Hello Troy,

On Tue, 02 Jan 2007 23:24:41 +0100 Troy Telford <[EMAIL PROTECTED]> wrote:
>I've found what I believe is a new rootkit/trojan/worm/something. It
>appears to be a self-propagating ssh scanner; I found it in
>/var/tmp/...
>/zmeu
>
>rkhunter didn't find it; chkrootkit didn't find it. I only found it due to
>a problem with a backup and some file permissions... I'm a bit
>uncomfortable with simply attaching it and sending it to the mailing list,
>so where should I send an archive of it?

RKH currently does not scan temp dirs for anomalies. With all the PHP-related upload malarky maybe we should, but I don't know if RKH would be the "best" tool for it. OTOH it's stuff a lot of AV won't pick up and I have been working on a tempdir-based string scanner to pick up anomalies, maybe I'll release it to the list just like "hashupd" at the time. Anyway.

There's two ways to reach developers: make a SF tracker entry and upload an archive or send me a D/L location I can fetch it from. If you make a tracker entry please password the archive and send me the pass in a separate email. TIA

Regards, unSpawn

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
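
A sketch of the kind of temp-directory anomaly check this thread discusses, added here as an example; it is not part of the original messages, not rkhunter code, and not unSpawn's string scanner, which was not posted. It flags names made only of dots or whitespace, like the `...` component of the reported path, and files that look runnable; the heuristics, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

def is_disguised(name):
    # Names of only dots/whitespace ("...", ".. ") blend in with "." and ".." in ls -a.
    return name not in (".", "..") and re.fullmatch(r"[.\s]+", name) is not None

def classify_file(path):
    """Return why a regular file looks runnable, or None. Never follows symlinks."""
    try:
        # O_NOFOLLOW refuses symlinks; O_NONBLOCK avoids hanging on a FIFO.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None  # directories, sockets, devices
        head = os.read(fd, 4)
    finally:
        os.close(fd)
    if head == b"\x7fELF":
        return "ELF binary"
    if head[:2] == b"#!" or st.st_mode & 0o111:
        return "script or execute bit set"
    return None

def scan_tempdir(root):
    """Walk root without following links; return sorted (path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            hits = ["name is only dots/whitespace"] if is_disguised(name) else []
            hits.append(classify_file(path))
            findings += [(path, why) for why in hits if why]
    return sorted(findings)

def demo():
    """Scan a constructed tree that mirrors the layout in the report."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "..."))
        with open(os.path.join(root, "...", "zmeu"), "wb") as fh:
            fh.write(b"\x7fELF" + b"\0" * 12)  # constructed stub, not a real binary
        with open(os.path.join(root, "sess_ab12"), "w") as fh:
            fh.write("constructed harmless session data")
        return [(os.path.relpath(p, root), why) for p, why in scan_tempdir(root)]
```

Calling `scan_tempdir("/var/tmp")` returns leads for manual review; legitimate scripts left in temp directories will show up as well.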
