Hello list! I'm suspicious about one of my Debian lenny machines. An rkhunter scan output several file sha1 hash mismatches (and only that), and there was also some strange behaviour (lost python modules), so my paranoia fired up a few hours ago.
Now I have resolved the rkhunter output (there were updates), and also resolved the python problem (long day, my personal user error), but one question is still bugging me. When I use `unhide proc` or `unhide sys` it outputs some PIDs, different every time, even in single mode! unhide-tcp shows no unusual network ports, and a full nmap scan from another clean machine and also tcpdumping all packets from the switch confirm that everything is ok. A chkrootkit check also found nothing unusual. But what's up with unhide? `unhide brute` shows _no_ PIDs though.

Debian version is Lenny
Unhide version is 20071102-2
System is dual core (maybe there's a clue?)
Kernel version is 2.6.24.2 (vm disabled ;-)
Everything is up to date.

May these PIDs be just pieces of unhide itself? Is it normal? On my other PIDs are ranging from 30000+, i.e. they look like normal numbers for newly started processes now. I'll provide any additional info if needed.

Also, is there some way to check md5/sha1 hashes for all files in installed packages? I can craft a script, but haven't found a list of individual file sums on the official Debian servers (only sums of packages).

regards, if
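On the unhide question: `unhide sys` compares what the kernel answers through syscalls (kill(2) with signal 0 and friends) against what /proc shows, and a process that starts or exits between those two views shows up as a one-off "hidden" PID, which is what a different set of PIDs on every run looks like. The script below is an added example, not part of the original post and not part of unhide: it takes the PIDs unhide printed and asks the kernel about each one again, treating only a PID that is alive but absent from /proc on two consecutive looks as worth investigating. It assumes it is run as root (as unhide is), so that `kill -0` fails only with ESRCH and not EPERM, and the trailing demo uses a constructed helper process rather than real unhide output.

```shell
#!/bin/sh
# Added example (not from the original post, not unhide's own code).
# Re-check PIDs reported by `unhide proc` / `unhide sys`. Assumption: a PID
# is interesting only while the kernel still answers for it (kill -0
# succeeds) but /proc has no entry for it; a PID the kernel no longer knows
# belonged to a process that exited between unhide's two views (a race).
# Run as root, like unhide, so kill -0 does not fail with EPERM on other
# users' processes.

# classify_pid PID -> prints one of: visible, hidden, gone
classify_pid() {
    if kill -0 "$1" 2>/dev/null; then
        if [ -d "/proc/$1" ]; then
            echo visible      # normal: kernel and /proc agree
        else
            echo hidden       # alive but filtered out of /proc: investigate
        fi
    else
        if [ -d "/proc/$1" ]; then
            echo visible      # kill failed with EPERM (not root), /proc has it
        else
            echo gone         # ESRCH: a transient process, not a hidden one
        fi
    fi
}

# recheck_pids PID... -> one "PID status" line per argument, after a second
# look a moment later so a process in the middle of exiting is not mistaken
# for a hidden one. Returns 1 if any PID is still "hidden".
recheck_pids() {
    rc=0
    for p in "$@"; do
        first=$(classify_pid "$p")
        sleep 1
        second=$(classify_pid "$p")
        if [ "$first" = hidden ] && [ "$second" = hidden ]; then
            status=hidden; rc=1
        elif [ "$first" = gone ] || [ "$second" = gone ]; then
            status=gone
        else
            status=visible
        fi
        echo "$p $status"
    done
    return $rc
}

# Usage: paste the PIDs unhide printed, e.g.  recheck_pids 31507 31509 31522
# Constructed demo: our own PID must be "visible"; the PID of a helper that
# has already been killed and reaped must be "gone".
sleep 30 &
helper=$!
kill "$helper"
wait "$helper" 2>/dev/null || true
recheck_pids $$ "$helper"
```

A PID that comes back "gone" is the race described above and nothing to chase; a PID that stays "hidden" across both looks (kill -0 succeeds, /proc/PID missing) is the pattern a /proc-filtering rootkit produces and deserves a look with `ls -l /proc/PID/exe` from a known-good shell. Note that `unhide brute`, which showed nothing here, tests by trying to create processes in every PID slot rather than by comparing two snapshots, so it is far less exposed to this race.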
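On the per-file checksum question: Debian does ship them, just not on the mirrors as a separate list. When a package includes an md5sums control file, dpkg unpacks it to /var/lib/dpkg/info/<package>.md5sums, one `<md5>  <path relative to />` line per installed file, and the `debsums` package does exactly the comparison below. The script here is an added example, not part of the original post and not debsums itself: the same check written in plain sh, with the info directory and root passed as parameters so the constructed demo at the bottom runs offline and so the function can also be pointed at a mounted copy of a suspect disk.

```shell
#!/bin/sh
# Added example (not from the original post, not debsums' code).
# Verify installed files against dpkg's per-package md5sums lists.
# Real use:  verify_md5sums /var/lib/dpkg/info /

# verify_md5sums INFO_DIR ROOT
# Prints "<pkg> CHANGED <path>" or "<pkg> MISSING <path>" per problem;
# returns 0 when every listed file matches, 1 otherwise.
verify_md5sums() {
    info_dir=$1
    root=$2
    bad=0
    for list in "$info_dir"/*.md5sums; do
        [ -f "$list" ] || continue           # no package lists at all
        pkg=$(basename "$list" .md5sums)
        while read -r want path; do          # format: "<md5>  <path>"
            [ -n "$path" ] || continue       # skip blank lines
            f="$root/$path"
            if [ ! -f "$f" ]; then
                echo "$pkg MISSING /$path"
                bad=1
                continue
            fi
            have=$(md5sum "$f" | cut -d' ' -f1)
            if [ "$have" != "$want" ]; then
                echo "$pkg CHANGED /$path"
                bad=1
            fi
        done < "$list"
    done
    return $bad
}

# make_demo DIR: constructed data, not a real dpkg database. Builds a fake
# info dir with two packages and a fake root in which one file of package
# "bad" has been altered after install and another has been deleted.
make_demo() {
    d=$1
    mkdir -p "$d/info" "$d/root/usr/bin" "$d/root/usr/lib/python2.5"
    printf 'clean binary\n'    > "$d/root/usr/bin/clean"
    printf 'trojaned binary\n' > "$d/root/usr/bin/ls"
    # package "good": its only file is untouched, so record its real hash
    printf '%s  usr/bin/clean\n' \
        "$(md5sum "$d/root/usr/bin/clean" | cut -d' ' -f1)" > "$d/info/good.md5sums"
    # package "bad": hash of the original ls, plus a file that is now missing
    printf '%s  usr/bin/ls\n' \
        "$(printf 'original binary\n' | md5sum | cut -d' ' -f1)" > "$d/info/bad.md5sums"
    printf 'd41d8cd98f00b204e9800998ecf8427e  usr/lib/python2.5/os.py\n' >> "$d/info/bad.md5sums"
}

demo=$(mktemp -d)
make_demo "$demo"
verify_md5sums "$demo/info" "$demo/root" || echo "mismatches found, see above"
rm -rf "$demo"
```

Two caveats a practitioner would add. Conffiles are not in the md5sums lists (their checksums are recorded in /var/lib/dpkg/status instead), so edited files under /etc will not show up here, and packages built without an md5sums file are simply skipped. More importantly, the lists live on the same disk as the binaries, so anything able to replace /bin/ls can also rewrite ls's line in coreutils.md5sums; on a box you genuinely distrust, fetch the .deb files again from a mirror, unpack them with `dpkg-deb -x` into a scratch directory, and compare against that rather than against the local lists.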