Bug#704816: rkhunter: Spurious hidden processes warning with new (20121229) C unhide program

Jacek Politowski jp at jp.pl.eu.org
Sat Apr 6 09:21:46 UTC 2013

Package: rkhunter
Version: 1.4.0-3
Severity: normal
Tags: patch, upstream

Dear Maintainer,

When rkhunter uses C unhide program (e.g. with option DISABLE_UNHIDE=0) daily
cron job generates spurious warning about found hidden processes:

Warning: Hidden processes found:
         Copyright © 2012 Yago Jesus & Patrick Gouin
         License GPLv3+ : GNU GPL version 3 or later
         NOTE : This version of unhide is for systems using Linux >= 2.6
         Used options:

This happens due to changes in unhide's output format/data in new version of
the program (20121229).

I'm attaching my patch (using reportbug's "--attach" option), which leaves
parsing of old format for versions lower than 20121229 and introduces changes
for versions >= 20121229.

Changes seem to work on my system (at least when there are no hidden processes
actually found).

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')

Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages rkhunter recommends:
ii  unhide                                     20121229-1

-- Configuration Files:
/etc/default/rkhunter changed [not included]
/etc/rkhunter.conf changed [not included]

-- debsums errors found:
debsums: changed file /usr/bin/rkhunter (from rkhunter package)

Jacek Politowski
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rkhunter-unhide_output.patch
Type: text/x-diff
Size: 840 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20130406/c58ff618/attachment.patch>

More information about the forensics-devel mailing list