On Sat, 2010-04-10 at 12:27 +0200, Markus Malkusch wrote:
> unsp...@hushmail.com:
> > <mar...@malkusch.de> wrote:
> >
> >> Might it be possible that rkhunter would even alert if somebody
> >> would talk to my smbd with the source port 2006?
> >
> > I don't remember changes between 1.3.4 and 1.3.6 (current) but in
> > the latter, checking /path/to/rkhunter around line 8504, will show
> > RKH only looks at connections using the port on the local host.
>
> I still didn't figure out the reason for this warning. There might be a
> rootkit, which I still didn't discover.
>
> Might it also be possible that rkh would alert if the smbd process itself
> acts as a client with a connection to another server where the arbitrary
> local port might be the port 2006? This would be a false positive. RKH
> should only alert on connections in the LISTEN state.
>

This was fixed in 1.3.6. However, it is possible to still get
false-positives. Look in the config file to see about whitelisting.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
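
The distinction discussed in this thread, as an added example that is not part of the original messages and is not rkhunter's own code: a suspect port is reported only when a socket is in the LISTEN state on it, so a connection that merely has 2006 as its local or remote port is ignored. The helper name `listeners_on_port` and the netstat-style sample lines are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not rkhunter's logic): print the local addresses of
# TCP sockets that are LISTENing on the given port.
# Input on stdin: `netstat -tan` style lines with the columns
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
listeners_on_port() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port follows the last ":" of the local address, which
            # covers IPv4 ("0.0.0.0:2006") and IPv6 (":::2006") forms.
            n = split($4, parts, ":")
            if (parts[n] == port) print $4
        }'
}

# Constructed sample 1: no listener on 2006. One connection is outbound
# with 2006 as its ephemeral local port (the smbd-as-client case), one is
# inbound from a peer whose source port is 2006.
sample_client='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:2006 192.0.2.20:445 ESTABLISHED
tcp 0 0 192.0.2.10:445 192.0.2.30:2006 ESTABLISHED'

# Constructed sample 2: something really is listening on 2006.
sample_listener='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:2006 192.0.2.20:445 ESTABLISHED'

printf '%s\n' "$sample_client"   | listeners_on_port 2006   # prints nothing
printf '%s\n' "$sample_listener" | listeners_on_port 2006   # prints 0.0.0.0:2006
```

On a live Linux host the same function can be fed from `netstat -tan | listeners_on_port 2006`.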