Bug#662128: rkhunter: "Check for suspicious files" message triggers "warnings found" e-mail

Thomas Lamy thomas.lamy at netwake.de
Sun Mar 4 10:33:50 UTC 2012


Package: rkhunter
Version: 1.3.6-4
Severity: normal


After configuring rkhunter, filtering false positives, etc., I get this daily report:

---
Warning: Checking for files with suspicious contents [ Warning ]

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
---

I guess the check message has the wrong severity, so it also triggers the other daily mail:

---
Subject: [rkhunter] Warnings found for <machine>
Message-Id: <20120304052955.0C3B31000088 at XXXXXXXXXXXX>
Date: Sun,  4 Mar 2012 06:29:55 +0100 (CET)
From: root at XXXXXXXXXXX (root)

Please inspect this machine, because it may be infected.
---


Thanks for considering
Thomas



-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils               2.20.1-16         The GNU assembler, linker and bina
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  file                   5.04-5            Determines file type using "magic"
ii  net-tools              1.60-23           The NET-3 networking toolkit
ii  perl                   5.10.1-17squeeze3 Larry Wall's Practical Extraction 
ii  postfix [mail-transpor 2.7.1-1+squeeze1  High-performance mail transport ag

Versions of packages rkhunter recommends:
ii  curl                 7.21.0-2.1+squeeze1 Get a file from an HTTP, HTTPS or 
ii  iproute              20100519-3          networking and traffic control too
ii  lsof                 4.81.dfsg.1-1       List open files
ii  perl [libdigest-sha- 5.10.1-17squeeze3   Larry Wall's Practical Extraction 
ii  unhide               20100201-1          Forensic tool to find hidden proce
ii  wget                 1.12-2.1            retrieves files from the web

Versions of packages rkhunter suggests:
ii  bsd-mailx          8.1.2-0.20100314cvs-1 simple mail user agent
ii  tripwire           2.4.2-9               file and directory integrity check

-- debconf information:
  rkhunter/apt_autogen: false
  rkhunter/cron_daily_run:
  rkhunter/cron_db_update:
