Re: [Rkhunter-users] howto requested: eliminate Dica-Kit Rootkit

2010-05-08 Thread Al Varnell
have been replaced with scripts, which I believe to be normal. Since I joined this list to find answers to many of the other findings you had, I think I'll stop here and let others contribute what they know. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-04 Thread Al Varnell
guessing I can ignore this one. I've got some thoughts, but I'll save them for a separate email and if I run into any further issues I'll be back. -Al- -- Al Varnell Mountain View, CA

[Rkhunter-users] Boonana Trojan

2010-11-04 Thread Al Varnell
, but as an email attachment. Hopefully you folks have better access to details than I do, but this one should be a challenge for any platform running Java today. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-10 Thread Al Varnell
Final report. I seem to have everything under control now, so barring any additional changes I'll wind up my testing. See resolution of crontab issue below. On 11/9/10 4:00 AM, Al Varnell alvarn...@mac.com wrote: On 11/9/10 3:17 AM, John Horne john.ho...@plymouth.ac.uk wrote: On Tue, 2010

Re: [Rkhunter-users] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.

2010-11-19 Thread Al Varnell
to the RKH DB in conjunction with the rollout of the new version. You do know that v1.3.8 is out, right? Lots of good new stuff. Sent from Janet's iPad -Al- -- Al Varnell

Re: [Rkhunter-users] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.

2010-11-19 Thread Al Varnell
On Nov 19, 2010, at 8:03 PM, Chris cpoll...@embarqmail.com wrote: On Fri, 2010-11-19 at 19:38 -0800, Al Varnell wrote: On Nov 19, 2010, at 5:21 PM, Chris cpoll...@embarqmail.com wrote: RKhunter V1.3.6, this apparently started yesterday on my morning rkhunter cronjob. It also reports

Re: [Rkhunter-users] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.

2010-11-20 Thread Al Varnell
On 11/20/10 3:19 PM, Chris cpoll...@embarqmail.com wrote: On Fri, 2010-11-19 at 19:38 -0800, Al Varnell wrote: On Nov 19, 2010, at 5:21 PM, Chris cpoll...@embarqmail.com wrote: RKhunter V1.3.6, this apparently started yesterday on my morning rkhunter cronjob. It also reports: Checking

Re: [Rkhunter-users] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.

2010-11-20 Thread Al Varnell
On 11/20/10 3:26 PM, Robert Holtzman hol...@cox.net wrote: On Fri, Nov 19, 2010 at 07:38:03PM -0800, Al Varnell wrote: On Nov 19, 2010, at 5:21 PM, Chris cpoll...@embarqmail.com wrote: RKhunter V1.3.6, this apparently started yesterday on my morning rkhunter cronjob. It also reports

Re: [Rkhunter-users] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.

2010-11-20 Thread Al Varnell
On 11/20/10 3:50 PM, Al Varnell alvarn...@mac.com wrote: On 11/20/10 3:26 PM, Robert Holtzman hol...@cox.net wrote: On Fri, Nov 19, 2010 at 07:38:03PM -0800, Al Varnell wrote: On Nov 19, 2010, at 5:21 PM, Chris cpoll...@embarqmail.com wrote: RKhunter V1.3.6, this apparently started

Re: [Rkhunter-users] installed RKH on mac os x 10.6.6 possible RK?

2011-01-25 Thread Al Varnell
of the /etc/ssh/sshd_config most other OSes use? Yes, I have it in my USER_FILEPROP_FILES_DIRS and RTKT_FILE_WHITELIST lists in a rkhunter.conf.local file running Mac OS X 10.5.8. -Al- -- Al Varnell Mountain View, CA

[Rkhunter-users] OSX Togroot Rootkit

2013-09-23 Thread Al Varnell
, the variants of OSX Inqtana all seem to be user files, with none installed in the system. -Al- -- Al Varnell Mountain View, CA

[Rkhunter-users] ClamAV Signatures in v1.4.2

2014-03-06 Thread Al Varnell
I stumbled across a set of ClamAV signatures in the 1.4.2 tar file that were not installed in my /private/var/lib/rkhunter/db/. Under what circumstances should they be copied over? -Al- -- Al Varnell Mtn View, CA iMac OS X 10.9.2

