est and then see if RKH finishes. If it does,
then you can test using just suspscan if you want (using the command
'rkhunter --enable suspscan').
John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
On Thu, 2011-06-30 at 15:29 -0400, Tanstaafl wrote:
> On 2011-06-28 3:40 PM, John Horne wrote:
> > Correct. So when you then run 'rkhunter --propupd' again it compares the
> > time value in the rkhunter database against that on the file itself. If
> > both are
On Thu, 2011-06-30 at 16:06 -0400, Tanstaafl wrote:
> On 2011-06-30 3:36 PM, John Horne wrote:
> > You'll need to check your system - perhaps with something like 'locate'
> > - to see if RKH has been installed more than once.
>
> Nope, there's only one r
On Fri, 2011-07-01 at 08:03 -0400, Tanstaafl wrote:
> On 2011-07-01 6:27 AM, John Horne wrote:
> > I'll need to see the output from '--debug' then or perhaps the (whole)
> > log file when you run 'rkhunter --propupd' and from when the system run
> >
On Fri, 2011-07-01 at 09:05 -0400, Tanstaafl wrote:
> On 2011-07-01 6:27 AM, John Horne wrote:
> > I'll need to see the output from '--debug' then or perhaps the (whole)
> > log file when you run 'rkhunter --propupd' and from when the system run
> >
l itself. E.g. 'touch
fred{1}abc' creates the file 'fred{1}abc'. But 'touch fred{1,2}abc'
creates 2 files - 'fred1abc' and 'fred2abc'. Not allowing braces in a
filename was a bug.
The correction for the 'file' command output problem was the
supposed to be,
then you don't need to whitelist them as such but can use the
SCRIPTWHITELIST option in your config file. Despite its name it doesn't
whitelist them, it simply allows them to be scripts. The commands will
still be subjected to all the usual checks.
John.
eans that I might be *very*
> wrong with all what I just said
>
What can I say?? Yup, you were wrong :-) However, don't feel bad about
it. I have to admit that it doesn't actually *say* what the option is
for in the config file. It is mentioned in the CHANGELOG file though.
I'll
t; RTKT_FILE_WHITELIST="/etc/rc.d/rc.sysinit:hdparm"
>
> But recently I was very wrong about something else - I would say to wait
> for John to answer on that.
>
What you have put there should work fine :-)
John.
safe. The file will
still be checked as part of the password and groups file checks to see
if users entries have changed or not.
John.
debug. Run: rkhunter --debug --enable rootkits
Then email me the output file created in /tmp.
John.
On Wed, 2011-07-20 at 08:30 +1000, Vincent McIntyre wrote:
> Hi
>
> running 1.3.6 on Linux.
>
Upgrade to 1.3.8. It will then tell you which entry was actually found.
John.
scan' test which
is not enabled by default because it is cpu intensive and may produce
false-positives. There is no mechanism (that I can think of) for
whitelisting entries from that test.
You could, of course, disable the test. Alternatively you could set the
maximum threshold score below 23
s relies on certain output from
certain commands, and if that output changes then the program can fail.
Needless to say we try and make the check generic enough such that not
all output changes cause a problem, but sometimes, as in this case, the
command output has changed enough to cause a proble
On Thu, 2011-07-21 at 00:47 +0300, Nerijus Baliunas wrote:
> On Wed, 20 Jul 2011 14:23:46 +0100 John Horne
> wrote:
>
> > It is unfortunate, but unavoidable really, that the current version of
> > RKH (1.3.8 or earlier) has hit a problem which will affect all Fedora 15
resent.
You may want to try running a later version of unhide. I currently have
version 20110113 from http://www.unhide-forensics.info
John.
re all the output into a file. Use the
'unhide' command rather than 'unhide-tcp' as 'unhide-tcp' does not look
for the program name associated with a found PID.
Of course you could also try running strace on one of the found PIDs.
Eg: strace -p 900
John.
t.d/.depend.boot"
or
RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
John.
a colon (:). The main config file (rkhunter.conf) has an
example:
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
So any files used by 'cardmgr' are whitelisted, but only '/etc/x11/abc'
used by 'gpm' is whitelisted.
