Bug#662128: rkhunter: "Check for suspicious files" message triggers "warnings found" e-mail

Thomas Lamy thomas.lamy at netwake.de
Sun Mar 4 17:42:19 UTC 2012


On 04.03.2012 12:49, Julien Valroff wrote:
> Hi Thomas,
>
> On Sunday, 04 March 2012 at 11:33:50 (+0100 CET), Thomas Lamy wrote:
> [...]
>> After configuring rkhunter, filtering false positives etc, I get this daily report:
>>
>> ---
>> Warning: Checking for files with suspicious contents [ Warning ]
> And what triggers this warning? You can check this in /var/log/rkhunter.log
>
> I guess you have missed a file in your whitelist or something like that.
>
> Cheers,
> Julien
>

From the log:
[06:27:59]   Performing check of files with suspicious contents
[06:27:59] Info: Starting test name 'suspscan'
[06:27:59]     Directories to check are: /tmp /var/tmp
[06:27:59]     Temporary directory to use: /dev/shm
[06:27:59]     Maximum file size to check (in bytes): 10240000
[06:27:59]     Score threshold is set to: 200
[06:29:20]     Checking directory: '/tmp'
[06:29:20]       File checked: Name: '/tmp/mysql-30seconds.png' Score: 10
[06:29:20]       File checked: Name: '/tmp/lav-3day.png' Score: 20
[06:29:20]       File checked: Name: '/tmp/mem-3day.png' Score: 20
[....]
[06:29:21]       File checked: Name: '/tmp/mailq-3day.png' Score: 20
[06:29:21]       File checked: Name: '/tmp/mysql-3day.png' Score: 31
[06:29:21]       File ignored: empty: '/tmp/#sql_365a_0.MYD'
[06:29:21]       File checked: Name: '/tmp/service.lock' Score: 0
[06:29:21]       File ignored: empty: '/tmp/fileonso16'
[06:29:21]       File ignored: empty: '/tmp/fileAu7HQu'
[06:29:21]       File ignored: empty: '/tmp/fileaE9yRm'
[06:29:21]     Checking directory: '/var/tmp'
[06:29:21] Warning: Checking for files with suspicious contents [ Warning ]
[06:29:21]

None of the files have score >= 200.
....
[06:29:27] System checks summary
[06:29:27] =====================
[06:29:27]
[06:29:27] File properties checks...
[06:29:27] Files checked: 131
[06:29:27] Suspect files: 0
[06:29:27]
[06:29:27] Rootkit checks...
[06:29:27] Rootkits checked : 244
[06:29:27] Possible rootkits: 0
[06:29:27]

Even from rkh's log I would not expect to get a warning mail; everything 
is whitelisted and/or below reporting thresholds.

Unfortunately, the level of shell scripting needed to track this down is 
beyond my skills...

Sincerely
Thomas
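To triage a report like the one above without reading rkhunter's shell code, the suspscan section of /var/log/rkhunter.log can be parsed directly: pull out the configured threshold, every "File checked" score and the "File ignored" entries, then check whether any logged score actually reaches the threshold when the section ends in a warning. The following is an added example, not part of the original thread or of rkhunter itself; the log text is a constructed sample modelled on the excerpt in the post, the function names parse_suspscan and triage are hypothetical, and it follows the post's reading that a file trips the test at score >= threshold.

```python
import re

# Constructed sample modelled on the rkhunter.log excerpt quoted in the
# thread; file names and scores are illustrative, not a real log.
SAMPLE_LOG = """\
[06:27:59]   Performing check of files with suspicious contents
[06:27:59] Info: Starting test name 'suspscan'
[06:27:59]     Directories to check are: /tmp /var/tmp
[06:27:59]     Temporary directory to use: /dev/shm
[06:27:59]     Maximum file size to check (in bytes): 10240000
[06:27:59]     Score threshold is set to: 200
[06:29:20]     Checking directory: '/tmp'
[06:29:20]       File checked: Name: '/tmp/mysql-30seconds.png' Score: 10
[06:29:21]       File checked: Name: '/tmp/mysql-3day.png' Score: 31
[06:29:21]       File ignored: empty: '/tmp/#sql_365a_0.MYD'
[06:29:21]       File checked: Name: '/tmp/service.lock' Score: 0
[06:29:21]     Checking directory: '/var/tmp'
[06:29:21] Warning: Checking for files with suspicious contents [ Warning ]
"""

# Patterns for the suspscan log lines shown in the thread.
THRESHOLD_RE = re.compile(r"Score threshold is set to: (\d+)")
CHECKED_RE = re.compile(r"File checked: Name: '(?P<name>[^']*)' Score: (?P<score>\d+)")
IGNORED_RE = re.compile(r"File ignored: (?P<reason>[^:]+): '(?P<name>[^']*)'")
DIR_RE = re.compile(r"Checking directory: '(?P<dir>[^']*)'")
WARNING_RE = re.compile(r"Warning: Checking for files with suspicious contents")


def parse_suspscan(log_text):
    """Extract threshold, per-file scores, ignored files and the warning flag."""
    report = {"threshold": None, "checked": [], "ignored": [], "dirs": [], "warning": False}
    for line in log_text.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            report["threshold"] = int(m.group(1))
            continue
        m = CHECKED_RE.search(line)
        if m:
            report["checked"].append((m.group("name"), int(m.group("score"))))
            continue
        m = IGNORED_RE.search(line)
        if m:
            report["ignored"].append((m.group("name"), m.group("reason")))
            continue
        m = DIR_RE.search(line)
        if m:
            report["dirs"].append(m.group("dir"))
            continue
        if WARNING_RE.search(line):
            report["warning"] = True
    return report


def triage(report):
    """Decide whether the logged per-file scores account for the warning.

    Assumption of this example (taken from the post's wording, not verified
    against rkhunter's code): a file trips the test when score >= threshold.
    """
    thresh = report["threshold"]
    over = [name for name, score in report["checked"]
            if thresh is not None and score >= thresh]
    top = max((score for _, score in report["checked"]), default=0)
    # Highest-scoring files first: the candidates to inspect or whitelist.
    ranked = sorted(report["checked"], key=lambda item: item[1], reverse=True)
    return {
        "over_threshold": over,
        "highest_score": top,
        "ranked": ranked,
        # Warning raised but no logged score reaches the threshold: the
        # cause is not in the per-file scores, so look at the rest of the
        # section before changing the whitelist.
        "unexplained_by_scores": report["warning"] and not over,
    }


if __name__ == "__main__":
    result = triage(parse_suspscan(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports a warning with no file at or above the 200 threshold (highest score 31), which is exactly the situation in the post: the per-file scores do not explain the "[ Warning ]" line, so whitelisting more files in /tmp would not be the right next step.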

More information about the forensics-devel mailing list