that specifically relates to this.  I think it’s an intrinsic
> check, but I could be wrong.  Is there any way to prevent those two specific
> checks?
>
Hi,

Disable the 'group_changes' and 'passwd_changes' tests.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] GPG key for release signatures

2017-07-07 Thread John Horne
On Fri, 2017-07-07 at 14:45 +0200, Lukas Fleischer wrote:
> Hello,
>
> The most recent release (1.4.4) is signed using the RSA key
> E9C5DC50D13AAA83 which does not seem to exist on the usual key servers.
>
Doh! Forgot to export the key. I have now done that, so it should be making its
way around the servers.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



[Rkhunter-users] Rootkit Hunter release 1.4.4

2017-06-29 Thread John Horne
Hello,

The Rootkit Hunter project team is pleased to announce the release
of version 1.4.4. For details please see the CHANGELOG
(http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter/files/CHANGELOG)
file.
Thanks to the team and all contributors who made this release
possible by providing code, submitting ideas, bugs, fixes,
documentation, helping out on the rkhunter-users mailing list and
promoting Rootkit Hunter. For more details please see the
ACKNOWLEDGMENTS file.

Rootkit Hunter release 1.4.4 obsoletes all previous releases.



Thanks,

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] Next release - this week

2017-06-29 Thread John Horne
On Thu, 2017-06-29 at 00:57 -0700, Al Varnell wrote:
> On Sun, Jun 25, 2017 at 03:36 PM, John Horne wrote:
> >
> >
> > On Sun, 2017-06-25 at 15:24 -0700, Al Varnell wrote:
> > > CVS version at <https://sourceforge.net/p/rkhunter/wiki/cvs/> appears to
> > > still be 1.4.3?
> > >
> >
> > Correct. CVS versions are odd, the live version will be even (1.4.4).
> > The CVS version is fully functional though.
> >
> >
> > John
>
> Thanks. I've been using 1.4.3 for over two years, may have used a CVS at
> least once before and never noticed that.
>
> In any case, I've successfully used it with OS X 10.9, 10.10 and 10.11 with
> no issues.
>
> But a word of warning to other users. It's always been my practice to compare
> the new rkhunter.conf file with the previous version to see if I need to make
> any adjustments to my settings.  But this time there are hundreds of changes,
> almost all of which are cosmetic in nature to better explain an option or to
> conform with recent changes to the use of quote marks and delimiters.
>
Those changes were made in 1.4.2. This release has several changes but not
hundreds.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



[Rkhunter-users] Next release - this week

2017-06-25 Thread John Horne
Hello,

I am hoping that version 1.4.4 of rkhunter will be released this week.

If anyone wants to test it out beforehand then the CVS version is available
from sourceforge.

Details of the new release are in the CHANGELOG file, but some main points to
be aware of are:

1) The file properties hash function now defaults to SHA-256.
2) The 'apps' test is now disabled by default in the config file.
3) The DISABLE_UNHIDE config option has been removed.
4) The 'other_malware' test name has been removed (or rather replaced).





John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] Jun.Thu.22 -- 13:09 Re:: man page vs.

2017-06-22 Thread John Horne
On Thu, 2017-06-22 at 13:28 -0500, stvr_8...@comcast.net wrote:
>
> I might suggest that you consider updating the 'man'
> pages to reflect the use of and significance of the
> 'dot.local' file.
>
> I have yet to find, see or understand how to make changes
> to the configuration file itself and then have the file's
> hash update so as to not cause 'Warnings'.
>
If the installer sees an 'rkhunter.conf.local' file then it will add the
filename itself into the 'rkhunter.conf' config file as part of the file
properties test. (That is, it adds
'USER_FILEPROP_FILES_DIRS=rkhunter.conf.local')
So, whenever the file is changed you must run 'rkhunter --propupd' afterwards.
Otherwise rkhunter will report that the file has changed.

If the file did not exist at installation time, and is created afterwards, then
rkhunter will not report any changes made to it unless you tell it to do so.

> I'm in the process of testing the 'dot.local' file and if
> that actually solves my problem ... it does say at the
> top of file that you can make modifications to the 'conf'
> file ... if that is the case, then how do you distinguish
> between my alterations and those of a rogue; because my
> changes are never updated with --propupd  [file].??
>
As mentioned above, check that the local config file is itself listed in the
main config file. Any changes should then get reported unless you run 'rkhunter
--propupd'.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

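Two helpers for the workflow John describes, added as an example and not part of the original message or of rkhunter itself: first confirm that rkhunter.conf actually names rkhunter.conf.local in a USER_FILEPROP_FILES_DIRS line (otherwise edits to the local file are never reported, and --propupd on it is pointless), then edit the local file and refresh its stored properties only if its content changed. The config paths are the usual defaults and are assumptions; edit_local_conf calls the real 'rkhunter --propupd' and so is only useful on a host with rkhunter installed.

```shell
#!/bin/sh
# Added example, not rkhunter code: check that the local config file is
# covered by the file properties test, and keep its stored hash current.

# Print every active (uncommented) USER_FILEPROP_FILES_DIRS value found in
# CONF, one per line. Values may be quoted, several may share one line, and
# the option may be repeated; all of these are handled.
fileprop_entries() {
    sed -n 's/^[[:space:]]*USER_FILEPROP_FILES_DIRS[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '"' | tr ' \t' '\n\n' | sed '/^$/d'
}

# Return 0 if CONF lists NAME (default rkhunter.conf.local) for the file
# properties test, either as a bare name or as a full path; 1 otherwise.
local_conf_monitored() {
    conf=$1; name=${2:-rkhunter.conf.local}
    fileprop_entries "$conf" | sed 's#.*/##' | grep -qxF "$name"
}

# Edit LFILE with $EDITOR and, if its content changed, run
# 'rkhunter --propupd LFILE' so the next run does not warn about it.
# A per-file --propupd is valid here because the installer already put the
# file into the database (see John's reply above).
edit_local_conf() {
    lfile=${1:-/etc/rkhunter.conf.local}   # assumed default location
    conf=${2:-/etc/rkhunter.conf}          # assumed default location
    if ! local_conf_monitored "$conf" "$(basename "$lfile")"; then
        echo "warning: $lfile is not in USER_FILEPROP_FILES_DIRS in $conf;" \
             "changes to it will not be reported" >&2
    fi
    before=$(sha256sum "$lfile" | cut -d' ' -f1)
    ${EDITOR:-vi} "$lfile"
    after=$(sha256sum "$lfile" | cut -d' ' -f1)
    if [ "$before" != "$after" ]; then
        rkhunter --propupd "$lfile"
    fi
}
```

The point of the warning is the question asked in the thread: a local file that rkhunter is not told to watch is exactly as invisible to it as a rogue edit would be, so the first thing to establish is that the file is in the list at all.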


Re: [Rkhunter-users] RkHunter disable system logging daemon check

2017-06-22 Thread John Horne
On Thu, 2017-06-22 at 13:34 +0200, Anthony Hausman wrote:
> Good thing.
> So I just test with "system_configs_syslog" on rkhunter v1.4.3.
> It's working but that is not exactly what I need.
>
> I want to check syslog configurations but only without check if the
> daemon process is running.
>
Not possible. The two tests are dependent on each other for information.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] Question about DbSecuritySpt (not sure if it is a rootkit or something else).

2017-06-15 Thread John Horne
On Thu, 2017-06-15 at 14:01 +1000, Michael D. Setzer II wrote:
>
> Later I found the crontab had a line that would run a script gcc.sh from the
> /etc/cron.hourly folder.
>
Yes, you've been infected (the cronjob name was the clue). It's DDoS malware.
It probably runs some /usr/lib library file (which again is not usual). I was
looking into a report of this a few days ago, but there was little info I could
find. Initial attack may have been through brute force SSH access (as reported
by others).

I would at this point urge people to use RKH to monitor their cron (and 'at')
systems. Monitoring something like '/var/spool/cron/*' and in particular the
'/etc/crontab', '/etc/cron.d/*', '/etc/cron.daily/*', '/etc/cron.hourly/*' etc
files and directories will help alert you to these sort of things soon after
they happen (depending on how often you run RKH).



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

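An added example, not part of this thread and not rkhunter's own file properties code, that serves two of the questions on this page: the cron/at monitoring John recommends here, and the earlier question about scanning a snapshot of another system mounted read-only, which rkhunter cannot do. It records a SHA-256 baseline of every regular file under the watched cron and at locations relative to a root directory, and reports files that were added, changed or removed since the baseline. Because paths are stored relative to the root, a baseline taken on the live system can be checked against its image by passing the mount point as ROOT. The WATCH_PATHS list and the "gcc.sh" job in the test are constructed from the locations named in the thread; adjust the list to the distribution.

```shell
#!/bin/sh
# Added example, not rkhunter code: baseline and diff of cron/at files
# below a root directory (live "/" or a read-only mounted snapshot).

# Locations to watch, relative to ROOT. These are the paths John lists,
# plus the weekly/monthly cron directories and at's spool (assumed layout).
WATCH_PATHS="etc/crontab etc/cron.d etc/cron.daily etc/cron.hourly \
etc/cron.weekly etc/cron.monthly var/spool/cron var/spool/at"

# baseline ROOT OUT: write "sha256  relative/path" for every regular file
# below the watched paths that exist under ROOT. Sorted so two baselines
# of the same tree are byte-identical.
baseline() {
    root=$1; out=$2
    ( cd "$root" || exit 1
      for p in $WATCH_PATHS; do
          if [ -e "$p" ]; then find "$p" -type f; fi
      done | sort | while read -r f; do sha256sum "$f"; done ) > "$out"
}

# diff_baseline ROOT BASELINE: rebuild the baseline for ROOT and compare it
# with a saved one. Prints ADDED / CHANGED / MISSING lines, sorted.
# Returns 0 if nothing differs, 1 otherwise. sha256sum separates the hash
# from the path with two spaces, so the path is taken as everything after
# that and may itself contain spaces.
diff_baseline() {
    root=$1; base=$2
    now=$(mktemp)
    baseline "$root" "$now"
    rc=0
    report=$(awk '
        { h=$1; p=$0; sub(/^[^ ]+  /, "", p) }
        FILENAME==ARGV[1] { old[p]=h; next }
        { new[p]=h }
        END {
            bad=0
            for (f in new)
                if (!(f in old))           { print "ADDED   " f; bad=1 }
                else if (old[f] != new[f]) { print "CHANGED " f; bad=1 }
            for (f in old)
                if (!(f in new))           { print "MISSING " f; bad=1 }
            exit bad
        }' "$base" "$now") || rc=1
    rm -f "$now"
    if [ -n "$report" ]; then printf '%s\n' "$report" | sort; fi
    return $rc
}
```

Usage on a live host: 'baseline / /var/lib/cron-baseline' once after a known-good install, then 'diff_baseline / /var/lib/cron-baseline' from cron at whatever interval you already run rkhunter; for the snapshot case, 'diff_baseline /mnt/snapshot /var/lib/cron-baseline' with the baseline copied from the clean instance. Within rkhunter itself the equivalent is to list the same paths in USER_FILEPROP_FILES_DIRS (wildcards as in John's message), run 'rkhunter --propupd' once, and let the file properties test report the changes.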


Re: [Rkhunter-users] rkhunter ALLOWDEVFILE false positives

2017-05-04 Thread John Horne
On Thu, 2017-05-04 at 17:57 +, Braesicke, Carl wrote:
> Hello,
>
> In mailing list article
> https://sourceforge.net/p/rkhunter/mailman/message/29140071/ regarding
> rkhunter 1.3.8, the problem "rkhunter ignores wildcard in ALLOWDEVFILE" was
> ascribed to a "race-condition".
...
>
> I believe I am experiencing this problem in rkhunter 1.4.2. Has there been a
> regression?
>
Not that I can see from the CHANGELOG.


John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
Plymouth University | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [Rkhunter-users] Large filesystems filling tmp

2017-02-10 Thread John Horne
On Fri, 2017-02-10 at 15:10 +, Matt Mofrad wrote:
> Hi.
>
> We have a series of NFS boxes connected to various systems in our
> infrastructure. Some of these shares are 300T+, which causes the tmp
> dir to fill with sort files when scanning these systems. Is there a
> way for us to ignore any mounted shares when running rkhunter as a
> cronjob?
>
What's on the shares? RKH is only going to look at them if there is
something on them that it has been configured to look at.



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK


Re: [Rkhunter-users] RKHunter keeps sending warnings email but no warnings generated

2016-09-22 Thread John Horne
On Mon, 2016-09-19 at 13:12 +, lanceh1412-busin...@yahoo.co.uk
wrote:
> Hi,
>
> I've got RKHunter running on three independent servers. Just
> recently, over the last week or so, I've started receiving email
> warnings that my servers may be infected. However, when I look in the
> logs there are no warnings and when I run rkhunter manually from the
> command line everything seems OK. Anyone had a similar problem or
> know what may have caused this?
>
Hi,

I would say check the log file for the configuration file being used.
Then check that whatever is producing the emails (from cron I assume)
is using the same config file. You may want to look at the
COPY_LOG_ON_ERROR option to see if you can capture what is going on.
To be honest it sounds like you may have 2 instances of rkhunter
running - one from cron which gives errors, one from the command-line
which does not.



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK
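
One way to test John's suspicion that two different rkhunter instances are involved, as an added example in shell (not code from the thread or from the rkhunter project): it reads each run's log to find which configuration file that run used and how many warnings it produced, so the cron run and the interactive run can be compared side by side. The log line it looks for ("Info: Using configuration file '/path'") is an assumption to verify against your own log, and both sample logs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread or of rkhunter itself: find out which
# configuration file two rkhunter runs used and how many warnings each logged,
# so a noisy cron run can be told apart from a clean interactive run.
# Assumed log format (check against your own log): rkhunter records the line
#   [HH:MM:SS] Info: Using configuration file '/path/to/rkhunter.conf'
# Both log files below are constructed for this demo.

# Print the configuration file path recorded in an rkhunter log (empty if none).
rkh_config_from_log() {
    sed -n "s/.*Info: Using configuration file '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print the number of "Warning:" lines in an rkhunter log ("0" when there are none).
rkh_warning_count() {
    grep -c 'Warning:' "$1" || true
}

# Compare two logs: "SAME <config>" when both runs used the same configuration
# file, otherwise "DIFFERENT <config-a> <config-b>".
rkh_compare_runs() {
    cfg_a=$(rkh_config_from_log "$1")
    cfg_b=$(rkh_config_from_log "$2")
    if [ -n "$cfg_a" ] && [ "$cfg_a" = "$cfg_b" ]; then
        echo "SAME $cfg_a"
    else
        echo "DIFFERENT ${cfg_a:-unknown} ${cfg_b:-unknown}"
    fi
}

# Constructed sample logs: a cron run that picked up /etc/rkhunter.conf and
# warned, and an interactive run that read a different config and did not.
RKH_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$RKH_DEMO_DIR"' EXIT
cat > "$RKH_DEMO_DIR/cron.log" <<'EOF'
[03:00:01] Running Rootkit Hunter version 1.4.2 on host1
[03:00:01] Info: Using configuration file '/etc/rkhunter.conf'
[03:00:09] Warning: Hidden directory found: /dev/.udev
[03:00:12] Warning: The file properties have changed:
[03:00:12]          File: /usr/bin/ssh
EOF
cat > "$RKH_DEMO_DIR/interactive.log" <<'EOF'
[10:15:30] Running Rootkit Hunter version 1.4.2 on host1
[10:15:30] Info: Using configuration file '/usr/local/etc/rkhunter.conf'
[10:15:40] Info: End date is Mon Sep 19 10:15:40 BST 2016
EOF

# Demo: were the two runs really comparing the same thing?
rkh_demo() {
    rkh_compare_runs "$RKH_DEMO_DIR/cron.log" "$RKH_DEMO_DIR/interactive.log"
    echo "cron warnings: $(rkh_warning_count "$RKH_DEMO_DIR/cron.log")"
    echo "interactive warnings: $(rkh_warning_count "$RKH_DEMO_DIR/interactive.log")"
}
rkh_demo
```

Point the functions at the real log written by the cron wrapper and the one written by your shell. If they name different configuration files, give both invocations the same --configfile. Setting COPY_LOG_ON_ERROR, as John suggests, keeps a copy of the log whenever a run produces warnings or errors, so the cron run's log is not overwritten before you can look at it.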


Re: [Rkhunter-users] R: Re: R: Re: R: Re: R: Re: Question about prelink

2016-08-12 Thread John Horne
On Fri, 2016-08-12 at 15:25 +0300, Nerijus Baliūnas wrote:
> 2016-08-12 14:44, John Horne rašė:
> >
> > On Fri, 2016-08-12 at 13:32 +0200, absolutely_f...@libero.it wrote:
> > >
> > > OK, why is --propupd not fixing this?
> > >
> > Because it is your RPM package manager that is reporting that your
> > files have changed. rkhunter just reports that back to you. It does
> > not 'fix' anything.
> >
> > >
> > > Should I change PKGMGR from RPM to NONE?
> > >
> > You can do, but I think you are then just hiding the problem. You need
> > to find out why the files have changed.
> Files changed because they are still prelinked, and prelink is
> uninstalled.
> You either have to unprelink them or reinstall affected packages (yum
> reinstall kmod for example).
>
Oh, so the files weren't unprelinked before removing the package. Yes,
that would cause the problem.

I would have thought reinstalling prelink, and then unprelinking
everything before removing it again would be the easiest way.



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK




Re: [Rkhunter-users] R: Re: R: Re: R: Re: R: Re: Question about prelink

2016-08-12 Thread John Horne
On Fri, 2016-08-12 at 13:32 +0200, absolutely_f...@libero.it wrote:
> OK, why is --propupd not fixing this?
>
Because it is your RPM package manager that is reporting that your
files have changed. rkhunter just reports that back to you. It does not
'fix' anything.

> Should I change PKGMGR from RPM to NONE?
>
You can do, but I think you are then just hiding the problem. You need
to find out why the files have changed.



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK




Re: [Rkhunter-users] R: Re: R: Re: Question about prelink

2016-08-12 Thread John Horne
On Fri, 2016-08-12 at 09:47 +0200, absolutely_f...@libero.it wrote:
> Hi John,
>
> thank you very much. I followed your suggestion, I still have
> warnings:
>
...
> /sbin/insmod [Warning ]
?
So what happens if you run 'rpm -Vf /sbin/insmod'?



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK
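
An added example in shell (not from the thread or from rkhunter) that ties John's 'rpm -Vf' suggestion here to the explanation in the reply dated 2016-08-12 15:25 above, that the binaries were still prelinked when prelink was removed: it pulls the file paths out of the "Package manager verification has failed" block of a log in the format quoted in this thread, decodes rpm -V result lines into attribute names, and lists only the files whose contents (size or digest) differ from the package, which are the ones that need unprelinking or a reinstall. The log excerpt and the rpm -V output are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of rkhunter itself: take the files
# rkhunter lists under "Package manager verification has failed", then decode
# 'rpm -V' / 'rpm -Vf' result lines for them and separate files whose contents
# differ from the package (size or digest) from files with only metadata
# differences. rpm's verification columns are, in order:
#   S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps
# The log excerpt and the rpm -V output below are constructed for this demo.

# Print the file paths listed under rkhunter's
# "Warning: Package manager verification has failed:" block(s) in a log.
rkh_pkgmgr_failures() {
    awk '
        /Warning: Package manager verification has failed:/ { grab = 1; next }
        grab && $2 ~ /^\// { print $2; next }
        { grab = 0 }
    ' "$1"
}

# Decode one rpm -V result line, e.g. "S.5....T.    /sbin/insmod", into
# "<path>: <failed attributes>" ("missing" when the file is absent).
rpm_verify_decode() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("size mode digest device link user group mtime caps", name, " ") }
        $1 == "missing" { print $NF ": missing"; next }
        {
            out = ""
            for (i = 1; i <= 9 && i <= length($1); i++) {
                c = substr($1, i, 1)
                if (c != "." && c != "?") out = out " " name[i]
            }
            print $NF ":" (out == "" ? " none" : out)
        }'
}

# Read rpm -V lines on stdin and print only the files whose contents differ
# from what the package shipped (size or digest failed). In the thread these
# are the binaries left prelinked after prelink was removed, so they need
# unprelinking or a package reinstall; mtime-only differences do not.
rpm_verify_content_changed() {
    while IFS= read -r line; do
        decoded=$(rpm_verify_decode "$line")
        case "$decoded" in
            *" size"*|*" digest"*) printf '%s\n' "${decoded%%:*}" ;;
        esac
    done
}

# Constructed inputs: an rkhunter log excerpt in the format quoted in the
# thread, and rpm -V output for the package owning /sbin/insmod.
RKH_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$RKH_DEMO_DIR"' EXIT
cat > "$RKH_DEMO_DIR/rkhunter.log" <<'EOF'
[04:25:57] Warning: Package manager verification has failed:
[04:25:57]   /sbin/route
[04:25:57]   /sbin/insmod
[04:25:58] Info: Checking for hidden files and directories
EOF
RPM_V_SAMPLE='S.5....T.    /sbin/insmod
.......T.    /sbin/route
S.5....T.  c /etc/depmod.d/dist.conf
missing     /usr/share/doc/kmod/README'

# Demo: which of the flagged files actually changed on disk?
rpm_verify_demo() {
    printf '%s\n' "$RPM_V_SAMPLE" | rpm_verify_content_changed
}
echo "rkhunter flagged:"; rkh_pkgmgr_failures "$RKH_DEMO_DIR/rkhunter.log"
echo "content changed according to rpm:"; rpm_verify_demo
```

On a live system, feed rkh_pkgmgr_failures the real log, run 'rpm -Vf' on each path it prints, and pipe that output through rpm_verify_content_changed. A file that shows only an mtime difference is not the prelink problem; one that fails size or digest is the case the thread describes, and after unprelinking or reinstalling, 'rkhunter --propupd' brings the stored properties back in line.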




Re: [Rkhunter-users] R: Re: Question about prelink

2016-08-11 Thread John Horne
On Thu, 2016-08-11 at 09:25 +0200, absolutely_f...@libero.it wrote:
> Hi John,
>
> [04:25:57] Warning: Package manager verification has failed:
> [04:25:57]   /sbin/route
>
Check if '/etc/prelink.cache' exists. If it does, delete it.
Then run 'rkhunter --propupd', and then 'rkhunter --enable properties'.


John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK


Re: [Rkhunter-users] Question about prelink

2016-08-10 Thread John Horne
On Wed, 2016-08-10 at 21:50 +0200, absolutely_f...@libero.it wrote:
> Hi,
>
> I noticed this message in my last rkhunter log:
>
> Warning: The system has changed to not using prelinking since the
> last run.
>  Because of the change(s) the file properties checks may give
> some false-positive results.
>  You may need to re-run rkhunter with the '--propupd' option.
>
> I ran rkhunter --propupd but it seems I still have several alerts
> about many binaries.
>
What alerts?



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



Re: [Rkhunter-users] SSH PermitRootLogin forced-commands-only

2016-07-22 Thread John Horne
On Fri, 2016-07-22 at 08:31 +, Protected wrote:
> sshd_config:
>
> PermitRootLogin forced-commands-only
>
>
> rkhunter.conf.local:
>
> ALLOW_SSH_ROOT_USER=forced-commands-only
>
Hi,

They both look fine compared to the code.
Could you run 'rkhunter --enable system_configs --debug' and email me
the debug file produced in '/tmp' please.



John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK


Re: [Rkhunter-users] SSH PermitRootLogin forced-commands-only

2016-07-21 Thread John Horne
On Sat, 2016-07-16 at 09:19 +, Protected wrote:
> Hello,
>
> Using latest rkhunter (1.4.2) on openSUSE 13.1. I'm getting some weird
> warning:
>
> Warning: The SSH and rkhunter configuration options should be the same:
>  SSH configuration option 'PermitRootLogin': forced-commands-only
>  Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': forced-commands-only
>
>
> I've also double-checked both configurations for maybe some trailing
> whitespace. Is "forced-commands-only" simply not supported by
> rkhunter?
>
Hi,

The check just compares what you have in your SSH config file against
what you have in your rkhunter config file. It does not check for
specific values, so you could put anything you like into the config
files. (Obviously though SSH will probably complain if you don't use
something it recognises!)

Can you email the relevant option lines in your SSH config file, and
your rkhunter config file please? I'm wondering if the format of one of
the options is not what rkhunter is expecting.




John.

--

John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK
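
An added example in shell (not the thread's or rkhunter's own code) of the comparison John describes: it resolves PermitRootLogin from sshd_config the way sshd does (first uncommented global line wins, keyword matched case-insensitively, Match blocks ignored), resolves ALLOW_SSH_ROOT_USER from rkhunter.conf and rkhunter.conf.local (assumed here: the local file overrides the main one, and trailing whitespace and surrounding double quotes are stripped), and reports whether the two strings agree. All three configuration files are constructed, and whether rkhunter itself trims values in exactly this way is an assumption, which is the kind of format question John is asking about.

```shell
#!/bin/sh
# Added example, not part of the thread or of rkhunter itself: read the
# PermitRootLogin value the way sshd resolves it (first uncommented global
# occurrence wins, keyword matched case-insensitively, Match blocks ignored)
# and the ALLOW_SSH_ROOT_USER value from the rkhunter configuration files
# (assumed here: rkhunter.conf.local overrides rkhunter.conf, trailing
# whitespace and surrounding double quotes stripped), then compare the two
# strings as the thread says rkhunter's check does.
# All configuration files below are constructed for this demo.

# Print the effective global value of an sshd_config keyword.
sshd_option() {
    # $1 = sshd_config path, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }   # values below apply only to matching clients
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# Print the value of a rkhunter option from the given config files, read in
# load order; a later file overrides an earlier one.
rkh_option() {
    # $1 = option name, remaining arguments = config files in load order
    name=$1; shift
    [ $# -gt 0 ] || return 1
    cat "$@" | awk -v key="$name" -F= '
        /^[[:space:]]*#/ { next }
        $1 == key {
            val = $2
            sub(/[[:space:]]+$/, "", val)
            gsub(/^"|"$/, "", val)
        }
        END { if (val != "") print val }
    '
}

# Compare the two values: MATCH or MISMATCH plus what each side resolved to.
ssh_root_check() {
    # $1 = sshd_config path, remaining arguments = rkhunter config files
    sshd_cfg=$1; shift
    ssh_val=$(sshd_option "$sshd_cfg" PermitRootLogin)
    rkh_val=$(rkh_option ALLOW_SSH_ROOT_USER "$@")
    if [ -n "$ssh_val" ] && [ "$ssh_val" = "$rkh_val" ]; then
        echo "MATCH PermitRootLogin=$ssh_val ALLOW_SSH_ROOT_USER=$rkh_val"
    else
        echo "MISMATCH PermitRootLogin=${ssh_val:-unset} ALLOW_SSH_ROOT_USER=${rkh_val:-unset}"
    fi
}

# Constructed configuration files.
SSH_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$SSH_DEMO_DIR"' EXIT
cat > "$SSH_DEMO_DIR/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin forced-commands-only
Match User backup
    PermitRootLogin no
EOF
printf 'ALLOW_SSH_ROOT_USER=no\n' > "$SSH_DEMO_DIR/rkhunter.conf"
# The local file overrides the main one; note the trailing spaces after the value.
printf 'ALLOW_SSH_ROOT_USER=forced-commands-only   \n' > "$SSH_DEMO_DIR/rkhunter.conf.local"

# Demo: with the local override file, and then without it.
ssh_root_check "$SSH_DEMO_DIR/sshd_config" "$SSH_DEMO_DIR/rkhunter.conf" "$SSH_DEMO_DIR/rkhunter.conf.local"
ssh_root_check "$SSH_DEMO_DIR/sshd_config" "$SSH_DEMO_DIR/rkhunter.conf"
```

The second call shows the failure mode to look for when both files appear to hold the same value: if the local file is not being read (for instance because it sits in a different directory from the configuration file the log reports), the main file's value is compared instead and the check fails.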


Re: [Rkhunter-users] unable to turn off propupd

2016-06-13 Thread John Horne
On Sun, 2016-06-12 at 22:14 +0200, Sam Ashley wrote:
> I have set UPDT_ON_OS_CHANGE=0 but when I install or remove anything
> rkhunter runs --propupd. Previously this wasn't happening, or I
> should say that it was happening but explicitly setting that to 0
> stopped it. Now even with that set to 0 it always runs --propupd. How
> can I turn this off??
> 
How do you know that '--propupd' is being run?



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK




Re: [Rkhunter-users] Update error Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.

2016-06-09 Thread John Horne
On Thu, 2016-06-09 at 12:10 -0400, Kristopher Moreau wrote:
> While upgrading from version 1.3.8 to latest getting below error :
> 
>   Info: Executing download command '/usr/bin/wget  -q -O 
> /var/lib/rkhunter/rkhunter.upd.8IsBNHTzvR 
> http://rkhunter.sourceforge.net/1.3/i18n/1.3.8/i18n.ver 2>/dev/null'
> [11:44:24] Checking file i18n versions   [ Update
> failed ]
> [11:44:24] Warning: Download of 'i18n.ver' failed: Unable to
> determine the latest version number.
> 
> URL http://rkhunter.sourceforge.net/1.3/i18n/1.3.8/i18n.ver has 404
> error.
> 
That's a very old version. The files for it don't exist anymore.
Secondly, it looks like you are trying to use 'rkhunter --update' to
update it. That command only updates the data files, not the version of
rkhunter. You will need to download the latest version from
sourceforge.

> I'm using Fedora 14
> 
Wow! That is really old too. I would seriously suggest you update your
PC/laptop/whatever.




John.

--
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK




Re: [Rkhunter-users] rkhunter complains about prelink (while prelink is disabled)

2016-06-02 Thread John Horne
On Thu, 2016-06-02 at 11:37 +0200, Kees de Jong wrote:
> 
> I completely disabled prelink (in
> /etc/sysconfig/prelink: PRELINKING=no) and I also ran the command
> `prelink -au`. But still rkhunter thinks prelinking is enabled. I
> configured the hashes to SHA512 instead of SHA1 and since then it
> complains about this. I also reinstalled the files from Samba and
> Firefox, no luck. Does anyone know how to fix this?
> 
Delete the '/etc/prelink.cache' file. Then run 'rkhunter --propupd'.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK




Re: [Rkhunter-users] 15 suspect files.

2016-04-23 Thread John Horne
On Fri, 2016-04-22 at 13:45 -0600, William wrote:
>   I'd like to be able to each Thursday, enter
> 
> dnf upgrade
> 
> and when that's done, enter
> 
> rkhunter --check
> 
> and know that it will check everything, including the things I was 
> warned on a week ago, but only see new warnings if something got 
> corrupted since the last rkhunter scan.  If something was not touched
> by this Thursday's "dnf upgrade", and was not changed since the last 
> rkhunter scan was done, I should not see another warning on that
> item.  Also, I should not see a warning on an item that "dnf upgrade"
> did touch if that was done cleanly.
> 
Hi,

Take a look in the config file at the PKGMGR option. For Fedora, set it
to RPM (and then run 'rkhunter --propupd').



John.

-- 

John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK




Re: [Rkhunter-users] R: Re: checkall option?

2016-03-22 Thread John Horne
On Tue, 2016-03-22 at 14:52 +0100, absolutely_f...@libero.it wrote:
> Hi John,
> 
> thank you for your reply.
> So, basically, the difference between:
> 
> RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --
> appendlog --display-logfile"
> 
> RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
> 
> doesn't affect the number of tests, but only the report, correct?
> 
Correct.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



