Daniel González Gasull wrote:
[about hidden directories]
> I think they are legit, but I'm not a security expert and I don't know
> the purpose of every single file and directory in my system. How do
> you decide if a file or directory is legit?
You consult your system documentation, or call yo
Nuno Dias wrote:
> Yes I know, but I was searching for something like
> ALLOWPROCDELFILE=/usr/bin/gnome-keyring-daemon.* but don't work :(
You are asking a lot of the tool. You are asking it to
do regular expression matching on its own. It can't rely
on the globbing provided by the shell.
Mike
Sportsman wrote:
> First let me start off by saying I'm a complete newbie to the dedicated
> server field, ssh and security. I have paid configserver to install a
> security package and root kit hunter was part of it. I'm afraid I don't
> know what command to use to find my log files or even my c
Al G wrote:
> I just joined your list, and I've got some problems with my computer.
Ok, there are some people here who would like to help. However,
what you describe is pretty vague. When you say "problems",
what do you mean? In other words, you do X, and you expect Y
to happen, but instead you se
Al G wrote:
> I just joined your list, and I've got some problems with my computer.
BTW, it's a good idea to use more than one hunter. Another good
one is chkrootkit. Frisk also provides fprot which is rather
resource intensive on Linux, but which seems to do a fairly good
job. I also run tripwire
Mark Misulich wrote:
> Hi,
> I used rkhunter a couple of days ago by running in terminal as root
> "rkhunter -c --sk" and came up with multiple file warnings, including
> that there was a key logger installed. I had no indications of a
Where is the key logger warning? I looked at your report, and
Mark Misulich wrote:
> Hi,
> Actually, the system looks pretty clean to me. The four files
> /usr/bin/groups, /usr/bin/ldd, /sbin/chkconfig, and /sbin/ifup
> are very slightly concerning. As I mentioned, they may simply
> be scripts on your system, and informing rkhunter about your
> package manage
Mark Misulich wrote:
> On Thu, 2008-12-04 at 11:49 +, John Horne wrote
>> You need to look in the log file to see why the warnings occur.
>
> Here is all the log file says about this:
I suggest you also get a copy of chkrootkit and run it.
You don't need to post the results here, except if it
Mark Misulich wrote:
> On Thu, 2008-12-04 at 11:49 +, John Horne wrote
>> You need to look in the log file to see why the warnings occur.
>
> Here is all the log file says about this:
>
> Warning: Suspicious file types found
> in /dev:
Boyd Lynn Gerber wrote:
> On Thu, 4 Dec 2008, Mark Misulich wrote:
>> to all who replied to my posts a couple of days ago on a different
>> thread, thanks for your replies. I have been traveling for the last
>> couple of days and didn't have opportunity to continue the discussion.
>
> I am runnin
Boyd Lynn Gerber wrote:
Did you intend to reply only to me? I got this off list.
> On Fri, 5 Dec 2008, Mike McCarty wrote:
>> Boyd Lynn Gerber wrote:
>>>
>>> I am running openSUSE 11.0 with the same version of rkhunter.
>>>
>>>> I am using rk
Thanks for the new version. After a few little tweaks (like tracking
down the move of the .conf file) and a propupd seems wonderful.
Except...
I had all tests enabled, and now it seemingly hangs. The display
gets to this point:
Performing additional rootkit checks
Suckit Rookit additiona
John Horne wrote:
> On Mon, 2009-01-12 at 12:21 -0600, Mike McCarty wrote:
>> Thanks for the new version. After a few little tweaks (like tracking
>> down the move of the .conf file) and a propupd seems wonderful.
>>
>> Except...
>>
>> I had all tests e
[name withheld] wrote:
[...]
> The machine that got rooted has since been given to my mom with XP
> (spit) installed (talk about the ultimate rootkit).
May I respectfully request that the participants here refrain
from making off topic personally opinionated comments? I read
this echo in order to
Brian McKee wrote:
> Hi All
>
> I have rkhunter running on a bunch of Ubuntu 8.04 machines.