In your case any f
.local file.
>
> My brain hurts...
>
Mine too, so I'm off to lunch :-)
First thing I guess is can you email me (not the list) the rkhunter.log
log file please.
John.
> Process: /usr/libexec/mysqld PID: 1278 File: /tmp/ibNuqKo8
>
Doh! I should have remembered. There is a bug with the current deleted
files test which uses the ALLOWPROCDELFILE option. I'll email you a
fixed version of 'rkhunter'.
John.
On Tue, 2011-08-02 at 00:46 +0100, Arthur Dent wrote:
> On Mon, 2011-08-01 at 20:53 +0100, John Horne wrote:
> > On Sat, 2011-07-30 at 14:12 +0100, Arthur Dent wrote:
> > > I know you are probably going to (gently) remind me that this is
> > > probably an issue for the
r remove the wildcarding so that you just
whitelist bash and gawk or specify the exact filenames. However,
depending on how often the /tmp files change that may not work too well.
John.
will be used: /var/lib/rkhunter/db
These should be set in the config file and not have to default. As such
it is seen as an error to allow it to default, but it is not used to
stop RKH from running.
John.
unning, but if
you only run RKH after *you* have installed something then you may not
be aware of the changes for some time. If the change is that someone has
hacked into your PC, then your PC will have been compromised for
potentially a long time. (Before you ask, I run RKH once an hour.)
John.
On Wed, 2011-09-14 at 20:11 -0700, Kingsley G. Morse Jr. wrote:
> Hello unspawn,
>
> Thank you for sharing your thoughts on why RKH
> might report files were moved to new inodes.
>
Possibly prelinking moved them?
John.
7;s inode.
>
See: http://en.wikipedia.org/wiki/Prelink
As far as I remember prelinking is forced every couple of weeks on
RedHat systems (no idea about other systems). As such the inodes will
change every so often.
John.
something like glocate (just 'locate' or mlocate,
slocate on other systems). It sounds like your cron system is picking up
one version of RKH, whereas when run interactively you are getting a
different one (or the same version but different data files).
John
On Tue, 2011-09-20 at 12:47 +0200, Daniel Polombo wrote:
> Le 20 sept. 2011 à 12:03, John Horne a écrit :
> > On Mon, 2011-09-19 at 16:46 +0200, dan...@polombo.fr wrote:
> >> Greetings,
> >>
> >> I've been testing Rootkit Hunter 1.3.8 on a handful of S
xist).
However, the default directory list includes /usr/bin. As such the files
should always be seen, unless you have modified BINDIR in the config
file, or used the '--bindir' option on the command line.
> Warning: The kernel modules directory '/lib/modules' is missi
file size has changed
> The file modification time has changed
>
> so, what do I need?
>
How did you update it?
John.
though I would prefer to be able to skip some to reduce
> scanning time)?
>
There is no specific test for SUID files. However, you could enable the
'suspscan' test and set the suspscan_dir (I think) to /var. The test can
be CPU-intensive and give false positives, but it may do wh
er is found from it, and to see
where it thinks the config file is located. Again, check that this is
the correct config file.
John.
what PATH
to use. I suggest you comment this out again.
John.
rkhunter.conf file (for ALLOW_SSH_ROOT_USER):
However, if a value has not been set in the SSH configuration
file, then a value here of 'unset' can be used to avoid warning
messages.
John.
that
(and vice-versa). However, neither cater for a symbolic link to a
directory.
I have put a fix into the CVS code so that ALLOWHIDDENFILE should work
correctly.
I will email you (off list) a fixed 'rkhunter' program with this fix,
which you should be able to just use as a drop-in rep
s.
John.
; # rpm -qf /bin/basename
> coreutils-8.4-9.el6.i686
>
> I'd suggest yum reinstall coreutils.
>
You may also want to install the EPEL repository and then run 'yum
update' so you get the 1.3.8 version of rkhunter.
http://fedoraproject.org/wiki/EPEL
John.
e the inode number.
(However I would have thought running 'rkhunter --propupd' as part of
the post-installation during installation would have been best.)
