Re: [Rkhunter-users] hidden process false positives
From: <un...@hu...> - 2010-03-12 06:39:53
On Thu, 11 Mar 2010 23:27:56 +0100 William Maddler <ne...@ma...> wrote:
> The point is that smtp and lmtp aren't supposed to be hidden processes :)

Then (unless anyone can confirm this is OK behaviour) please check:
- '\ps axfwwwe' output for all Postfix processes and check their UID and GID match,
- 'lsof -Pwn' output for all Postfix processes and check the (/proc/PID/exe) smtp and lmtp executable locations match those of the others,
- hashes of all components in use match those already known (debsums or better: "known good" package contents),
- system and daemon logs for any anomalies.

... and if necessary attach (text file) details like relevant excerpts of rkhunter.log, output of running 'unhide(-linux26?)' and list host details like if it's using virtualization (VPS?).

Regards, unSpawn
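The first two checks in the message above (UID/GID and /proc/PID/exe location of each Postfix process) can be scripted. This is an added example, not part of the original post or of rkhunter. The function name `check_postfix_procs`, its optional proc-root argument, and the assumption that Postfix's parent daemon appears in /proc with the name `master` are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). For every child of Postfix's
# master process it compares the effective UID:GID and the /proc/PID/exe
# directory against the other Postfix daemons. PROCROOT defaults to /proc;
# reading other users' exe links needs root.
check_postfix_procs() (
    proc="${1:-/proc}"; mpid=""; mdir=""
    # field KEY COLUMN FILE: print one column of a /proc/PID/status line.
    field() { awk -v k="$1" '$1==k{print $'"$2"'; exit}' "$3"; }

    # Pass 1: find master and the directory its binary was started from.
    for d in "$proc"/[0-9]*; do
        [ -r "$d/status" ] || continue
        [ "$(field Name: 2 "$d/status")" = "master" ] || continue
        mpid=${d##*/}; exe=$(readlink "$d/exe"); mdir=${exe%/*}
        break
    done
    [ -n "$mpid" ] && [ -n "$mdir" ] || { echo "master not found" >&2; exit 2; }

    # Pass 2: one row per child of master: PID NAME UID:GID EXE
    rows=$(for d in "$proc"/[0-9]*; do
        [ -r "$d/status" ] || continue
        [ "$(field PPid: 2 "$d/status")" = "$mpid" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="unreadable"
        echo "${d##*/} $(field Name: 2 "$d/status")" \
             "$(field Uid: 3 "$d/status"):$(field Gid: 3 "$d/status") $exe"
    done)

    # Reference identity: the UID:GID pair most children share.
    common=$(printf '%s\n' "$rows" | awk 'NF{print $3}' | sort | uniq -c |
             sort -rn | awk 'NR==1{print $2}')

    # Flag rows that stand out; flagged rows are for manual review.
    printf '%s\n' "$rows" | while read -r pid name ids exe; do
        [ -n "$pid" ] || continue
        flags=""
        [ "${exe%/*}" = "$mdir" ] || flags="$flags EXE_DIR_MISMATCH"
        case "$exe" in *"(deleted)") flags="$flags EXE_DELETED" ;; esac
        [ "$ids" = "$common" ] || flags="$flags IDS_DIFFER"
        echo "$pid $name $ids $exe${flags:- OK}"
    done
)
```

A flag marks a process to look at more closely, not a verdict; the hash and log checks from the list still have to be done separately.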