>
> On all of them but one, when system updates are done via the package
> manager, rkhunter's info gets updated too - e.g. when cron was recently
> updated, rkhunter never issued a warning because the n
Dick Gevers wrote:
> On Tue, 16 Jun 2009 10:59:17 -0400, Brian McKee wrote about
> [Rkhunter-users] aptitude updates file properties automatically on one
> system but not another:
>
>> I have rkhunter running on a bunch of Ubuntu 8.04 machines.
>>
>> On all of them but one, when system updates are
Dick Gevers wrote:
> On Tue, 16 Jun 2009 13:46:53 -0500, Mike McCarty wrote about Re:
> [Rkhunter-users] aptitude updates file properties automatically on one
> system but not another:
[...]
>> I use RPM, so I can't say what happens about Ubuntu, which I believe
>> us
Tom Twaro wrote:
> Thank you for the response, Mike. Yes, you are correct that I am running
> this on CentOS. This is what I get when I run with the --pkgmgr RPM
> parameter added:
>
> Warning: Checking for prerequisites [ Warning ]
> All file hash checks will be skipped b
Brenton Taylor wrote:
> Hello,
> Every time I run rkhunter I get a message that says something like:
>
> [1]+ Stopped /usr/local/bin/rkhunter
>
> and when I run rkhunter --check it gets up to [Press to
> continue] and I press the Enter key and it doesn't complete
Jarek wrote:
> Hi all!
>
> I've found undetected rootkit. It looks like some modification of
> SHV4/SHV5.
> (Checked with Rootkit Hunter 1.2.9).
>
> Unfortunately I've removed some part of its files, but some remains
> (attached).
> Rootkit was installed in /etc/inittab as a call to:
>
> /
Brent Clark wrote:
> Hiya
>
> Would anyone be so kind as to tell me how I can whitelist /usr/bin/lsof.
What does rkhunter complain about?
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from
Sportsman wrote:
> Hello all, just thought I'd let the users know that I was able to resolve
> the PermitRootLogin issues that I was experiencing with some valuable
> guidance from John and Unspawn. It seems that I have two rkhunter.conf
> files on my server. One is under /usr/local/etc/rkhunter.
david _el_rey wrote:
> From: david_el_...@hotmail.com
> To: david_el_...@hotmail.com; rkhunter-users@lists.sourceforge.net
> Subject: español spanish
> Date: Sat, 7 Nov 2009 18:53:58 +0100
>
> hello, my e-mail is david_el_...@hotmail.com, I think my
> computer is infected, I use li
Dick Gevers wrote:
[...]
> My STARTUP_PATHS includes /etc/rc.d in which the file rc.sysinit contains
> the word 'hdparm', which causes a warning by rkh:
>
> Found string 'hdparm' in file '//etc/rc.d/rc.sysinit'. Possible rootkit:
> Xzibit Rootkit
>
> But rpm finds the file to be in order.
>
>
John Horne wrote:
> On Mon, 2009-11-30 at 12:33 -0600, Mike McCarty wrote:
[...]
>> Perhaps the tool could be made smart enough to notice that the
>> string occurs in a comment.
>>
> Those last two occurrences aren't comments though, so the test is valid.
I missed tha
Tanstaafl wrote:
[...]
> So, I'm wondering... what checks do others run? Which are the most
> reliable/effective, but minimize false positives?
Well, Mr. "No Free Lunch", that's sort of a personal decision.
The thing is to understand exactly what the test you run is
checking for. As with any tes
When I went to the sourceforge page to download 1.3.6, it caused
Mozilla to abort, closing the window it was running in. Tried
again with same results. And again. The page mostly loads, so I
can see what is selectable, but before it finishes, it causes
the program to blow up.
