Re: [Rkhunter-users] [Fwd: iceman hacks me]
From: <un...@hu...> - 2008-02-20 13:35:12
On Sat, 16 Feb 2008 22:51:15 +0100 John Horne <joh...@pl...> wrote:
> On Thu, 2008-02-07 at 09:09 +0100, fs...@sy... wrote:
> > Hi all,
> > it seems that my first mail has not reached the list, maybe the tar
> > file was too big. I try again with a smaller file (I add just scripts
> > in .t directory. Note: I have replaced my real site name with
> > "website.fr")
> > My question is: is rkhunter able to detect this attack with some
> > configuration adjustment?
> >
> If you run RKH with the suspscan test ('rkhunter --enable suspscan') then
> it may detect it. (I haven't tried it so cannot say for sure.)

I've commented the issue in our bugtracker but since it is posted here I'll reply here as well. I have tested RKH before releasing against similar malware. Running suspscan with your file set it marks 48 of them as suspicious. It is not that RKH can't detect them but how you configured SUSPSCAN_DIRS in rkhunter.conf. When you enable suspscan to look for files in the context of say Apache HTTPd you should consider adding to the list all directories the user Apache runs as has write access to. So if it can write to /var/www and /var/log/httpd you should add those too. (I've added this in CVS as a remark in rkhunter.conf.)

Regards,
unSpawn
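As an added example (not part of the list post and not code from the rkhunter project), the following POSIX shell helper turns the advice above into something checkable: given a service user and a list of candidate directories, it reports which of them that user can write to, judged from ownership and mode bits, and emits a matching SUSPSCAN_DIRS line for rkhunter.conf. The user name `apache` and the directories /var/www and /var/log/httpd in the usage call are placeholders taken from the message; the function names are this example's own. ACLs, mount options and SELinux contexts are not considered, so treat the output as a starting point to review, not as the final list.

```shell
#!/bin/sh
# Added example, not rkhunter project code. Helper names are hypothetical.

# writable_by_user USER DIR...
# Print each existing DIR that USER can write to according to classic
# permission bits: world-writable, owned by USER with u+w, or group-writable
# and owned by a group USER belongs to. Missing directories are skipped.
writable_by_user() {
    user=$1; shift
    # Groups the user belongs to; fail if the account does not exist.
    user_groups=$(id -Gn "$user" 2>/dev/null) || return 1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -prune stops find descending, so only DIR itself is tested.
        if find "$dir" -prune -type d \
               \( -perm -o=w -o -user "$user" -perm -u=w \) -print 2>/dev/null \
           | grep -q .; then
            printf '%s\n' "$dir"
            continue
        fi
        for g in $user_groups; do
            if find "$dir" -prune -type d -group "$g" -perm -g=w -print 2>/dev/null \
               | grep -q .; then
                printf '%s\n' "$dir"
                break
            fi
        done
    done
}

# suspscan_dirs_line USER DIR...
# Print a SUSPSCAN_DIRS="..." line listing the writable directories found,
# space separated, in the format rkhunter.conf uses.
suspscan_dirs_line() {
    list=""
    for d in $(writable_by_user "$@"); do
        list="${list:+$list }$d"
    done
    printf 'SUSPSCAN_DIRS="%s"\n' "$list"
}

# Usage with placeholder values from the thread (service user and paths
# are assumptions; adjust to the real account and web root):
#   suspscan_dirs_line apache /tmp /var/tmp /var/www /var/log/httpd
```

Run the usage line as root on the web host, compare the printed directories with what is already in rkhunter.conf, and add the missing ones; directories the service user cannot write to do not need to be scanned for dropped scripts.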