Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tuesday 05 January 2010, Gene Heskett wrote:
> On Tuesday 05 January 2010, Kevin Fenzi wrote:
>> On Tue, 05 Jan 2010 19:57:20 -0500
>> Gene Heskett wrote:
>>> When I asked about it Kevin, F10 was under active support for another
>>> 2 or 3 months, now it is not, so why waste our time? I built
>>> rkhunter from the latest tarball, and that still didn't fix it.
>>
>> Well, I am just trying to find out where you "asked about it".
>>
>> I would have been happy to try and address it in a bug.
>> If it was on this list, then I missed it, and would suggest you file
>> issues as bugs to make sure I see them.
>>
>> Thanks,
>>
>> kevin
>
> TBT Kevin, I didn't think it was fedora's bug, and a message to the author
> in the docs of this tarball, bounced with a no permissions message.

Update to this discussion: It _was_ my own damned fault. I was running the copy in /usr/local/bin, version 1.3.6, when I ran it by hand cuz /usr/local/bin is earlier in my $PATH, but the script in /etc/cron.daily was hard coded to run the older one, version 1.3.4, in /usr/bin. Fixed, and so is my complaint.

My apologies for the noise on the list.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Weinberg's Second Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
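The mismatch Gene describes, a cron script hard-coded to /usr/bin/rkhunter while $PATH resolves to a newer copy in /usr/local/bin, can be checked for mechanically. Added example, not from the thread or from rkhunter: a POSIX sh check that compares the rkhunter path named in a cron.daily script with the one `command -v` resolves; the /etc/cron.daily location and the `--cronjob` invocation style are assumptions about how the job is set up.

```shell
#!/bin/sh
# Added example, not part of the thread or of rkhunter itself.
# The nightly job and the interactive run can execute different rkhunter
# binaries when the cron script hard-codes a path that $PATH no longer
# resolves to first. These helpers make that mismatch visible.

# Print the first absolute rkhunter path mentioned in a cron script
# (e.g. "/usr/bin/rkhunter" from "/usr/bin/rkhunter --cronjob").
cron_rkhunter_path() {
    grep -oE '(/[^[:space:]/"]+)+/rkhunter' "$1" | head -n 1
}

# Succeed only if the cron script and $PATH agree on which binary runs.
cron_binary_matches_path() {
    cron_bin=$(cron_rkhunter_path "$1")
    path_bin=$(command -v rkhunter 2>/dev/null || true)
    [ -n "$cron_bin" ] && [ -n "$path_bin" ] && [ "$cron_bin" = "$path_bin" ]
}

# Live use (assumed location): check every cron.daily script that runs rkhunter.
for script in /etc/cron.daily/*; do
    [ -f "$script" ] || continue
    bin=$(cron_rkhunter_path "$script") || true
    [ -n "$bin" ] || continue
    if cron_binary_matches_path "$script"; then
        echo "ok: $script runs $bin"
    else
        echo "MISMATCH: $script runs $bin but PATH resolves $(command -v rkhunter)"
    fi
done
```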
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tue, 2010-01-05 at 18:31 -0500, Gene Heskett wrote:
> On Tuesday 05 January 2010, John Horne wrote:
>> On Tue, 2010-01-05 at 11:35 -1000, David Burns wrote:
>>> On Tue, Jan 5, 2010 at 7:46 AM, Frank Murphy (Frankly3D) wrote:
>>>> This is a false positive.
>>>
>>> rkhunter gave me so many false positives I stopped using it. This is
>>> probably as much (or more) a comment on my character as it is on the
>>> value of rkhunter.
>>
>> Specific tests in RKH can be disabled, and false-positives whitelisted.
>>
>> John.
>
> _Most_ of the time. Despite some people including me, asking about
> /usr/sbin/unhide, one of fedora's forensic tools if I read the manpage
> correctly, no one has managed to come up with a way to add that file to the
> rkhunter database as a legit file. So we get at least 2 emails a day mewling
> about it. More trouble than it's worth if it isn't going to be supported any
> better than that.

I'm not quite sure what you mean by 'add that file to the rkhunter database as a legit file'? You mean it is failing the file properties test? If you email me the error you are getting then I'll take a look at it.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tuesday 05 January 2010, Kevin Fenzi wrote:
> On Tue, 05 Jan 2010 19:57:20 -0500
> Gene Heskett wrote:
>> When I asked about it Kevin, F10 was under active support for another
>> 2 or 3 months, now it is not, so why waste our time? I built
>> rkhunter from the latest tarball, and that still didn't fix it.
>
> Well, I am just trying to find out where you "asked about it".
>
> I would have been happy to try and address it in a bug.
> If it was on this list, then I missed it, and would suggest you file
> issues as bugs to make sure I see them.
>
> Thanks,
>
> kevin

TBT Kevin, I didn't think it was fedora's bug, and a message to the author in the docs of this tarball, bounced with a no permissions message.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
River: "Put a bullet to me. Bullet in the brainpan, squish." --"Serenity"
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tue, 05 Jan 2010 19:57:20 -0500
Gene Heskett wrote:
> When I asked about it Kevin, F10 was under active support for another
> 2 or 3 months, now it is not, so why waste our time? I built
> rkhunter from the latest tarball, and that still didn't fix it.

Well, I am just trying to find out where you "asked about it".

I would have been happy to try and address it in a bug.
If it was on this list, then I missed it, and would suggest you file
issues as bugs to make sure I see them.

Thanks,

kevin
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tuesday 05 January 2010, Kevin Fenzi wrote:
> On Tue, 05 Jan 2010 18:31:30 -0500
> Gene Heskett wrote:
>> _Most_ of the time. Despite some people including me, asking about
>> /usr/sbin/unhide, one of fedora's forensic tools if I read the
>> manpage correctly, no one has managed to come up with a way to add
>> that file to the rkhunter database as a legit file. So we get at
>> least 2 emails a day mewling about it. More trouble than it's worth
>> if it isn't going to be supported any better than that.
>
> "asking about"?
>
> I don't see a bug in bugzilla on it
>
> can you file one and attach the message you get to it?
>
> kevin

When I asked about it Kevin, F10 was under active support for another 2 or 3 months, now it is not, so why waste our time? I built rkhunter from the latest tarball, and that still didn't fix it.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q: Why did the programmer call his mother long distance?
A: Because that was her name.
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tue, 05 Jan 2010 18:31:30 -0500
Gene Heskett wrote:
> _Most_ of the time. Despite some people including me, asking about
> /usr/sbin/unhide, one of fedora's forensic tools if I read the
> manpage correctly, no one has managed to come up with a way to add
> that file to the rkhunter database as a legit file. So we get at
> least 2 emails a day mewling about it. More trouble than it's worth
> if it isn't going to be supported any better than that.

"asking about"?

I don't see a bug in bugzilla on it

can you file one and attach the message you get to it?

kevin
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tuesday 05 January 2010, John Horne wrote:
> On Tue, 2010-01-05 at 11:35 -1000, David Burns wrote:
>> On Tue, Jan 5, 2010 at 7:46 AM, Frank Murphy (Frankly3D) wrote:
>>> This is a false positive.
>>
>> rkhunter gave me so many false positives I stopped using it. This is
>> probably as much (or more) a comment on my character as it is on the
>> value of rkhunter.
>
> Specific tests in RKH can be disabled, and false-positives whitelisted.
>
> John.

_Most_ of the time. Despite some people including me, asking about /usr/sbin/unhide, one of fedora's forensic tools if I read the manpage correctly, no one has managed to come up with a way to add that file to the rkhunter database as a legit file. So we get at least 2 emails a day mewling about it. More trouble than it's worth if it isn't going to be supported any better than that.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I can write better than anybody who can write faster, and I can write faster than anybody who can write better. -- A.J. Liebling
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tue, 2010-01-05 at 11:35 -1000, David Burns wrote:
> On Tue, Jan 5, 2010 at 7:46 AM, Frank Murphy (Frankly3D) wrote:
>> This is a false positive.
>
> rkhunter gave me so many false positives I stopped using it. This is
> probably as much (or more) a comment on my character as it is on the
> value of rkhunter.

Specific tests in RKH can be disabled, and false-positives whitelisted.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On Tue, Jan 5, 2010 at 7:46 AM, Frank Murphy (Frankly3D) wrote:
>> This is a false positive.

rkhunter gave me so many false positives I stopped using it. This is probably as much (or more) a comment on my character as it is on the value of rkhunter.

Dave
Re: F12 Rkhunter, Have I a rootkit? SOLVED
On 05/01/10 17:11, Kevin Fenzi wrote:
> On Tue, 05 Jan 2010 10:54:13 +
> "Frank Murphy (Frankly3D)" wrote:
>
>> -- Start Rootkit Hunter Scan --
>> Warning: Network TCP port 47107 is being used by /usr/lib64/thunderbird-3.0/thunderbird-bin. Possible rootkit: T0rn
>> Use the 'lsof -i' or 'netstat -an' command to check this.
>>
>> Results of 'lsof -i' and 'netstat -an'
>> http://fpaste.org/xOOO/
>
> This is a false positive.
>
> basically it saw that something was using port 47107, which is used by
> a known rootkit. It then printed a warning for you to check it.
>
> Likely thunderbird just happened to be using that transitory port when
> the check was run.
>
> If you re-run it now does it show ok?
>
> kevin

Just re-ran, showed no problems.

Thanks all.

--
Regards,
Frank Murphy
UTF_8 Encoded.
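The warning quoted above is a port-number collision: rkhunter flags port 47107 because T0rn is known to use it, and Thunderbird happened to hold that number as the local end of an outgoing connection. Added example, not part of the thread or of rkhunter: a POSIX sh filter over `netstat -an` output that tells a socket listening on the flagged port apart from a transient client-side port inside the kernel's ephemeral range; the sample netstat lines, the 192.0.2.25:993 peer and the 32768 to 61000 range are constructed.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. rkhunter warns when any socket
# uses a port it associates with a known rootkit (47107 for T0rn). A
# client's outgoing connection can land on that number by chance, because
# the kernel assigns local ports from its ephemeral range. This classifies
# a flagged port as a LISTEN socket (investigate further) or a transient
# client-side port (the false positive in the thread).

# Ephemeral range from the running kernel, with a constructed fallback.
ephemeral_range() {
    cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "32768 61000"
}

# Usage: netstat -an | classify_port PORT LOW HIGH
# Prints LISTENING, EPHEMERAL_CLIENT, NON_EPHEMERAL_CONNECTION or NOT_FOUND.
classify_port() {
    awk -v port="$1" -v low="$2" -v high="$3" '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); lport = a[n]   # local port follows the last colon
            if (lport != port) next
            if ($NF == "LISTEN") listening = 1; else connected = 1
        }
        END {
            if (listening)                                     print "LISTENING"
            else if (connected && port >= low && port <= high) print "EPHEMERAL_CLIENT"
            else if (connected)                                print "NON_EPHEMERAL_CONNECTION"
            else                                               print "NOT_FOUND"
        }'
}

# Constructed sample: Thunderbird holding an IMAPS connection whose local
# port happens to be 47107, the situation Kevin describes above.
SAMPLE_THUNDERBIRD='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:47107      192.0.2.25:993          ESTABLISHED'

# Constructed sample: something actually listening on 47107, which would
# deserve a closer look with lsof -i or ss -p.
SAMPLE_LISTENER='tcp        0      0 0.0.0.0:47107           0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE_THUNDERBIRD" | classify_port 47107 32768 61000   # EPHEMERAL_CLIENT
printf '%s\n' "$SAMPLE_LISTENER"    | classify_port 47107 32768 61000   # LISTENING
# Live use: netstat -an | classify_port 47107 $(ephemeral_range)
```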