
#22 Checking running processes for suspicious files

Milestone: main
Status: closed-fixed
Owner: unSpawn
Labels: Rkhunter (37)
Priority: 5
Updated: 2010-08-02
Created: 2010-01-27
Private: No

Warning: Checking running processes for suspicious files [ Warning ]

Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write, Phantasmagoria.o, lkt.o, nlkt.o

Check the output of the lsof command 'lsof -F n -w -n'

I think it would be better to write the exact suspicious process.

Discussion

  • unSpawn, 2010-01-27

    • milestone: --> main
    • assigned_to: nobody --> unspawn
     
  • unSpawn, 2010-01-27

    > I think it would be better to write the exact suspicious process.
    What does (/var/log/)rkhunter.log show with respect to the malware check?

     
  • John Horne, 2010-08-02

    Fixed in CVS (version 1.3.7).
    Each found suspicious file is now displayed individually, along with the pid, uid etc.

     
  • John Horne, 2010-08-02

    • status: open --> closed-fixed
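Added example, not rkhunter's own code: a minimal reimplementation of the "running processes for suspicious files" check that parses the one-field-per-line output of `lsof -F` and reports each hit individually with its pid and uid, the per-file reporting John Horne describes for 1.3.7. The filename list is copied from the warning in this ticket; the lsof sample is constructed, and the `lsof -F pun -w -n` invocation (adding the `u` field so a uid is available) is an assumption about how such a check would be run, not something taken from the rkhunter sources.

```shell
#!/bin/sh
# Added example (not rkhunter's code). `lsof -F` prints one field per
# line, each prefixed by a one-letter tag: p = pid (always emitted,
# starts a new process set), f = file descriptor (always emitted),
# n = file name, u = user ID (only if requested, e.g. `lsof -F pun -w -n`;
# the ticket's `lsof -F n -w -n` gives no uid, so uid prints as "?").

# File basenames from the warning quoted in this ticket.
SUSPICIOUS_FILES="backdoor adore.o mod_rootme.so phide_mod.o lbk.ko vlogger.o \
cleaner.o cleaner ava tzava mod_klgr.o hydra hydra.restore ras2xm vobiscum \
sshd3 system t0rnsb t0rns t0rnp rx4u rx2me crontab sshdu glotzer holber xhide \
xh emech psybnc mech httpd.bin mh xl write Phantasmagoria.o lkt.o nlkt.o"

# Constructed sample of `lsof -F pun -w -n` output (not real data):
# three processes, two of which have a file with a listed basename open.
SAMPLE_LSOF='p1042
u0
fcwd
n/
ftxt
n/usr/sbin/sshd
f3
n/dev/null
p2211
u1000
fcwd
n/tmp/.x
ftxt
n/tmp/.x/sshdu
f0
n/dev/pts/2
p2390
u1000
ftxt
n/usr/lib/insmod
fmem
n/lib/modules/adore.o'

# Reads lsof -F output on stdin and prints "pid uid path" for every open
# file whose basename is in SUSPICIOUS_FILES, one line per hit. Matching
# is by basename only, so this is a filename heuristic, not proof of a
# rootkit: a legitimate /usr/bin/write would match "write" as well.
check_running_procs() {
    awk -v list="$SUSPICIOUS_FILES" '
    BEGIN {
        n = split(list, names, " ")
        for (i = 1; i <= n; i++) bad[names[i]] = 1
    }
    /^p/ { pid = substr($0, 2); uid = "?"; next }   # new process set
    /^u/ { uid = substr($0, 2); next }               # uid, if requested
    /^n/ {
        path = substr($0, 2)
        base = path
        sub(/.*\//, "", base)                        # basename of path
        if (base in bad) print pid, uid, path
    }'
}

# Returns 1 and prints each hit on its own line when anything is flagged,
# so the result can drive a per-file warning instead of one lumped list.
run_check() {
    hits=$(printf '%s\n' "$SAMPLE_LSOF" | check_running_procs)
    if [ -n "$hits" ]; then
        printf 'Warning: suspicious file(s) open in running processes (pid uid path):\n%s\n' "$hits"
        return 1
    fi
    echo "No suspicious files found in running processes"
}

# Run against the constructed sample; a warning is expected here.
run_check || :
```

On a real host replace the sample with `lsof -F pun -w -n | check_running_procs`; the `-w` suppresses lsof's warnings and `-n` skips hostname lookups, both of which keep the field stream clean for the parser.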