You could try running 'rkhunter --propupd' to ensure the file properties
file is up to date.
John.
hen run: rkhunter --debug --enable hidden_ports
and email me the debug file created in the /tmp directory. Hopefully it
will show the problem too.
Thanks,
John.
he warnings for this are annoying.
>
It is a bug. The 'ports' test uses the PORT_WHITELIST config option, but
the 'hidden_ports' test does not. Oops! I'll see about fixing it.
Jo
ter performs is to compare various current
file properties of various commands, against those it has previously
stored. This command option causes rkhunter to update its data file
of stored values with the current values.
John.
On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> On 01/03/2012 01:35 PM, John Horne wrote:
> > On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> >> Don't see this in the FAQ, or in the last year or so's worth of archived
> >> messages, so...
> >
On Tue, 2012-01-03 at 16:54 -0500, Tim Evans wrote:
> On 01/03/2012 02:55 PM, John Horne wrote:
> > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> >> On 01/03/2012 01:35 PM, John Horne wrote:
> >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> >
what 'policy' I want, and then set
the config file options. I don't use the command-line options that much.
That way rkhunter should be consistent whether I run it via cron or from
the command-line.
John.
no line terminators
> /dev/shm/php_session/f/1/sess_f13ce52a2c77e5d2603a4ec701034b96:
> ASCII text, with no line terminators
>
>
Are you running the 'suspscan' test? If so, you cannot whitelist the
entrie
s there way to generally tell rkhunter not to obsess over
> unresolvable symbolic links or do I need to completely whitelist the
> file (which seems overkill)?
>
I'll take a look and see what's going on.
John.
On Thu, 2012-01-26 at 10:50 +, John Horne wrote:
> On Wed, 2012-01-25 at 15:53 -0800, Brian C. Hill wrote:
> > Hello,
> >
> > I use /usr/local as a big symbolic link tree, many of the links which
> > may not actually point anywhere depending upon the host.
> &g
warnings for this are annoying.
>
FYI - this has now been fixed in the CVS version of RKH.
John.
p prelink /var/log/rkhunter.log', and
if there are only a few files mentioned then just manually prelink them:
prelink /bin/bash /bin/cash /bin/more...
then run 'rkhunter --propupd'. If there has been an update to
'glibc' (typically) then you may find loads of files reporting
336
Pathname: /usr/bin/crontab
Possible Rootkit: Unknown rootkit
John.
iles (RTKT_FILE_WHITELIST), so doing that
should work. It is not, obviously, recommended though.
John.
On Wed, 2012-04-04 at 17:34 +0200, unsp...@hushmail.com wrote:
> On Sun, 01 Apr 2012 02:15:49 +0200 John Horne
> wrote:
> >On Sat, 2012-03-31 at 17:08 -0600, Kevin Fenzi wrote:
> >> It would be nice if it could see if /lib is a link and bypass
> >> this test? Or i
at will change the checksum. Even if you use a package manager, the
checksum may be different if not all servers are updated at the same
time.
John.
currently
> there isn't).
>
Using 'RTKT_DIR_WHITELIST=/lib/java' will work (just tested it).
(Although I think we should be able to provide a better solution.)
John.
uld have been whitelisted but weren't
because they weren't present when RKH started. (Follow that? :-) )
I had the same problem many times at work. This has been fixed for the
next release.
John.
be in the rkhunter log file. By default the
previous log file will also be kept. So, assuming default paths are
used, you could look in /var/log/rkhunter.log
or /var/log/rkhunter.log.old if you want to see the reported change.
John.
On Tue, 2012-04-17 at 07:14 -0600, Kevin Fenzi wrote:
> On Mon, 09 Apr 2012 19:49:07 +0100
> John Horne wrote:
>
> > On Sat, 2012-03-31 at 17:08 -0600, Kevin Fenzi wrote:
> > > Greetings.
> > >
> > > With Fedora 17, Fedora is moving many top level
ipt to do this, but you could use the
MAIL-ON-WARNING configuration option to email the admin if there are any
warnings.
John.
no avail.
>
> Can anyone please tell me how to suppress these warnings?