Re: [Rkhunter-users] Linux/Ebury

2014-03-18 Thread Al Varnell
processes for suspicious files”. I also note that the following two ClamAV® signature files are included if you are using them for ClamAV® scans: RKH_libkeyutils.ldb RKH_libkeyutils1.ldb -Al- -- Al Varnell Mountain View, CA

[Rkhunter-users] False Positive

2014-03-21 Thread Al Varnell
at the strings in the file and the signature it would appear that embedded words in the file match sub signatures 6, 7, 8. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] verification has failed : File: /etc/rkhunter.conf

2014-05-11 Thread Al Varnell
On Sun, May 11, 2014 at 12:05 AM, Al Varnell wrote: On Sat, May 10, 2014 at 10:45 PM, ellanios82 wrote: On 05/11/2014 01:16 AM, John Horne wrote: On Sat, 2014-05-10 at 13:04 +0300, ellanios82 wrote: Hello List, - on my home PC , am running rkhunter-1.4.0-8.1.2.x86_64 on Linux

Re: [Rkhunter-users] verification has failed : File: /etc/rkhunter.conf

2014-05-11 Thread Al Varnell
that rkhunter is at version 1.4.2 now, so unless you must rely on your package manager for updates, you might as well install the latest version. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] Rkhunter configuration

2014-08-25 Thread Al Varnell
simple, actually. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] Possible Rootkit: Dica-Kit Rootkit

2014-09-08 Thread Al Varnell
If you are absolutely sure it’s clean then whitelist it in rkhunter.conf.local. # # The following two options can be used to whitelist files and directories # that would normally be flagged with a warning during the various rootkit # and malware checks. If the file or directory name contains a

Re: [Rkhunter-users] System logging daemon check

2015-05-08 Thread Al Varnell
updated to 1.4.2, released 6 weeks ago What? 1.4.2 was released on 24 February 2014, so it’s been in use by many of us for almost fifteen months now. I think we have the right to assume that questions here won’t be about three year old versions. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] SourceForge

2015-06-05 Thread Al Varnell
From everything I read, the SourceForge issue only involved GIMP, which had been abandoned. This posting from yesterday indicates that SourceForge blinked and will only be offering Opt-Ins from now on: https://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-projects-only/

Re: [Rkhunter-users] RK Definition Updates mirror location for 1.4 version

2015-05-25 Thread Al Varnell
Well that would certainly explain my earlier assumption that the programs_bad database was no longer being maintained. -Al- On Mon, May 25, 2015 at 01:37 AM, Henry wrote: Hi, during weekly update the log report that root of the current used mirror is: http://rkhunter.sourceforge.net/1.3/ on

Re: [Rkhunter-users] Results of RKhunter

2016-01-17 Thread Al Varnell
I doubt it, but if you don’t know enough about Ubuntu to know whether or not those files should be found, then perhaps RKHunter isn’t the right tool for you to be using. -Al- On Sun, Jan 17, 2016 at 01:45 PM, sok wrote: > > > Dear friends, > this is the first time I am running Rkhunter. > I

Re: [Rkhunter-users] rkhunter and portsentry, possible false positives

2016-04-15 Thread Al Varnell
hunter finds different possible rootkits. > I'm not completely sure, but I want to bring the rkhunter and portsentry > interaction to attention. Informed opinions appreciated. If it matters, this > is on FreeBSD 10.3. Thank you. -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] warnings in daily run report

2016-09-19 Thread Al Varnell
false-positives? > 2. How I fix the actual problem, whether it is a genuine file corruption or a > false-positive? > 3. Are there troubleshooting steps I can follow to analyse the cause of this? > > I have applied all available yum updates to the system too, so maybe it's &

Re: [Rkhunter-users] Previously Unseen Warnings on macOS

2016-10-25 Thread Al Varnell
Was hoping another macOS user would join us... I'll start with a little preamble concerning Rootkit Hunter's applicability to macOS. In the beginning it was meant as a tool for Unix admins to guard against rooting attempts. Other platforms have been added, as an afterthought, but never

Re: [Rkhunter-users] thanks

2016-11-15 Thread Al Varnell
User support is great and needed here, but I was kind of hoping that John or UnSpawn would jump in and describe the kind of help wanted. Although programming would be of benefit, my guess is that that's the easiest part of keeping things up-to-date. I suspect there is a need for skills that

Re: [Rkhunter-users] project status?

