Hi,

> On Tue, 2008-12-09 at 16:29 -0800, Geoffrey Leach wrote:
> > With the installation of rkhunter-1.3.2-5.fc10.noarch, my Daily Run
> > email is being sent as a VDHL document (text/x-vdhl). I can't discover
> > where this is being generated. A pointer would be appreciated. (BTW,
> > this is not the WARNING mail)
> >
> Since RKH has no 'daily run' as such itself, I can only assume that the
> mail message is being generated via cron (the fedora package having
> created such a job). So you could look in the /etc/cron.daily directory
> for the job running rkhunter and see if that is doing something odd.
> However, both rkhunter and (as far as I know) cron simply use the 'mail'
> command and would not do anything fancy such as creating attachments,
> let alone x-vdhl whatever that is.

I also use the Fedora (epel) rkhunter version, it's just easier to manage
but I also get that daily email which looks weird.

The package I use in SL4 is:

# rpm -qi rkhunter
Name        : rkhunter                     Relocations: (not relocatable)
Version     : 1.3.2                             Vendor: Fedora Project <http://bugzilla.redhat.com/bugzilla>
Release     : 4.el4                         Build Date: Wed 18 Jun 2008 05:25:06 EST
Install Date: Tue 05 Aug 2008 16:42:15 EST  Build Host: ppc2.fedora.redhat.com
Group       : Applications/System           Source RPM: rkhunter-1.3.2-4.el4.src.rpm
Size        : 795506                           License: GPLv2+
Signature   : DSA/SHA1, Thu 19 Jun 2008 08:24:17 EST, Key ID 119cc036217521f6
Packager    : Fedora Project <http://bugzilla.redhat.com/bugzilla>
URL         : http://rkhunter.sourceforge.net/
Summary     : A host-based tool to scan for rootkits, backdoors and local exploits
Description :
Rootkit Hunter (RKH) is an easy-to-use tool which checks
computers running UNIX (clones) for the presence of rootkits
and other unwanted tools.

and the script Fedora use is:

# cat /etc/cron.daily/rkhunter
#!/bin/sh
# 01-rkhunter  A shell script to update and run rkhunter via CRON

XITVAL=0

# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/run/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1

if [ ! -e /var/lock/subsys/rkhunter ]; then

  # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
  /bin/touch /var/lock/subsys/rkhunter

  # Source system configuration parameters.
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    [EMAIL PROTECTED]
  fi

  # If a diagnostic mode scan was requested, setup the parameters
  if [ "$DIAG_SCAN" == "yes" ]; then
    RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
  else
    RKHUNTER_FLAGS="--cronjob --report-warnings-only"
  fi

  # Set a few critical parameters
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter/rkhunter.log

  # Run RootKit Hunter if available
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
      > $TMPFILE1
    /bin/nice -n 10 $RKHUNTER --update 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
      >> $TMPFILE1

    if [ $XITVAL != 0 ]; then
      /bin/cat $TMPFILE1 | /bin/mail -s 'rkhunter Daily Run' $MAILTO
    fi
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi

  # Delete the gating lockfile
  /bin/rm -f /var/lock/subsys/rkhunter
fi

# Delete the secure tempfile
/bin/rm -f $TMPFILE1

exit $XITVAL

I can't see anything there which makes the daily output email look like
that, even though it does.

Regards,
Michael.

> John.
>
> --
> ---------------------------------------------------------------
> John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
> E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 587001
>
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to
> help pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Rkhunter-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
------- End of Original Message -------
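An added example, not part of the original messages or of the Fedora package: when checking what the cron job really hands to /bin/mail, note that the script's rkhunter lines use `2>&1 >> $TMPFILE1`, and the shell applies redirections left to right, so stderr goes to the job's own stdout instead of the temp file. The sketch replays that assembly with a constructed stand-in command (`fake_scan`, shortened banner lines and the helper names are assumptions) and also counts bytes outside printable ASCII, one thing to rule out when a plain `mail` message shows up with an unexpected type.

```sh
#!/bin/sh
# Added example: replays how the cron script assembles its mail body, without
# sending mail. fake_scan is a constructed stand-in for rkhunter that writes
# one line to stdout and one to stderr and exits non-zero.
fake_scan() {
    echo "Warning: constructed stdout line"
    echo "constructed stderr line" >&2
    return 1
}

# build_body ORDER FILE
#   as_written: cmd 2>&1 >> FILE   (the order used in the cron script)
#   swapped:    cmd >> FILE 2>&1   (both streams end up in FILE)
build_body() {
    order=$1 out=$2
    printf '\n--- Start Rootkit Hunter Scan ---\n' > "$out"
    if [ "$order" = as_written ]; then
        fake_scan 2>&1 >> "$out"
    else
        fake_scan >> "$out" 2>&1
    fi
    rc=$?
    printf '\n--- End Rootkit Hunter Scan ---\n' >> "$out"
    return $rc
}

# Prints yes if the stderr line reached FILE, else no.
stderr_captured() {
    if grep -q 'constructed stderr line' "$1"; then echo yes; else echo no; fi
}

# Counts bytes in FILE that are not printable ASCII, tab or newline.
count_odd_bytes() {
    LC_ALL=C tr -d '\11\12\40-\176' < "$1" | wc -c | tr -d ' '
}

# Demo: in the as_written case the stderr line escapes to this script's stdout.
demo_dir=$(mktemp -d)
for o in as_written swapped; do
    build_body "$o" "$demo_dir/$o"
    echo "$o: stderr in body=$(stderr_captured "$demo_dir/$o")" \
         "odd bytes=$(count_odd_bytes "$demo_dir/$o")"
done
rm -rf "$demo_dir"
```

To inspect a real run, point `count_odd_bytes` at a saved copy of the body the job produced.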