>
Something like:
ALLOWDEVFILE=/dev/.udev/db/block*
ALLOWDEVFILE=/dev/.udev/db/class*
ALLOWDEVFILE=/dev/.udev/uevent_seqnum
John.
ched its copy.
>
I don't run Ubuntu myself, but I would have said that perhaps asking on
an Ubuntu list as to whether the file is valid or not would have been
better.
John.
On Sat, 2012-05-12 at 18:48 +0200, Tomas Ligursky wrote:
> 2012/5/9 John Horne:
> > On Tue, 2012-05-08 at 15:37 +0200, Tomas Ligursky wrote:
> > > Hello,
> > >
> > > I am new to rkhunter and would like to ask for a help. I use Kubuntu
> > > 11.10 an
ail...
Was this problem resolved? You should be able to use
RTKT_FILE_WHITELIST=/bin/ad in the config file to whitelist the file.
John.
"/dev/.udev/db/platform:Fixed MDIO bus.0"
>
Replace the spaces with the '%' character.
John.
g that into "x2f" and
> so the match wasn't made. I changed the line to
>
> FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's///g' | sed -e
> 's/\./\\\./g'`
>
Hi,
Thanks for this. I have add
On Fri, 2012-08-10 at 14:05 +, Tony Schreiner wrote:
> On Aug 9, 2012, at 2:57 PM, John Horne wrote:
>
> > On Fri, 2012-06-15 at 09:30 -0400, Tony Schreiner wrote:
> >>
> >> I've tried adding quotes around the path, and also adding the lines
> >>
On Tue, 2012-08-14 at 12:05 -0600, Kevin Fenzi wrote:
> On Thu, 09 Aug 2012 19:48:04 +0100
> John Horne wrote:
>
> >
> > Catching up with old mail...
> > Was this problem resolved? You should be able to use
> > RTKT_FILE_WHITELIST=/bin/ad in the config file
led inetd service: /usr/sbin/tcpd
> Warning: Found enabled inetd service: /usr/sbin/tcpd
>
Look at the INETD_ALLOWED_SVC option.
John.
l the files, and this is visible when you
> look at the .dat file.
>
When you run 'rkhunter --propupd' does it report that there are hashes
missing? For example, something like:
File updated: searched for 166 files, found 144, missing hashes 1
John.
On Tue, 2012-11-20 at 13:27 +, Bendtsen, Jon wrote:
> On 2011-11-11 12.22, John Horne wrote:
>
> > It is proposed that at the next release of rkhunter the '-r'
> > command-line option and the ROOTDIR config file option will be
> > deprecated.
> >
>
ld obviously not work. Expand that to other systems and other
tests, so the problem becomes large.
John.
t requires time which I no longer have.
I don't think I ever said I would 'rather give up', just that things
have changed so the coding will not be done in the short term (unless
anyone else wants to pick it up).
John.
7; to get the userid and compares that to '0' or 'root'. If
neither is true, then the program stops saying that you must be root to
run RKH.
John.
ault.
The other is the 'filesystem' test. You can either disable the entire
test (see DISABLE_TESTS in the config file), or run the test only on
files actually in '/dev' (not the sub-directories). To do this set
SCAN_MODE_DEV=LAZY in the config file.
John.
never a package is updated.
The RPM package manager can check quite a few things, whereas the other
supported package managers generally only check the checksum of files.
RPM can check not only the checksums, but also file permissions, file
ownership, inode number, file size, modification time and so o
On Mon, 2013-01-14 at 21:01 +, John Horne wrote:
>
> 3) Do NOT uncomment the SCRIPTDIR setting, unless you are going to
> change it. The setting will be automatically determined by the
> installer, and the correct setting will be placed at the end of the
> configuratio
;
> debug output is
>
> RKHLSOF_FILE=/var/lib/rkhunter/tmp/lsofprocs.out.XiRMO9S1no
> + /usr/bin/lsof -wnlP +c 0
> + egrep -vO|V?DIR|IPv[46])
> sort
> + uniq
>
> anyone an idea why it stops here?