I wonder what's up?
unsp...@hushmail.com wrote:
> On Fri, 04 Dec 2009 00:55:58 +0100 Mike McCarty
> wrote:
>> When I went to the sourceforge page to download 1.3.6, it caused
>> Mozilla to abort, closing the window it was running in. Tried
>> again with same results. And again. The page m
Thanks for a wonderful tool!
I find that I'm getting some false positives with Fedora Core
from 1.3.6. These are new ones. I've already been ignoring
some other false positives for some time. Now, I've got no
problem ignoring false positives, I'm reporting this just
for informative purposes. I als
Brian McKee wrote:
> On 4-Dec-09, at 12:59 PM, Tanstaafl wrote:
>
>> Ok, I tried adding the --nocolor option to the options set in the cron
>> job and reran it, but still got the same output:
>
>
> It's actually --nocolors plural - hope I didn't muck you up there...
You're right! I used the old
unsp...@hushmail.com wrote:
> On Fri, 04 Dec 2009 19:30:29 +0100 Mike McCarty
> wrote:
>> [11:55:06] Info: Starting test name 'possible_rkt_files'
>> (..)
>> [11:55:17] Found directory '/dev/ida'. Possible rootkit:
> Possible rootkit
Mark Misulich wrote:
> Hi,
> I recently installed rkhunter-1.3.6 on my laptop computer on two
> linux operating systems. On this laptop I have opensuse 11.1 and
> Elive development version 1.9.51 installed, along with Win7. I just
> purchased the laptop so both linux installations are fresh install
Roberto wrote:
> Hello,
>
> We have received this warning, in all of our servers, since upgrade to
> rkhunter 1.3.6
>
> [04:14:08] Warning: Checking for prerequisites [ Warning ]
> [04:14:08] No output from the 'lsattr' command - all file
> immutable-bit
> checks will be
Roberto wrote:
> I have lsattr command installed from the package "e2fsprogs" version
> 1.39-23.el5
>
> in the last version of rkhunter 1.3.4 that I have used this warning did not
> appear and
> I never removed the lsattr command.
That's odd. What does
$ which lsattr
show? Is it in your path?
gumper wrote:
> When running rkhunter I'm getting the following message:
>
> "Warning: The command '/usr/bin/rkhunter' has been replaced and is not a
> script: /usr/bin/rkhunter: a /bin/sh script text executable"
>
> Does this mean that my system has been compromised? I'm running Arch Linux
> and
Sean Carolan wrote:
> I've read the FAQ and searched quite a bit through the mailing list
> and Google archives, but not found anything related to my problem.
>
> On some of our older Red Hat 2.1AS hosts, the 'properties' check seems
> to fail due to not finding an inode value:
>
> [10:52:59] Inf
Helmut Hullen wrote:
> Hello, Mike,
>
> On 25.05.10 you wrote on the subject Re: [Rkhunter-users] rkhunter/cron Red Hat
> Fedora Core 6 - ooops:
>
I tried to install rkhunter on my Redhat Fedora Core 6 virtual
server (GoDaddy). But what I get for email notification is:
>
>>> That's a ver
Duane Loftus wrote:
> OK, time for dumb questions.
>
> 1. John Horne says: It hasn't installed properly, try re-installing.
> The INSTALLDIR option must exist for RKH to run.
>
> Is there any guidance on re-installing? Obviously, whatever I did to
> initially "install" wasn't very successful.
John Horne wrote:
> On Tue, 2010-05-25 at 09:34 -0700, Duane Loftus wrote:
[...]
>> 3. How do I reply and keep this in the thread. Helmut Hullen points
>> out that I was not, "Please keep the traffic in the mailing list - thank
>> you."
>>
> This is one of those problems that crops up on mailin
Duane Loftus wrote:
>
> YEA! Ta Da ! WooHoo!
>
> The re-install worked! I have done --propupd and --update and run the
> first scan after making some mods in the rkhunter.conf file.
Congratulations!