2016-11-13 Thread Al Varnell
See Ticket #154 Is The Project Still In Development? -Al- On Sun, Nov 13, 2016 at 04:00 AM, John wrote: > > > It's been over 2.5 years since the last release of rootkit hunter. Is the > project dead?

Re: [Rkhunter-users] Is There a Question Here?

2017-08-03 Thread Al Varnell
les >>>>>>>>> File updated: searched for 178 > files, found 148 > > 2017-07-12 4:08 GMT+02:00 Al Varnell <alvarn...@mac.com > <mailto:alvarn...@mac.com>>: > On Jul 11, 2017, at 5:59 PM, Najib Mahfoud wrote: > > rkhunter --propupd > >

Re: [Rkhunter-users] Is There a Question Here?

2017-07-11 Thread Al Varnell
On Jul 11, 2017, at 5:59 PM, Najib Mahfoud wrote: > rkhunter --propupd > [ Rootkit Hunter version 1.4.2 ] > File updated: searched for 178 files, found 148 Sent from Janet's iPad -Al- -- Al Varnell Mountain

Re: [Rkhunter-users] Next release - this week

2017-06-29 Thread Al Varnell
On Sun, Jun 25, 2017 at 03:36 PM, John Horne wrote: > > > On Sun, 2017-06-25 at 15:24 -0700, Al Varnell wrote: >> CVS version at <https://sourceforge.net/p/rkhunter/wiki/cvs/> appears to >> still be 1.4.3? >> > Correct. CVS versions are odd, the live ver

Re: [Rkhunter-users] Configuration tips?

2017-06-08 Thread Al Varnell

Re: [Rkhunter-users] 1.4.2 not updating

2017-12-12 Thread Al Varnell
On Tue, Dec 12, 2017 at 12:57 AM, Al Varnell wrote: > On Mon, Dec 11, 2017 at 08:16 PM, Pete Schaefers wrote: >> But can anyone explain the logic of versioncheck and its output being... >> >> Checking rkhunter version... >> This version : 1.4.2 >> Latest ver

Re: [Rkhunter-users] Possible Rootkit

2018-05-09 Thread Al Varnell
Didn't you get a section above the summary that looks something like this: Checking for rootkits... Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [

Re: [Rkhunter-users] Possible Rootkit

2018-05-09 Thread Al Varnell
e: > Nope, nothing in the list of rootkits you referenced is written in red. They > are all tagged "not found" in green. Every rootkit check listed in the > /var/log/rkhunter.log is listed as not found. > > > > On Wed, 2018-05-09 at 15:13 -0700, Al Varnell wrote: >&

Re: [Rkhunter-users] Are mirrors having issues again

2018-06-16 Thread Al Varnell
Note that there has only been one update to the rkhunter.dat file on 11 June since a few previous files were updated in February, so occasional network hiccups are extremely unlikely to impact anybody. -Al- On Sat, Jun 16, 2018 at 06:31 PM, Chris wrote: > On Sat, 2018-06-16 at 21:39 +,

Re: [Rkhunter-users] Filename is not in the "rkhunter.dat" file

2017-10-28 Thread Al Varnell
In order to use your own local configuration, add the following file /etc/rkhunter.local that contains the following line: USER_FILEPROP_FILES_DIRS=/usr/bin/telnet -Al- On Sat, Oct 28, 2017 at 03:09 AM, Nerijus Baliunas via Rkhunter-users wrote: > > Hello, > > I installed telnet on the

Re: [Rkhunter-users] Rootkit infection on Mac? Please help?

