Re: [Rkhunter-users] RKH hangs forever malware check
From: Bendtsen, J. <Jon...@la...> - 2013-02-13 13:46:19
On 13/02/2013, at 14.17, W Forum W <wf...@gm...> wrote:

> txs
>
> the last part I get with
> trace -p PID
>
> stat64("/usr/local/sbin/uniq", 0xbfd81c70) = -1 ENOENT (No such file or directory)
> stat64("/usr/local/bin/uniq", 0xbfd81c70) = -1 ENOENT (No such file or directory)
> stat64("/usr/sbin/uniq", 0xbfd81c70) = -1 ENOENT (No such file or directory)
> stat64("/usr/bin/uniq", {st_mode=S_IFREG|0755, st_size=30592, ...}) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7620938) = 5921
> close(3) = 0
> close(-1) = -1 EBADF (Bad file descriptor)
> wait4(-1,
>
> and then it's waiting forever, no idea why

Thanks for including a few lines above the "Bad file descriptor". As you can see, it looks for the uniq program. So I suggest that you read up on what a "Bad file descriptor" means and look in the rkhunter script, probably /usr/bin/rkhunter, and see if you can read up on what it is supposed to do right after looking for uniq. Maybe you can spot the problem.

My version of rkhunter is 1.4.0-1 from Debian Wheezy, and as far as I know, rkhunter was changed significantly between 1.3.x and 1.4.0; it actually lost a feature that I used to use all the time, namely the -r ROOTDIR= option, which I used to scan all the backups of my servers from a secured backup server. Occasionally I also used to boot up from a Linux rescue CD and run rkhunter on the servers. Therefore I do not think it helps you much that I look in my 1.4.0-1 version how it uses uniq.

JonB
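One way to follow the advice above (work out what the parent is actually waiting for), as an added example that is not part of the original thread or of rkhunter itself: a small POSIX shell script that reads strace output, recognises that the trace ends in an unfinished wait4()/waitpid(), pulls out the PID returned by the last clone()/fork() line, and on a live system shows what that child is blocked on via /proc. The sample trace lines are constructed after the ones quoted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter.
# Sample strace output, constructed after the lines quoted in the thread.
SAMPLE_TRACE='stat64("/usr/bin/uniq", {st_mode=S_IFREG|0755, st_size=30592, ...}) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7620938) = 5921
close(3) = 0
close(-1) = -1 EBADF (Bad file descriptor)
wait4(-1, '

# hung_in_wait TRACE: succeed (exit 0) when the last traced call is an
# unfinished wait4()/waitpid()/waitid(), i.e. the parent is blocked on a child.
hung_in_wait() {
    printf '%s\n' "$1" | tail -n 1 | grep -Eq '^wait(4|pid|id)\('
}

# last_forked_child TRACE: print the PID returned by the most recent
# successful clone()/fork()/vfork() line (failed calls return -1 and are skipped).
last_forked_child() {
    printf '%s\n' "$1" | awk '
        /^(clone|fork|vfork)\(.*\) = [0-9]+$/ { pid = $NF }
        END { if (pid != "") print pid }'
}

# inspect_child PID: on a live system, show the child's command line, the
# kernel function it is sleeping in, and its open file descriptors. That is
# usually enough to see whether it is waiting on a pipe, a terminal or a file.
inspect_child() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "no such process: $pid" >&2
        return 1
    fi
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    [ -r "/proc/$pid/wchan" ] && echo "wchan:   $(cat "/proc/$pid/wchan")"
    ls -l "/proc/$pid/fd"
}

# Demo against the constructed trace.
if hung_in_wait "$SAMPLE_TRACE"; then
    child=$(last_forked_child "$SAMPLE_TRACE")
    echo "parent is blocked in wait4(); last forked child was PID $child"
    echo "on the live system, run: inspect_child $child   (or: strace -p $child)"
fi
```

On the real machine, feed it the output of `strace -o trace.txt -p PID` (or attach with `strace -f` from the start so the child's own calls are captured) and then call `inspect_child` on the PID it reports; a child sitting in a read on a terminal or an unconnected pipe shows up immediately in the fd listing.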