On Thu, 06 Mar 2008 09:02:53 +0100 Gordy <[EMAIL PROTECTED]> wrote:
>How to confirm deleted files are false positive?

By inspecting them.

>[15:15:32] Warning: The following processes are using deleted 
>files:
>[15:15:32] Process: /usr/sbin/hald PID: 2834 File: 
>/tmp/init.riMOoa

You have the PID, so 'lsof -w -n -p $PID' or ls -al /proc/$PID/fd 
should show the deleted file still open on a file descriptor. Then 
cat or copy the file to another fs that's not /tmp. Run 'file' on 
it and then inspect using utilities like strings, ldd, objdump, AV 
or running it in a VM if it's some binary.


>So I tried again after a full reboot

A reboot destroys processes so if your intention is to investigate 
you'd better not disturb it like that.


>The idea did occur me to run a cut down tripwire or other checker 
>on /tmp only before or
>after.....but I will let the gurus decide if that is the correct 
>way.

The file integrity checking capabilities of Aide, Samhain or even 
tripwire are best used on *static* entities like those living in 
your system bin dirs. If you need to record volatile items you'll 
need something like Jedi's Eliott. If you need to inspect volatile 
items you'll need something that does or triggers on-access 
scanning based on Dazuko or "simple" inotify actions like 
inotifywait:

    while read line; do
        /some/path/checkingbinary "${line}" &
    done < <(/usr/local/bin/inotifywait -m -r --format '%w%f' -e create /tmp)

This creates a recursive monitor on /tmp watching for any create().
(It's part of a tarball I uploaded to one of the RKH bug tracker
items to test a standalone version of suspscan.)


Regards, unSpawn
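The /proc/$PID/fd inspection step described in the reply above, as an added example script (not part of the thread or of rkhunter): it lists the descriptors the kernel marks "(deleted)" and copies each still-open file off /tmp so it can be handed to file(1), strings, AV and so on. It assumes a Linux /proc and bash-compatible sh; the function names and the destination directory are illustrative.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Assumes Linux /proc.

# Print "fd path" for every descriptor of PID whose link target carries
# the kernel's " (deleted)" suffix, i.e. the file is unlinked but still open.
list_deleted_fds() {
    pid="$1"
    for fd in /proc/"$pid"/fd/*; do
        # readlink fails if the fd was closed between the glob and here
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                printf '%s %s\n' "${fd##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# Copy each deleted-but-open file of PID into DEST (pick a directory that is
# NOT on /tmp), naming the copy after PID, fd and the original basename, then
# print the copy's path and its file(1) type.
recover_deleted_fds() {
    pid="$1"; dest="$2"
    mkdir -p "$dest"
    list_deleted_fds "$pid" | while read -r fd path; do
        out="$dest/pid${pid}-fd${fd}-$(basename "$path")"
        # /proc/PID/fd/N is a magic link: reading it reads the open file even
        # though its directory entry is gone.
        cat /proc/"$pid"/fd/"$fd" > "$out"
        printf '%s\n' "$out"
        file "$out" 2>/dev/null || true   # file(1) may not be installed
    done
}
```

Usage: `recover_deleted_fds 2834 /root/evidence` for the hald PID from the report; the process must still be alive, which is why rebooting first loses the evidence.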

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
