Re: [Rkhunter-users] rkhunter actually running commands in the files check section
From: Mike M. <Mik...@sb...> - 2010-07-15 16:18:33
John Horne wrote:
> On Wed, 2010-07-14 at 21:05 -0500, Mike McCarty wrote:
>> Robert Fields wrote:
>>> Does anyone know what would cause rkhunter to actually execute the
>>> commands for all the system binaries and scripts it checks?
>>>
>>> I had never seen this behavior before but a coworker showed it to me
>>> in the rkhunter.log file on a machine she admins.
>>>
>>> For example:
>>>
>>> [05:10:06] /sbin/lsmod [Warning]
>>> [05:10:06] Warning: The file properties have changed:
>>> [05:10:06] File: /sbin/lsmod
>>> [05:10:06] Current hash: Module
>>> ipv6
>>> nf_conntrack_ipv4
>> These entries are warning you that the properties of the executable
>> file have changed in some way, not that it ran the program.
>>
> But the output certainly looks as if the program ran. The 'lsmod'
> command starts with a header line containing 'Module', and 'ipv6' and
> 'nf_conntrack_ipv4' are certainly module names.

Hmm. You are right, and That's Puzzling.

> What I would like to see is the rkhunter log file for this, or better
> still output from a run when the '--debug' was used.
>
> I have looked through the code but cannot see how such output could be
> produced. Weird.

That would be interesting to see, indeed.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!