2017-12-27 Thread Al Varnell
By the way, all the other findings are normal for Macs with default settings. You really have to view the log to see what the actual findings are and it's not viewable to even an admin user without changing permissions on the log file. Sent from my iPad > On Dec 27, 2017, at 11:35 AM, Ms. Eva

Re: [Rkhunter-users] Check for Kernel Symbols skipped

2018-02-05 Thread Al Varnell
ecause /proc/modules is empty and > /lib/modules not existing which are the only tests “os_specific” triggers. > > Thanks > > > Stefan > > From: Al Varnell [mailto:alvarn...@mac.com <mailto:alvarn...@mac.com>] > Sent: Monday, 5 February 20

Re: [Rkhunter-users] FW: [rkhunter] Warnings found for tc16.teocloud.com

2018-01-29 Thread Al Varnell
There cannot be a "False Positives" for "Possible" and "Warning" alerts. Such findings are routine events for RKHunter to report. They are simply alerts that the user should investigate further to determine if the reported behavior is malicious and if not to whitelist the finding. -Al- On

Re: [Rkhunter-users] Warning: Download of 'mirrors.dat' failed:

2018-02-19 Thread Al Varnell
r > <http://rkhunter.sourceforge.net/1.4/i18n/1.4.4/i18n.ver> > > Is there an ETA as to when the migration will be finished? -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] Replaced by scripts, startup files, promiscuous interfaces, SSH and hidden file warnings

2018-04-01 Thread Al Varnell
[22:33:46] Checking for hidden files and directories [ Warning ] > [22:33:46] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5: troff > or preprocessor input text, ASCII text I can confirm that this is a legitimately hidden file, although I can't really imagine why

Re: [Rkhunter-users] unable to update to new version

2019-01-01 Thread Al Varnell via Rkhunter-users
The update command only updates the databases, not the binary. You have to download, configure, compile and install the new version. Sent from my iPad -Al- On Jan 1, 2019, at 08:37, bobby wrote: > I am trying to update from 1.4.2 to 1.4.6. When I run the update command, it > tells me there

Re: [Rkhunter-users] Rkhunter says : Invalid syslog facility name: none

2018-11-23 Thread Al Varnell via Rkhunter-users
What platform, OS and version are you running? Sent from my iPad -Al- macOS user > On Nov 23, 2018, at 11:19, Brent Clark wrote: > > Good day Guys > > I just installed rkhunter, but when I run it, I get the following message. > > Invalid syslog facility name: none > > For the likes of me,

Re: [Rkhunter-users] rkhunter daily report

2019-02-19 Thread Al Varnell via Rkhunter-users
In order for anybody to respond to your statement "I think it can be safely ignored." you need to tell us what OS you are running. The "ALLOWPROCDELFILE" statement must reference a file name, but you have indicated a directory name. I would have to guess, since this is a tmp directory, that

Re: [Rkhunter-users] Invalid USER_FILEPROP_FILES_DIRS in RKHunter > 1.4.0

2019-03-05 Thread Al Varnell via Rkhunter-users
My first reaction is why would you use anything older than version 1.4.6 which is the current supported version with many bug fixes and looks for current rootkits? Those two versions are five and seven years old now and probably won't find any RK's in use today. So you actually have a

Re: [Rkhunter-users] rkhunter daily report

2019-02-20 Thread Al Varnell via Rkhunter-users
On Tue 19 Feb 2019 at 10:05 Al Varnell wrote: > In order for anybody to respond to your statement "I think it can be safely > ignored." you need to tell us what OS you are running. > > The "ALLOWPROCDELFILE" statement must reference a file name, but you h

Re: [Rkhunter-users] Daily report & system updates

2019-02-20 Thread Al Varnell via Rkhunter-users
Process: /bin/run-partsPID: 6335File: /tmp/tmpfb2jk1P > Warning: File '/tmp/tmp.I5F2fmVFF6' (score: 220) contains some suspicious > content and should be checked. > Warning: Checking for files with suspicious contents [ Warning ] -Al- -- Al Varnell Mountain View, CA