> {Thank you all so very much.}
>
> I am pretty sure I have a trojan or resident spoofer i
George wrote:
> On 26/05/2010 5:34 AM, Mike McCarty wrote:
[...]
>> Reply to all sometimes works, and sometimes not. With this list, it
>> seems to work (with Thunderbird, anyway). Just delete the originator,
>> and change the "CC:" to a "To:".
>>
Duane Loftus wrote:
>
> Here are some hidden files (those with the preceding dots - I think)
> that rkhunter "warned" about. I tried to unzip them but that didn't
Did you use "unzip" or did you use "gunzip". They aren't
the same.
> work. How can I determine if they should
> be there or not?
>
Duane Loftus wrote:
> On Wed, 2010-05-26 at 15:03 -0500, Mike McCarty wrote:
>> Duane Loftus wrote:
>>> Here are some hidden files (those with the preceding dots - I think)
>>> that rkhunter "warned" about. I tried to unzip them but that didn't
>> D
Helmut Hullen wrote:
> Hello, Duane,
>
> On 26.05.10 you wrote:
>
>> -rw-r--r-- 1 root root 40 May 30 2007 ..1.gz
>> -rw-r--r-- 1 root root 40 May 30 2007 :.1.gz
>> -rw-r--r-- 1 root root 3806 May 30 2007 GET.1.gz
>> -rw-r--r-- 1 root root 3805 May 30 2007 HEAD.1.gz
>> lrwxr
Nerijus Baliunas wrote:
> Hello,
>
> Fedora 13 has openssh 5.4p1, which requires to explicitly enable ssh protocol
> 1:
>
> # The default requires explicit activation of protocol 1
> #Protocol 2
>
> But rkhunter displays a warning:
>
> Warning: The SSH configuration option 'Protocol' has not b
Nerijus Baliunas wrote:
> On Thu, 27 May 2010 07:17:39 -0500 Mike McCarty
> wrote:
>
>> I think it's asking a bit much to want a tool like rkhunter
>> to "know" what every host it may be run on has as its defaults
>> for everything. If you want the wa
Nerijus Baliunas wrote:
> On Thu, 27 May 2010 08:36:03 -0500 Mike McCarty
> wrote:
>
>> It would make sense that the rkhunter from the RPM supplied
>> by Red Hat might know about that default, but I'm not sure
>> that what you suggest is the best way. Doesn
Duane Loftus wrote:
> On Thu, 2010-05-27 at 15:33 +0100, John Horne wrote:
>> On Thu, 2010-05-27 at 07:06 -0700, Duane Loftus wrote:
>>> I went into rkhunter.conf and commented out the line:
>>>
>>> #BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin
>>> /usr/libexec /usr
>>> /lo
Duane Loftus wrote:
[...]
> [12:33:13] Checking /dev for suspicious file types [ Warning ]
> [12:33:13] Warning: Suspicious file types found in /dev:
> [12:33:13] /dev/shm/suspscan.32223.strings: ASCII English text
> [12:33:13] /dev/shm/suspscan.28538.strings: ASCII te
Subject: Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora
Date: Tue, 01 Jun 2010 17:12:15 -0500
From: Mike McCarty
To: Duane
References:
<1274986056.1629.58.ca...@loftus49-desktop><0d1dfa82511d482d9deaa778837a0...@owner4bd5767af>
<1275043656.29444.5.ca...@jhorne.csd
Robert Fields wrote:
> Does anyone know what would cause rkhunter to actually execute the commands
> for all the system binaries and scripts it checks?
>
> I had never seen this behavior before but a coworker showed it to me in the
> rkhunter.log file on a machine she admins.
>
> For example:
>
John Horne wrote:
> On Wed, 2010-07-14 at 21:05 -0500, Mike McCarty wrote:
>> Robert Fields wrote:
>>> Does anyone know what would cause rkhunter to actually execute the
>>> commands for all the system binaries and scripts it checks?
>>>
>>> I had n