On Sat, 16 Feb 2008 22:51:15 +0100 John Horne <[EMAIL PROTECTED]> wrote:
>On Thu, 2008-02-07 at 09:09 +0100, [EMAIL PROTECTED] wrote:
>> Hi all,
>> it seems that my first mail has not reached the list, maybe the tar
>> file was too big. I try again with a smaller file (I add just scripts
>> in .t directory. Note: I have replaced my real site name with
>> "website.fr")
>> My question is: is rkhunter able to detect this attack with some
>> configuration adjustment?
>>
>If you run RKH with the suspscan test ('rkhunter --enable suspscan') then
>it may detect it. (I haven't tried it so cannot say for sure.)

I've commented on the issue in our bugtracker, but since it is posted
here I'll reply here as well. I have tested RKH before releasing
against similar malware. Running suspscan against your file set, it
marks 48 of them as suspicious. It is not that RKH can't detect
them, but how you configured SUSPSCAN_DIRS in rkhunter.conf. When
you enable suspscan to look for files in the context of, say, Apache
HTTPd, you should consider adding to the list all directories that the
user Apache runs as has write access to. So if it can write to
/var/www and /var/log/httpd you should add those too. (I've added
this in CVS as a remark in rkhunter.conf.)


Regards, unSpawn



_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users

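A worked example, added here and not part of the thread or of rkhunter itself: a POSIX shell script that lists the directories a given service account can write to (judged from the mode bits the way the owner/group/other permission check works) and turns them into the SUSPSCAN_DIRS line for rkhunter.conf, which is the adjustment unSpawn describes for the Apache user. SUSPSCAN_DIRS is the real rkhunter.conf option; the function names, the "/tmp /var/tmp" default assumed in the generated line, and the account name and roots in the usage comment are assumptions.

```shell
#!/bin/sh
# Build a SUSPSCAN_DIRS value for rkhunter.conf from the directories a
# service account can write to. Added example, not rkhunter code.
# Usage (as root, so every directory is readable and the account resolves):
#   sh suspscan_dirs.sh apache /var/www /var/log/httpd
# Then put the printed line into rkhunter.conf (or use set_conf_value).

# dir_writable_by DIR UID "GID ..." -> exit 0 if the numeric uid, belonging
# to the listed groups, may write to DIR according to its mode bits.
# Owner bits apply if the uid owns the directory, else group bits if one of
# the gids matches, else the "other" bits. ACLs are not considered.
dir_writable_by() {
    dir=$1; uid=$2; gids=$3
    [ -d "$dir" ] || return 1
    [ "$uid" -eq 0 ] && return 0            # root is not subject to mode bits
    set -- $(ls -ldn "$dir")                # mode links uid gid ... (numeric)
    mode=$1; owner=$3; group=$4
    if [ "$owner" -eq "$uid" ]; then
        case $mode in ??w*) return 0 ;; esac        # owner write bit
        return 1
    fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            case $mode in ?????w*) return 0 ;; esac # group write bit
            return 1
        fi
    done
    case $mode in ????????w*) return 0 ;; esac      # other write bit
    return 1
}

# writable_dirs UID "GID ..." ROOT... -> every directory at or below the
# roots that the account can write to, one per line (unsorted).
writable_dirs() {
    uid=$1; gids=$2; shift 2
    for root in "$@"; do
        find "$root" -type d 2>/dev/null | while IFS= read -r d; do
            dir_writable_by "$d" "$uid" "$gids" && printf '%s\n' "$d"
        done
    done
}

# suspscan_line UID "GID ..." ROOT... -> the rkhunter.conf line, keeping the
# shipped default (assumed here to be /tmp /var/tmp) in front of the
# directories found for the account.
suspscan_line() {
    dirs=$(writable_dirs "$@" | sort -u | tr '\n' ' ')
    printf 'SUSPSCAN_DIRS=/tmp /var/tmp%s\n' "${dirs:+ ${dirs% }}"
}

# set_conf_value FILE KEY VALUE -> replace an existing KEY= line in FILE or
# append one. The value must not contain '|' or '&' (sed syntax).
set_conf_value() {
    file=$1; key=$2; value=$3
    tmp="$file.new"
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# Stand-alone run: first argument is the account (e.g. apache or www-data),
# the rest are the roots to scan. Skipped when no arguments are given.
if [ "${1:-}" ]; then
    web_user=$1; shift
    suspscan_line "$(id -u "$web_user")" "$(id -G "$web_user")" "$@"
fi
```

The permission check mirrors the kernel's rule of picking exactly one of the three bit triplets, so a directory owned by the web user with mode 555 is correctly reported as not writable even if it is group-writable for one of its groups. Directory names containing whitespace would break the field split on the ls output, and setuid helpers or ACL grants are outside what mode bits can show; treat the generated list as a starting point and review it before committing it to rkhunter.conf.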