Re: [Rkhunter-users] Running processes false warning?

2010-09-23 Thread John Horne
On Mon, 2010-09-13 at 14:14 +0300, Nerijus Baliunas wrote:
> On Mon, 13 Sep 2010 11:56:03 +0100 John Horne john.ho...@plymouth.ac.uk
> wrote:
>
> > > I have similar problem with wine. When there are no wine apps running,
> > > I get no warning, but with wine running I get the warning.
> > > I made a diff of lsof output with wine running and not - it seems the
> > > following
> > > opened directory is guilty:
> > > +n/mnt/d/winnt4nowin/windows/system
> > > Is it possible to whitelist it somehow?
> >
> > Yes, use the rootkit file whitelist option.
>
Hello,

I have looked into this further, and actually noticed what the problem
was. The test should only be listing out files, not directories. I have
corrected this for the next release. So in this instance you should not
need to whitelist anything.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] Running processes false warning?

2010-09-13 Thread Nerijus Baliunas
On Mon, 13 Sep 2010 11:56:03 +0100 John Horne john.ho...@plymouth.ac.uk wrote:

> > I have similar problem with wine. When there are no wine apps running,
> > I get no warning, but with wine running I get the warning.
> > I made a diff of lsof output with wine running and not - it seems the
> > following
> > opened directory is guilty:
> > +n/mnt/d/winnt4nowin/windows/system
> > Is it possible to whitelist it somehow?
>
> Yes, use the rootkit file whitelist option.

If I use RTKT_FILE_WHITELIST=/mnt/d/winnt4nowin/windows/system
rkhunter says Whitelisted rootkit file does not exist: 
/mnt/d/winnt4nowin/windows/system
If I use RTKT_DIR_WHITELIST=/mnt/d/winnt4nowin/windows/system (as it is a 
directory),
I still get the warning.

Regards,
Nerijus



Re: [Rkhunter-users] Running processes false warning?

2010-09-13 Thread John Horne
On Mon, 2010-09-13 at 14:14 +0300, Nerijus Baliunas wrote:
> On Mon, 13 Sep 2010 11:56:03 +0100 John Horne john.ho...@plymouth.ac.uk
> wrote:
>
> > > I have similar problem with wine. When there are no wine apps running,
> > > I get no warning, but with wine running I get the warning.
> > > I made a diff of lsof output with wine running and not - it seems the
> > > following
> > > opened directory is guilty:
> > > +n/mnt/d/winnt4nowin/windows/system
> > > Is it possible to whitelist it somehow?
> >
> > Yes, use the rootkit file whitelist option.
>
> If I use RTKT_FILE_WHITELIST=/mnt/d/winnt4nowin/windows/system
> rkhunter says Whitelisted rootkit file does not exist:
> /mnt/d/winnt4nowin/windows/system
> If I use RTKT_DIR_WHITELIST=/mnt/d/winnt4nowin/windows/system (as it is a
> directory),
> I still get the warning.
>
In which case probably not much can be done about this for the current
release. The next release does allow for files/dirs to exist or
not-exist with certain tests, but I'm not sure we would want to do that
for known rootkit files. I'll have to think about this.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001



Re: [Rkhunter-users] Running processes false warning?

2010-09-12 Thread Nerijus Baliunas
On Thu, 09 Sep 2010 10:21:56 +0100 John Horne john.ho...@plymouth.ac.uk wrote:

> The test is for complete files names, not partial matches - so
> '.../system' matches, but '.../system_bus_socket' will not. Without
> seeing the lsof output, which has obviously changed by now, it is
> impossible to say what was matched.

I have similar problem with wine. When there are no wine apps running,
I get no warning, but with wine running I get the warning.
I made a diff of lsof output with wine running and not - it seems the following
opened directory is guilty:
+n/mnt/d/winnt4nowin/windows/system
Is it possible to whitelist it somehow?
I tried to change rkhunter binary like this:

--- rkhunter.orig   2009-11-29 15:05:09.0 +0200
+++ rkhunter2010-09-13 02:48:20.524209918 +0300
@@ -6384,7 +6384,6 @@
 ras2xm:Unknown rootkit
 vobiscum:Unknown rootkit
 sshd3:Unknown rootkit
-system:Unknown rootkit
 t0rnsb:T0rn
 t0rns:T0rn
 t0rnp:T0rn
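Review bot: deleting the `system:Unknown rootkit` entry from the built-in list silences that known-rootkit filename on every run rather than correcting the directory match, and editing the installed /usr/bin/rkhunter in place is exactly what trips the package manager verification warning quoted below (hash, size and modification time no longer match the package). Keeping the binary untouched and using the RTKT_FILE_WHITELIST / RTKT_DIR_WHITELIST options discussed in this thread, or waiting for the fix that makes the test list only files and not directories, avoids both problems.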

but then I get a warning:
[02:54:07] /usr/bin/rkhunter [ Warning ]
[02:54:07] Warning: Package manager verification has failed:
[02:54:07]  File: /usr/bin/rkhunter
[02:54:07]  The file hash value has changed
[02:54:07]  The file size has changed
[02:54:07]  The file modification time has changed

The warning remains even after running rkhunter --propupd, why?
Ah, it's because of Package manager verification.

Regards,
Nerijus



Re: [Rkhunter-users] Running processes false warning?

2010-09-09 Thread John Horne
On Thu, 2010-09-09 at 09:51 +0200, John Bond wrote:
> I have an RKHunter 1.3.6 job running, which more or less often returns
> a warning on the running processes check.
> The log says that a file named backdoor, adore.o, mod_rootme.so,
> phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava, tzava,
> mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system,
> t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber,
> xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write,
> Phantasmagoria.o, lkt.o, nlkt.o has been found and must be verified
> with lsof -F n -w -n.
>
> Lsof runs ran immediately (without any latency) after rkhunter don't
> show any match, if not partial matches of appropriate files, like:
>
>   n/var/run/dbus/system_bus_socket
>
> Which starts with 'system'.
>
 
The test is for complete files names, not partial matches - so
'.../system' matches, but '.../system_bus_socket' will not. Without
seeing the lsof output, which has obviously changed by now, it is
impossible to say what was matched.

The test has been improved for the next release in that it will tell you
exactly which filename matched.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


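The running-processes check as the thread describes it, written out as an added example that is not rkhunter's own code: complete basename matching (so '.../system' hits but '.../system_bus_socket' does not), the fix of skipping open directories that caused the wine false positive, and a file whitelist. The `lsof -F n` excerpt and the three-entry rootkit list are constructed from names quoted in the thread, and the injectable `is_dir` check is an assumption so the constructed paths can be evaluated offline.

```python
"""Running-processes check modelled on the thread (added example, not rkhunter
code). Matches the whole basename of each open path against known rootkit file
names, ignores directories and whitelisted paths. Inputs are constructed."""
import os

# Short excerpt of the built-in list quoted in the thread (assumed format).
KNOWN_ROOTKIT_FILES = {
    "sshd3": "Unknown rootkit",
    "system": "Unknown rootkit",
    "t0rnsb": "T0rn",
}

# Constructed `lsof -F n -w -n` output: 'p' = pid, 'f' = fd, 'n' = name.
LSOF_OUTPUT = """p1234
f5
n/var/run/dbus/system_bus_socket
f6
n/mnt/d/winnt4nowin/windows/system
p5678
fcwd
n/tmp
f3
n/tmp/sshd3
"""

def parse_lsof_names(output):
    """Yield (pid, path) for every 'n' record in lsof -F output."""
    pid = None
    for line in output.splitlines():
        if line.startswith("p"):
            pid = int(line[1:])
        elif line.startswith("n"):
            yield pid, line[1:]

def check_running_processes(output, whitelist=(), is_dir=os.path.isdir):
    """Return [(pid, path, rootkit)] for open files whose complete basename is
    a known rootkit file name. is_dir is injectable so constructed paths can
    be checked without touching the real filesystem."""
    hits = []
    for pid, path in parse_lsof_names(output):
        if path in whitelist or is_dir(path):   # fixed test: directories never match
            continue
        name = os.path.basename(path)           # whole name, not a prefix match
        if name in KNOWN_ROOTKIT_FILES:
            hits.append((pid, path, KNOWN_ROOTKIT_FILES[name]))
    return hits
```

Passing `is_dir=lambda p: False` reproduces the pre-fix behaviour, where the open wine directory `/mnt/d/winnt4nowin/windows/system` is reported as a rootkit file.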