On Fri, 2008-02-22 at 22:42 +0800, Uwe Dippel wrote:
> On Fri, Feb 22, 2008 at 7:30 PM, <[EMAIL PROTECTED]> wrote:
>
> > AFAIK GNU/Linux-only (haven't got this kit in my repo) and password
> > entry probably not much use without dev/dev/gaskit/.*. Wrt entry
> > itself, if it is in pwd.db it should be in master.* as well, right?
>
> Not quite.
> This is what I see in /etc/pwd.db, when I grep for sshdd:
> 00004fc0  1b 00 00 00 1b 00 00 00  00 00 00 00 00 73 73 68  |.............ssh|
> 00004fd0  64 20 70 72 69 76 73 65  70 00 2f 76 61 72 2f 65  |d privsep./var/e|
> 00004fe0  6d 70 74 79 00 2f 73 62  69 6e 2f 6e 6f 6c 6f 67  |mpty./sbin/nolog|
> 00004ff0  69 6e 00 00 00 00 00 00  00 00 00 31 73 73 68 64  |in.........1sshd|
> 00005000  64 00 f8 0f aa 0f a2 0f  5b 0f 54 0f 11 0f 0a 0f  |d.ø.ª.¢.[.T.....|
>

I'm wondering if this is just a false-positive caused by looking in a
binary file. As unSpawn has said the /dev/dev directory should be
present as well. I suspect you have modified your rkhunter.conf
(SYSTEM_RC_DIR) to look in /etc, whereas usually RKH only looks for
startup files (scripts) typically in /etc/rc.d or /etc/init.d - not
actual system/db files in /etc.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
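
A way to triage the hit discussed in this thread, as an added example that is not part of the original messages or of rkhunter: it takes the hexdump rows quoted above and reports where each raw match of `sshd` and `sshdd` sits. The 4096-byte block size and the names `load` and `triage` are assumptions made for the illustration.

```python
import re

# The five hexdump rows quoted in the message (offset, then 16 byte values).
DUMP = """\
00004fc0 1b 00 00 00 1b 00 00 00 00 00 00 00 00 73 73 68
00004fd0 64 20 70 72 69 76 73 65 70 00 2f 76 61 72 2f 65
00004fe0 6d 70 74 79 00 2f 73 62 69 6e 2f 6e 6f 6c 6f 67
00004ff0 69 6e 00 00 00 00 00 00 00 00 00 31 73 73 68 64
00005000 64 00 f8 0f aa 0f a2 0f 5b 0f 54 0f 11 0f 0a 0f
"""

PAGE_SIZE = 4096  # assumption: block size used by the database file


def load(dump):
    """Parse 'offset hex hex ...' rows into (base_offset, bytes)."""
    rows = [line.split() for line in dump.splitlines() if line.strip()]
    base = int(rows[0][0], 16)
    return base, bytes(int(b, 16) for row in rows for b in row[1:])


def triage(needle, base, data, page_size=PAGE_SIZE):
    """For each raw hit, report its offset and whether it spans two blocks."""
    hits = []
    for m in re.finditer(re.escape(needle), data):
        start = base + m.start()
        last = base + m.end() - 1
        # File offset at which the block holding the hit's last byte begins.
        boundary = (last // page_size) * page_size
        straddles = start < boundary
        cut = boundary - start if straddles else len(needle)
        hits.append({
            "offset": start,
            "straddles": straddles,
            "parts": (needle[:cut], needle[cut:]),   # bytes before / after the boundary
            "followed_by": data[m.end():m.end() + 3],
        })
    return hits


if __name__ == "__main__":
    base, data = load(DUMP)
    for needle in (b"sshd", b"sshdd"):
        for hit in triage(needle, base, data):
            print(needle, hex(hit["offset"]), hit)
```

On the quoted bytes the only `sshdd` hit starts at 0x4ffc and ends at 0x5000, so its last byte lies in the next block and is followed by binary values rather than text, while both plain `sshd` hits sit inside one block.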
