Re: [Rkhunter-users] rkhunter Daily Run: where's the warning?
From: Quinn C. <qu...@st...> - 2006-09-13 13:44:25
It is the cron job that comes packaged with the latest version of rkhunter. I'll paste it below...

Quinn

[root@two]$cat /etc/cron.daily/01-rkhunter
#!/bin/sh
# 01-rkhunter A shell script to update and run rkhunter via CRON

XITVAL=0

# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` || exit 1

if [ ! -e /var/lock/subsys/rkhunter ]; then

  # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
  /bin/touch /var/lock/subsys/rkhunter

  # Source system configuration parameters.
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    MAILTO=root@localhost
  fi

  # If a diagnostic mode scan was requested, setup the parameters
  if [ "$DIAG_SCAN" == "yes" ]; then
    RKHUNTER_FLAGS=" --checkall --run-application-check --skip-keypress --nocolors --quiet --append-log $TMPFILE1 "
  else
    RKHUNTER_FLAGS=" --cronjob "
  fi

  # Set a few critical parameters
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter.log

  # Run RootKit Hunter if available
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
      > $TMPFILE1
    /bin/nice -n 10 $RKHUNTER --update 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
      >> $TMPFILE1
    /bin/cat $TMPFILE1 | /bin/mail -s 'rkhunter Daily Run' $MAILTO
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi

  # Delete the gating lockfile
  /bin/rm -f /var/lock/subsys/rkhunter
fi

# Delete the secure tempfile
/bin/rm -f $TMPFILE1

exit $XITVAL

################################

On Wed, 13 Sep 2006 15:36:03 +0200 (CEST), unspawn wrote:
> On Wed, 13 Sep 2006, Quinn Comendant wrote:
>
>> Hello!
>>
>> I have rkhunter running via cron.daily. Every day I receive a message
>> stating "[rkhunter] Warnings found for two.strangecode.com." I can't
>> seem to find why it is triggering.
>
> Me neither, though that doesn't mean I see everything.
> What's the contents of the cronjob?
>
>
> Cheers, unSpawn
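
A note on the `2>&1 >> $TMPFILE1` redirections in the pasted cron job, as an added example that is not part of the original message or of rkhunter: in that order stderr is bound to the original stdout before stdout is moved to the file, so anything written to stderr never reaches the tempfile that is mailed and appended to the log. The function names and the `emit` stand-in below are hypothetical.

```shell
#!/bin/sh
# Added example: where stdout and stderr end up for the two redirection orders.

# emit() is a hypothetical stand-in for a scanner that prints a normal
# line on stdout and a warning on stderr (constructed sample output).
emit() {
    echo "scan line on stdout"
    echo "warning on stderr" >&2
}

# Order used in the pasted cron job: "2>&1 >> file".
# Redirections are processed left to right: stderr is duplicated onto the
# current stdout first, then stdout alone is pointed at the file.
capture_as_posted() {
    log=$1
    : > "$log"
    emit 2>&1 >> "$log"
}

# Conventional order: ">> file 2>&1".
# stdout goes to the file first, then stderr is duplicated onto it.
capture_both() {
    log=$1
    : > "$log"
    emit >> "$log" 2>&1
}

# Run both variants against scratch files and report how many lines each
# file received, plus whatever escaped the file in the posted order.
demo() {
    dir=$(mktemp -d) || return 1
    leaked=$(capture_as_posted "$dir/posted.log")
    capture_both "$dir/both.log"
    posted_lines=$(wc -l < "$dir/posted.log" | tr -d ' ')
    both_lines=$(wc -l < "$dir/both.log" | tr -d ' ')
    rm -rf "$dir"
    echo "posted=$posted_lines both=$both_lines leaked=$leaked"
}
```

Calling `demo` prints the line counts of the two scratch logs and the text that bypassed the file in the posted order.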