On 05/01/10 22:51, John Horne wrote:
>
> On Wed, 2010-01-06 at 00:29 +0200, Nerijus Baliunas wrote:
>> On Tue, 5 Jan 2010 21:41:39 +0100 Jens Schuessler<[email protected]> wrote:
>>
>>> I only wanna know what causes the rkhunter message, Wouldn't it be
>>> better if rkhunter tells me exactly which of this susp files he had found,
>>> rather than a list of possible files?
>>
>> for RKHTMPVAR in ${SUSP_FILES_INFO}; do
>>     RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ ]*//'`
>>
>>     FILENAME=`echo ${RKHTMPVAR} | cut -d: -f1 | sed -e 's/\./\\\./g'`
>>     SUSP_FILES="${SUSP_FILES}|${FILENAME}"
>> done
>>
>> Here instead of adding files to SUSP_FILES the grep itself should run -
>> it will take more time to complete, but it really would be more convenient.
>>
> As far as I remember the problem was that the lsof command could produce
> a lot of output. As such RKH only runs it once and tests the output once
> directly. We could still run lsof once, but it would probably be better
> to store the output in a file rather than a variable (in case that
> causes the shell a problem). Hence we would need to change the code a
> bit. I'll make a note of it.
>
> John.
>
Just to note, even something as common as:
$ crontab -e
causes:
Warning: Checking running processes for suspicious files [ Warning ]
Warning: One or more of these files were found: backdoor, adore.o,
mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o,
cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm,
vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp,
rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc, mech,
httpd.bin, mh, xl, write,
Phantasmagoria.o, lkt.o, nlkt.o
Check the output of the lsof command 'lsof -F n -w -n'
Can I suggest just changing the hint to be a pointer to a website with a hint
on how to run a loop to scan for each case, e.g.:
elbournb@red:~$ for i in backdoor, adore.o, mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write, Phantasmagoria.o, lkt.o, nlkt.o; do sudo lsof -F n -w -n | egrep "/(${i//,/})\$"; done
n/usr/bin/crontab
The list of files is a simple copy and paste from the rkhunter email. YMMV :-)
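The following is an added example, not code from rkhunter or from anyone in this thread. It combines the two suggestions above: run lsof once and keep its output in a file rather than a shell variable, then compare every suspicious name against the last path component of each `n` line so the warning can say exactly which open file triggered it (here `/usr/bin/crontab`, the legitimate binary opened by `crontab -e`). The function names `make_sample_lsof` and `report_matches`, the `SUSP_NAMES` list, and the sample lsof output are all constructed for this example; the sample approximates the `lsof -F n` field format and was not captured from a real host.

```shell
#!/bin/sh
# Added example: pinpoint which file behind an rkhunter "suspicious files" warning
# is actually open, instead of printing the whole candidate list.

# A subset of the names rkhunter lists in its warning (taken from the post above).
SUSP_NAMES="backdoor adore.o mod_rootme.so crontab sshdu write lkt.o"

# Constructed stand-in for 'lsof -F n -w -n' output: 'p' lines carry a pid,
# 'n' lines carry the open file's name. Not captured from a real system.
make_sample_lsof() {
    cat <<'EOF'
p1234
n/usr/bin/crontab
n/home/user
p4321
n/usr/bin/sshd
n/tmp/adore.o.txt
EOF
}

# report_matches LSOF_FILE NAME...
# Reads the saved lsof output once per name and prints "name<TAB>path" for every
# 'n' line whose final path component equals NAME exactly. Comparing the basename
# avoids regex escaping ('.' in adore.o) and stops 'adore.o' matching 'adore.o.txt'.
report_matches() {
    lsof_file=$1
    shift
    for name in "$@"; do
        grep '^n' "$lsof_file" | while IFS= read -r line; do
            path=${line#n}          # strip the 'n' field tag
            base=${path##*/}        # last path component
            if [ "$base" = "$name" ]; then
                printf '%s\t%s\n' "$name" "$path"
            fi
        done
    done
}

# Stand-alone run: collect lsof output into a file once, then test every name.
LSOF_OUT=$(mktemp)
make_sample_lsof > "$LSOF_OUT"   # on a real host: sudo lsof -F n -w -n > "$LSOF_OUT"
report_matches "$LSOF_OUT" $SUSP_NAMES
rm -f "$LSOF_OUT"
```

With the sample data only `crontab` is reported, with its full path, which is what an admin needs in order to decide that the match is the system's own `/usr/bin/crontab` rather than something dropped in `/tmp`. Because the lsof output is read from a file, the check costs one lsof invocation however many names are on the list.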
--
"Confidence is what you have before you understand a problem" - Woody Allen
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users