Re: [Rkhunter-users] Broken link

2019-06-24 Thread Al Varnell via Rkhunter-users
Appears to be moved to: < https://sourceforge.net/p/rkhunter/wiki/browse_pages/>. Sent from my iPad -Al- > On Jun 24, 2019, at 16:14, Pascal via Rkhunter-users > wrote: > > The link to "Rootkit Hunter installation tutorial" at > http://rkhunter.sourceforge.net is broken. > > -Pascal

Re: [Rkhunter-users] Fwd: [clamav-users] LSD Malwares

2019-04-25 Thread Al Varnell via Rkhunter-users
I'm sure it could be added eventually, but Rkhunter doesn’t use a database of signatures for situations like this. Each search is hard coded into the main process with many months between releases. About the best that could be done would be to patch the developer version so that you could

Re: [Rkhunter-users] rkhunter --propupd changes not recognized

2019-09-10 Thread Al Varnell via Rkhunter-users
It should be, but for whatever reason the OP must have intended to disable it. But his issue was why propupd didn't prevent warning. -Al- On Tue, Sep 10, 2019 at 15:05 PM, Stockwell, Steven [US] (MS) wrote: > Shouldn't curl be 755 or 700? Not 600 (not executable). > > S^2 > > -Original

Re: [Rkhunter-users] Signatures updates

2019-11-21 Thread Al Varnell via Rkhunter-users
Take a look at the release dates in the Change Log to see how often signatures are updated: > -Al- macOS User > On Nov 21, 2019, at 07:47, rob

Re: [Rkhunter-users] Suspicious Shared Memory segments | warning per mail

2019-10-28 Thread Al Varnell via Rkhunter-users
On Mon, Oct 28, 2019 at 00:31 AM, Koblenz Thomas wrote: > Hello, > > I have a problem with a false-positive for Suspicious Shared Memory segments. > Since the last update of the Commvault Agent I always get warnings for > Suspicious Shared Memory segments. > > [08:18:25] Process:

Re: [Rkhunter-users] Signatures updates

2019-11-22 Thread Al Varnell via Rkhunter-users
On Nov 22, 2019, at 02:04, rob pearman wrote: > > I couldn't see anything useful in the changelog There is a date next to each new release. I was simply trying to give you a feel for how often signatures are updated in answer to your second question. The last was on 20/02/2018.

Re: [Rkhunter-users] Two things: (1) "support ticket" status; (2) should I worry about "Warning: User 'tcpdump' has been added to the passwd file"?

2020-10-05 Thread Al Varnell via Rkhunter-users
I might be able to address any Mac questions you still have. I have no experience with any other OS or with unhindered, so would only be guessing about such questions. Sent from my iPad -Al- > On Oct 5, 2020, at 15:05, vze1amckv--- via Rkhunter-users > wrote: > > Hello all, > > I

Re: [Rkhunter-users] Drovorub, a Russian malware suite that targets Linux

2020-08-28 Thread Al Varnell via Rkhunter-users
I think you might be better off with a mainstream anti-malware software product, rather than attempting to help update rkhunter to assist in a timely manner. I'll first point out that the current version was released over 2-½ years ago which is not all that unusual over its lifetime. The first

Re: [Rkhunter-users] Difference?

2020-10-02 Thread Al Varnell via Rkhunter-users
The first is a place to open tickets for issues found or features requested. The second allows user to subscribe to these emails which seek help with use, problems encountered and other discussion topics. Sent from my iPad -Al- > On Oct 2, 2020, at 17:43, John Dodson wrote: > > What is

Re: [Rkhunter-users] Changes to sshd config files.

2020-10-02 Thread Al Varnell via Rkhunter-users
Confirmed and not an unusual length of time between releases. Sent from my iPad -Al- macOS User On Oct 2, 2020, at 17:27, John Dodson wrote: > Also, it seems that the last rkhunter release was 2018-02-20 - can anyone > confirm that is the case?

Re: [Rkhunter-users] Changes to sshd config files.

2020-07-27 Thread Al Varnell via Rkhunter-users
Just a partial answer as I run on a different platform. v1.4.6 (2018-02-20) is the latest release version, although I see there's a 1.4.6a with some minor changes in the developer area. There would normally be a v1.4.7 version during the development process prior to a 1.4.8 release, but I