[Rkhunter-users] Broken link on FAQ page

2009-10-11 Thread Tanstaafl
Hello, I just wanted to report a broken link on the sourceforge FAQ page: https://sourceforge.net/docman/display_doc.php?docid=35179group_id=155034 3.1) Rootkit Hunter tells me there is something wrong with my system. What do I do? A. Prior to any incident it is recommended that you have

[Rkhunter-users] Question re: os_specific check

2009-10-11 Thread Tanstaafl
Hello, New to rkhunter, just installed 1.3.4 and had a question. On the first run I had some of the normal false positives and fixed them (whitelisted the 3 commands that are replaced by scripts on my system (normal), and whitelisted the hidden .udev directory), but I want to be sure about what

Re: [Rkhunter-users] Question re: os_specific check

2009-10-11 Thread Tanstaafl
On 10/11/2009 5:30 PM, John Horne wrote: I found a recommendation to disable the 'os_specific' check in DISABLED_TESTS in rkhunter.conf to fix this The config file provided by us makes no such recommendation. Sorry, I was not clear... the recommendation I found was while googling... Heh -

Re: [Rkhunter-users] Question re: os_specific check

2009-10-12 Thread Tanstaafl
On 10/11/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: At that time the Linux os_specific test did just the one test, so disabling 'os_specific' was valid at that time. Gotcha... thanks again... -- Come build

[Rkhunter-users] Which tests do you enable?

2009-12-02 Thread Tanstaafl
Hi everyone, I'm still a bit new to rkhunter. I've been running the apps test ever since I installed rkhunter, and the only time I got a hit was after updating the core tools, which makes sense, since those executables are updated, and a quick --propupd fixes it. I also recently had a hit on

Re: [Rkhunter-users] Which tests do you enable?

2009-12-03 Thread Tanstaafl
On 12/2/2009 2:11 PM, John Horne wrote: Now, I am only apparently running two tests: File properties, and rootkits. You need to check your config file to see what tests have been disabled. Well, like I said before, I'm new to rkhunter, so I basically just left it at the defaults. I'm using

Re: [Rkhunter-users] Which tests do you enable?

2009-12-03 Thread Tanstaafl
On 12/3/2009, Brian McKee (m...@map-heb.com) wrote: Look at the --cronjob option, which implies the --nocolors option. Ah... cool, thanks. :) -- Best regards, Charles Marcus I.T. Director Media Brokers International, Inc. 678.514.6200 x224 678.514.6299 fax

Re: [Rkhunter-users] Which tests do you enable?

2009-12-04 Thread Tanstaafl
On 12/3/2009 5:56 PM, John Horne wrote: DISABLE_TESTS=apps deleted_files hidden_procs loaded_modules packet_cap_apps suspscan These are the default supplied disabled tests (apart from apps). So, it means you are running the usual tests. snip I would say leave things as they are. You seem

Re: [Rkhunter-users] Added --nocolor option, same squares in summary output

2009-12-04 Thread Tanstaafl
On 12/4/2009 3:25 PM, Tanstaafl wrote: # Default options - more options may be added depending on the # configuration variables you set below # --cronjob implies -c, --nocolor, --sk RKHUNTER_OPTS=--nocolor --cronjob --summary Oh - I also tried it with --nocolors AFTER --cronjob RKHUNTER_OPTS

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread Tanstaafl
On 12/4/2009 7:09 PM, unsp...@hushmail.com wrote: Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server Netstat -tulnap shows a whole bunch of similar connections open, so I think this is normal? Question then is why

Re: [Rkhunter-users] Added --nocolor option, same squares in summary output

2009-12-05 Thread Tanstaafl
On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: You need to change the second line to 'rkhunter --update --nocolors'. BINGO. Thanks John, that did the trick. :) -- Best regards, Charles -- Join us

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread Tanstaafl
On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: Again - is there anything special about port 2006 that makes rkhunter single it out? Yes, it is known to be used by the CB and w00tkit rootkits. That's why RKH is warning you about it. Ah, ok, now that makes sense. Thinking about

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread Tanstaafl
On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: You can either whitelist the port itself (PORT_WHITELIST=TCP:2006), or whitelist a particular application to use known bad ports (PORT_WHITELIST=couriertls). Ok, after a really bizarre ritual called 'reading the comments', I
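The two whitelist forms John describes above (a PROTO:PORT entry versus a program name) suppress different things. The following is an added example, not rkhunter's own code: a small POSIX sh model of a known-bad-port check run over constructed netstat-style lines, so the difference is visible. The sample sockets, the program names other than couriertls, and the list of ports other than TCP:2006 are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: models the two ways the thread's
# port warning can be whitelisted, to show what each one actually suppresses.
# The known-bad list and the netstat-style sample below are constructed.

# Constructed sample in the shape of the 'netstat -tulnap' columns we need:
# proto, local address, PID/program.
SAMPLE_NETSTAT='tcp 0.0.0.0:2006 1234/couriertls
tcp 0.0.0.0:22 987/sshd
tcp 0.0.0.0:2006 4321/unknownd
udp 0.0.0.0:1337 555/evil'

# Ports this example treats as rootkit-associated (TCP:2006 as in the thread;
# the other two are assumptions for the example).
KNOWN_BAD_PORTS='TCP:2006 TCP:1337 UDP:1337'

# in_list NEEDLE "SPACE SEPARATED LIST" -> exit 0 if NEEDLE is an element.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ports "WHITELIST" -> prints one "WARN PROTO:PORT program" line per
# listening socket on a known-bad port that no whitelist entry covers.
# A whitelist entry is either PROTO:PORT (silences every user of that port)
# or a program basename (silences that program on any known-bad port).
check_ports() {
    whitelist="$1"
    printf '%s\n' "$SAMPLE_NETSTAT" | while read -r proto addr pidprog; do
        key="$(printf '%s' "$proto" | tr 'a-z' 'A-Z'):${addr##*:}"
        prog="${pidprog#*/}"
        in_list "$key" "$KNOWN_BAD_PORTS" || continue
        if in_list "$key" "$whitelist" || in_list "$prog" "$whitelist"; then
            continue
        fi
        printf 'WARN %s %s\n' "$key" "$prog"
    done
}

# Stand-alone demo: the port whitelist hides both users of port 2006,
# including the unknown one; the program whitelist keeps warning about it.
echo '--- PORT_WHITELIST=TCP:2006'
check_ports 'TCP:2006'
echo '--- PORT_WHITELIST=couriertls'
check_ports 'couriertls'
```

The point for an admin choosing between the two forms: whitelisting the port silences anything that later binds to it, while whitelisting the program keeps the port itself under watch, which is usually the safer choice when a legitimate daemon happens to sit on a port a rootkit is known to use.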

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-16 Thread Tanstaafl
Thanks for the response John... On 2010-05-15 4:41 PM, John Horne wrote: On Sat, 2010-05-15 at 11:55 -0400, Charles wrote: Ok, 1.3.4 has been running daily for months, with no warnings. I just updated to 1.3.6, and got a bunch of warnings... I'm hoping these are just a result of the upgrade,

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-17 Thread Tanstaafl
On 2010-05-17 5:19 PM, John Horne wrote: On Sun, 2010-05-16 at 15:11 -0400, Tanstaafl wrote: You can either whitelist the files or disable the 'immutable' test completely. I don't mind disabling the test completely if it isn't very useful (this is what I was told about the 'applications

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-17 Thread Tanstaafl
On 2010-05-17 5:23 PM, John Horne wrote: No. That just removes them from the file properties check. They will still be reported as infected. See Helmut Hullen's answer: I had solved the Xzibit warnings with RTKT_FILE_WHITELIST=/etc/init.d/boot.local In your case use:

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-18 Thread Tanstaafl
On 2010-05-17 6:25 PM, John Horne wrote: On Mon, 2010-05-17 at 17:36 -0400, Tanstaafl wrote: Ok - so, you're saying this (the 'immutable' test) is a *new* test that didn't exist in 1.3.4? Remember, 1.3.4 was running for many months without ever having one warning like this. No. The test has

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Tanstaafl
On 2010-05-18 3:58 PM, John Horne wrote: On Tue, 2010-05-18 at 08:52 -0400, Tanstaafl wrote: In my config file, for both 1.3.4 and now for 1.3.6, I had/have: ENABLE_TESTS=all DISABLE_TESTS=apps deleted_files hidden_procs loaded_modules packet_cap_apps suspscan So, with this config, should

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Tanstaafl
On 2010-05-19 6:44 AM, John Horne wrote: On Wed, 2010-05-19 at 06:25 -0400, Tanstaafl wrote: Double hmmm since ianap and am not comfortable trying to debug this myself, I guess I'm off to the gentoo forums to see if anyone there can answer this... All you have to do is run RKH

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Tanstaafl
On 2010-05-19 8:39 AM, Helmut Hullen wrote: I googled how to do that, but what I balked at was installing both versions side by side... It's quite simple! Wow... thanks Helmut! That looks simple enough that even I can do it... ;) Ooops - now I need the 1.3.4 version, and can't find it on the

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Tanstaafl
On 2010-05-19 8:58 AM, John Horne wrote: On Wed, 2010-05-19 at 08:51 -0400, Tanstaafl wrote: Could someone point me to an official download link for 1.3.4? I have a copy of 1.3.4 at home, will email it to you later today unless someone else replies with a copy. Cool, thanks John

Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Tanstaafl
On 2010-05-19 10:25 AM, Helmut Hullen wrote: The machine is offline from 20 o'clock to 5 o'clock UTC. You have more than 5 hours from now! Thanks Helmut, I got it... :) --

[Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread Tanstaafl
Hello, I have had rkhunter installed for a long time, been working well, system was reporting clean... I installed a lot of system updates (gentoo linux), then the next morning, got a report about 6 files whose properties had changed, and I realized I forgot to run --propupd command, so I did -

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-27 Thread Tanstaafl
Thanks for the help John... On 2011-06-27 10:57 AM, John Horne wrote: What version of rkhunter are you using? 1.3.8 Also can you show us the full log entry for one of the files with a warning - that is, showing which file properties have changed? [09:57:04] /usr/bin/logger

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-06-30 Thread Tanstaafl
On 2011-06-30 3:36 PM, John Horne wrote: You'll need to check your system - perhaps with something like 'locate' - to see if RKH has been installed more than once. Nope, there's only one rkhunter.dat: myhost : Thu Jun 30, 16:03:07 : ~ # locate rkhunter.dat /var/lib/rkhunter/db/rkhunter.dat

Re: [Rkhunter-users] rkhunter --propupd not working?

2011-07-01 Thread Tanstaafl
On 2011-07-01 9:57 AM, Tanstaafl wrote: Ok - but again, I ran --propupd, and got the email warning about the same 6 files, then went and grabbed the current .log and .log.old files... Ok, I'm really not stupid, I promise, just had tunnel vision I guess... I was running it from the cron

[Rkhunter-users] Warning about /usr/sbin/rkhunter file after gentoo updates...

2011-09-21 Thread Tanstaafl
Hi all, After a lot of updates on my gentoo system - one of which included a REBUILD of rkhunter - and *after* running --propupd, I'm getting the following Warning (this is the only one): [07:40:01] /usr/sbin/rkhunter [ Warning ] [07:40:01] Warning: The command

Re: [Rkhunter-users] Trojaned SSHD

2014-03-11 Thread Tanstaafl
On 3/11/2014 11:34 AM, Wally wnow...@gmail.com wrote: Warning: Checking for possible rootkit strings[ Warning ]Found string 'aion' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon $ strings sshd | grep aion Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford

[Rkhunter-users] Default .conf file minor comment typo

2014-10-02 Thread Tanstaafl
Hello, Almost not worth mentioning, but... Fyi, I just updated to 1.4.2 on one of my gentoo systems, and noted a typo in the comments... # The default value is '1024000'. # #SUSPSCAN_MAXSIZE=1024 There is one less zero in the comment for the default value than there should be... ;)

Re: [Rkhunter-users] Default .conf file minor comment typo

2014-10-02 Thread Tanstaafl
On 10/2/2014 7:14 AM, John Horne john.ho...@plymouth.ac.uk wrote: On Thu, 2014-10-02 at 06:35 -0400, Tanstaafl wrote: Hello, Almost not worth mentioning, but... Fyi, I just updated to 1.4.2 on one of my gentoo systems, and noted a typo in the comments... # The default value is '1024000

[Rkhunter-users] Recent Gentoo update, warnings on /bin/egrep and /bin/fgrep

2015-01-26 Thread Tanstaafl
Hello, Been on rkhunter 1.4.2 for a while, no changes made to its config file, runs nightly without any warnings... I recently did some Gentoo updates after almost 2 months of no updates (was out of town), and now, even after running --propupd, I continue to get these warnings: # grep Warning