Package: rkhunter
Version: 1.4.0-3
Severity: normal
Tags: patch, upstream

Dear Maintainer,

When rkhunter uses the C unhide program (e.g. with option DISABLE_UNHIDE=0), the daily
cron job generates a spurious warning about found hidden processes:

"""
Warning: Hidden processes found:
         Copyright © 2012 Yago Jesus & Patrick Gouin
         License GPLv3+ : GNU GPL version 3 or later
         NOTE : This version of unhide is for systems using Linux >= 2.6
         Used options:
"""

This happens due to changes in unhide's output format/data in the new version of
the program (20121229).


I'm attaching my patch (using reportbug's "--attach" option), which leaves the
parsing of the old format for versions lower than 20121229 and introduces changes
for versions >= 20121229.

Changes seem to work on my system (at least when there are no hidden processes
actually found).


-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')

Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages rkhunter recommends:
ii  unhide                                     20121229-1

-- Configuration Files:
/etc/default/rkhunter changed [not included]
/etc/rkhunter.conf changed [not included]

-- debsums errors found:
debsums: changed file /usr/bin/rkhunter (from rkhunter package)


-- 
Regards,
Jacek Politowski
--- rkhunter.orig	2013-02-17 09:36:30.000000000 +0100
+++ rkhunter	2013-04-06 10:35:20.021957973 +0200
@@ -12435,7 +12435,11 @@
 					fi
 
 					SEEN=1
-					FOUND_PROCS=`${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR} 2>&1 | egrep -v '^(Unhide |yjesus@|http:|\[\*\]|$)'`
+					if [ $UNHIDE_VERS -lt 20121229 ]; then
+						FOUND_PROCS=`${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR} 2>&1 | egrep -v '^(Unhide |yjesus@|http:|\[\*\]|$)'`
+					else
+						FOUND_PROCS=`${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR} 2>&1 | egrep -v '^(Unhide [0-9]{8}$|Copyright . [0-9]{4} Yago Jesus & Patrick Gouin$|License GPLv3\+ : GNU GPL version 3 or later$|http:\/\/www\.unhide-forensics\.info$|NOTE : This version of unhide is for systems using Linux >= 2\.6.*$|Used options:.*$|\[\*\]|$)'`
+					fi
 
 					if [ -z "${FOUND_PROCS}" ]; then
 						# Nothing found.
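Review bot: `$UNHIDE_VERS` in the new `if [ $UNHIDE_VERS -lt 20121229 ]` line is unquoted and has no default, so if version detection ever yields an empty string the test fails with a shell error and control falls into the else branch by accident rather than by choice; `if [ "${UNHIDE_VERS:-0}" -lt 20121229 ]` keeps the comparison well-formed and the braces match the style of the other variables on the line. Two further points on the new regex: `Copyright . [0-9]{4}` assumes the © sign matches a single `.`, which holds in a UTF-8 locale but not in the C locale that cron jobs commonly run under, where it is two bytes and the banner line leaks through; `Copyright .* [0-9]{4}` works in both. And the filter remains a denylist of known banner lines, so the next change to unhide's banner will reproduce this report; only a positive match on the lines that actually denote a finding would be robust, if their format is stable.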

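Added example (not part of this bug report or of rkhunter's or unhide's code): a stand-alone POSIX sh function that reproduces the version-gated banner filter of the attached patch, run against constructed unhide output in both banner formats so the regexes can be checked outside a cron run. Assumptions: the sample banner lines and the `Found HIDDEN PID:` finding line are constructed, not captured from a real unhide run, and the new-format regex deliberately uses `Copyright .*` instead of the patch's `Copyright .` so it matches the © sign whether the locale treats it as one character or as two bytes.

```shell
#!/bin/sh
# Added example, not from the bug report or rkhunter. Reproduces the
# version gate of the attached patch as a filter on stdin.
# $1: unhide version as YYYYMMDD (what rkhunter keeps in UNHIDE_VERS).
# Output: every input line that is not part of the known banner, i.e.
# exactly what rkhunter would put into FOUND_PROCS and report.
filter_unhide_output() {
    vers="${1:-0}"   # an empty version must not break the numeric test
    if [ "$vers" -lt 20121229 ]; then
        # banner filter used by rkhunter before the 20121229 unhide release
        grep -E -v '^(Unhide |yjesus@|http:|\[\*\]|$)' || :
    else
        # banner filter for 20121229 and later; "Copyright .*" instead of
        # "Copyright ." so the (c) sign matches under any locale
        grep -E -v '^(Unhide [0-9]{8}$|Copyright .* [0-9]{4} Yago Jesus & Patrick Gouin$|License GPLv3\+ : GNU GPL version 3 or later$|http://www\.unhide-forensics\.info$|NOTE : This version of unhide is for systems using Linux >= 2\.6.*$|Used options:.*$|\[\*\]|$)' || :
    fi
    # grep -v exits 1 when it filters every line; that is the clean case here
}

# Constructed sample (not captured from a real run) in the 20121229 banner
# format that the bug report shows rkhunter misreading.
NEW_BANNER='Unhide 20121229
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
NOTE : This version of unhide is for systems using Linux >= 2.6
Used options:
[*]Searching for Hidden processes through /proc stat scanning'

# Constructed sample in the older banner format matched by the original regex.
OLD_BANNER='Unhide 20110113
yjesus@security-projects.com
http://www.security-projects.com/?Unhide

[*]Searching for Hidden processes through /proc stat scanning'

# Constructed finding line; the wording of a real hit is not on the page.
HIT='Found HIDDEN PID: 4242'

# Each helper returns what rkhunter would see in FOUND_PROCS.
clean_new() { printf '%s\n' "$NEW_BANNER" | filter_unhide_output 20121229; }
clean_old() { printf '%s\n' "$OLD_BANNER" | filter_unhide_output 20110113; }
hit_new()   { printf '%s\n%s\n' "$NEW_BANNER" "$HIT" | filter_unhide_output 20121229; }
# Old regex applied to the new banner: the situation the report describes.
mismatch()  { printf '%s\n' "$NEW_BANNER" | filter_unhide_output 20110113; }

if [ "${0##*/}" = "unhide_filter_demo.sh" ]; then
    echo "clean new-format run -> [$(clean_new)]"
    echo "clean old-format run -> [$(clean_old)]"
    echo "new-format run with a hit -> [$(hit_new)]"
    echo "old regex on new banner (the bug) ->"; mismatch
fi
```

Running `mismatch` prints the four lines quoted in the cron warning at the top of this report (Copyright, License, NOTE, Used options), which is precisely what the old regex leaves of the new banner; the same input through the new-format regex yields nothing, and only the constructed finding line survives when one is present.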