>
Hello,
Try running the commands separately from a console to see
> On 02/13/2013 07:12 PM, John Horne wrote:
> > On Wed, 2013-02-13 at 16:41 +0100, W Forum W wrote:
> > > hi,
> > >
> > > after a bit od debugging the script stops here
> > >
> > > ${LSOF_CMD} -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V
) so I can't whitelist the file.
>
Hello,
Try adding 'EXISTWHITELIST=.vnc/hydra' to your config file.
John.
eleted files:
> Process: httpd PID: 18361 File:
> /usr/local/apache/logs/ssl_mutex
>
> How it's possible? What's wrong on my conf?
>
A couple of things to try:
ALLOWPROCDELFILE="/usr/local/apache/bin/apachectl"
or
ALLOWPROCDELFILE="
out this.
>
> Is there any other way I can tell rkhunter to not warn me, a
> --no-I'm-really-serious-don't-warn-me flag after propupd maybe?
>
There is no way at the moment I'm afraid.
John.
ould create a file in the /tmp directory. Could you email that to
me please (not to the mailing list).
Thanks,
John.
On Wed, 2013-04-03 at 00:16 +0300, Nerijus Baliunas wrote:
> On Tue, 02 Apr 2013 20:25:24 +0100 John Horne
> wrote:
>
> > > Is there any other way I can tell rkhunter to not warn me, a
> > > --no-I'm-really-serious-don't-warn-me flag after propupd maybe?
> > &g
On Wed, 2013-04-03 at 11:32 +0100, Nick Warr wrote:
> So, I just wanted a confirmation, if there are changes to the passwd
> or groups, I will get a single warning. If I there are "other" changes
> these will be continuously reported every time rkhunter runs?
>
Yes.
st is disabled. Or look in the rkhunter log file,
it will say if it is running the suspscan test or not.
John.
one - I tend to use something like 'date >/dev/dummyfile'. The
'filesystem' test will then report the file as being suspicious.
John.
t my strong
> point.
>
This is just shell script.
The cron job captures any output from RKH and then emails that using
msmtp. So I would leave the RKH setting MAIL_CMD as "", and let the cron
job handle the email.
I don't know about 'msmtp', but I as
;t an RKH problem but an msmtp one.
Why use msmtp instead of the basic 'mail' command?
John.
ng the 'From:' header.
I assume you can, likewise, put the 'from' command in your /etc/mail.rc
if necessary.
John.
t;
> less .msmtp.log | grep rkhunter showed only posts to the list.
>
Okay, so what happens when you force RKH to produce an error. Does
anything get emailed?
John.
On Fri, 2013-05-03 at 10:29 -0700, Robert Holtzman wrote:
> On Fri, May 03, 2013 at 10:01:04AM +0100, John Horne wrote:
> > On Fri, 2013-05-03 at 00:29 -0700, Robert Holtzman wrote:
> > >
> > > > I don't know about 'msmtp', but I assume some log file i
7; but that currently doesn't work.
I'll need to think about it.
John.
On Mon, 2013-05-06 at 16:52 -0700, Erik Peterson wrote:
> ./rkhunter: line 15744: syntax error near unexpected token `('
>
What version of rkhunter are you running?
John.
se.
For 'egrep', I have the path '/bin/egrep'. Can you check that, as root,
the path is the same please. It should also just be a soft link to the
'grep' command.
John.
; indicates that you are running CentOS 5 not 4.
Can you run 'rkhunter --check --debug' and send me the file created in
'/tmp'.
Thanks,
John.
space in the name. So parsing over that
(which RKH currently does) causes a problem. We need to change this to
use 'for' instead, and then process each line of output.
Secondly is that this is all really part of the much larger problem of
allowing all options and the tests to handle pathnames
(this is your choice though) or
setting BINDIR explicitly in your rkhunter config file so that it
doesn't include the '.' path.
John.
'/home/angus...perl' above was found as the perl
command, then rkhunter will have to have detected that path (or had it
set in BINDIR).
John.
It's not crucial, but it
> is an annoyance, I'd like to have it so that I don't get false positives.
>
So the 'diff' is performed on the output displayed on the screen by RKH
rather than the log file?
John.