On Thu, 09 Sep 2010 10:21:56 +0100 John Horne <[email protected]> wrote:
> The test is for complete files names, not partial matches - so
> '.../system' matches, but '.../system_bus_socket' will not. Without
> seeing the lsof output, which has obviously changed by now, it is
> impossible to say what was matched.
I have a similar problem with wine. When there are no wine apps running,
I get no warning, but with wine running I get the warning.
I made a diff of the lsof output with wine running and not running; it seems
the following opened directory is guilty:
+n/mnt/d/winnt4nowin/windows/system
Is it possible to whitelist it somehow?
I tried to change the rkhunter binary like this:
--- rkhunter.orig 2009-11-29 15:05:09.000000000 +0200
+++ rkhunter 2010-09-13 02:48:20.524209918 +0300
@@ -6384,7 +6384,6 @@
ras2xm:Unknown rootkit
vobiscum:Unknown rootkit
sshd3:Unknown rootkit
- system:Unknown rootkit
t0rnsb:T0rn
t0rns:T0rn
t0rnp:T0rn
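Review bot: dropping the line `system:Unknown rootkit` from this list turns the check off for the name `system` under every path, not only for /mnt/d/winnt4nowin/windows/system, so the patch is wider than the whitelist that was asked for. It also modifies the installed /usr/bin/rkhunter, which is exactly what the package manager verification reported right after (hash, size and modification time no longer match the package), and that is not cleared by `rkhunter --propupd` since the comparison is against the package's records rather than rkhunter's own property file. Suggest leaving the script untouched and exempting that single path in the configuration instead, which keeps the remaining names in the list active.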
but then I get a warning:
[02:54:07] /usr/bin/rkhunter [ Warning ]
[02:54:07] Warning: Package manager verification has failed:
[02:54:07] File: /usr/bin/rkhunter
[02:54:07] The file hash value has changed
[02:54:07] The file size has changed
[02:54:07] The file modification time has changed
The warning remains even after running rkhunter --propupd; why?
Ah, it's because of "Package manager verification".
Regards,
Nerijus
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
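The point made above, that the test compares complete file names and so flags '.../windows/system' but not '.../system_bus_socket', is shown below in an added example that is not rkhunter's own code. It reuses the names visible in the quoted hunk as the known-name list, feeds the check constructed lsof-style lines (the 'n' field lines, not a real capture), and exempts the wine directory by exact full path instead of deleting 'system' from the list. The whitelist variable and the sample lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not rkhunter's own code: "complete file name" matching over
# lsof-style output, with a full-path whitelist applied in place of editing
# the known-name list inside the rkhunter script.

# Names the check looks for; these are the ones visible in the quoted hunk.
KNOWN_NAMES="ras2xm vobiscum sshd3 system t0rnsb t0rns t0rnp"

# Constructed lsof -F n style output (each line: 'n' + file name).
# Not a real capture; chosen to show exact-name vs partial-name behaviour.
sample_lsof() {
    cat <<'EOF'
n/mnt/d/winnt4nowin/windows/system
n/var/run/dbus/system_bus_socket
n/usr/lib/libsshd3.so
n/dev/shm/t0rnp
EOF
}

# is_known_name NAME: succeeds only on an exact match against KNOWN_NAMES,
# so 'system_bus_socket' and 'libsshd3.so' never match.
is_known_name() {
    for k in $KNOWN_NAMES; do
        if [ "$1" = "$k" ]; then return 0; fi
    done
    return 1
}

# is_whitelisted PATH WHITELIST: exact full-path match, so only that one
# location is exempted and the name itself stays on the list.
is_whitelisted() {
    for w in $2; do
        if [ "$1" = "$w" ]; then return 0; fi
    done
    return 1
}

# scan_lsof WHITELIST: read 'n' lines on stdin, print the paths whose last
# component is a known name and which are not on the whitelist.
scan_lsof() {
    wl=$1
    while IFS= read -r line; do
        case "$line" in
            n/*) path=${line#n} ;;
            *)   continue ;;
        esac
        base=${path##*/}
        if is_known_name "$base" && ! is_whitelisted "$path" "$wl"; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Hypothetical whitelist holding the wine directory from the post.
WINE_WHITELIST="/mnt/d/winnt4nowin/windows/system"

if [ "${1:-}" = "--demo" ]; then
    echo "no whitelist:";   sample_lsof | scan_lsof ""
    echo "with whitelist:"; sample_lsof | scan_lsof "$WINE_WHITELIST"
fi
```

Run with `sh example.sh --demo`: without the whitelist both /mnt/d/winnt4nowin/windows/system and /dev/shm/t0rnp are reported; with it only /dev/shm/t0rnp remains, while the socket and the .so never match because only the whole last path component is compared. Keeping the exemption outside the script is what leaves the packaged file, and therefore the package manager verification, intact.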