Hello Michael,

On Sat, 27 Nov 2010 06:19:34 +0100
mistige de onwaarschijnlijke <mist...@gmail.com> wrote:

>rkhunter did make sure there was no known rootkit there, so that was nice to know.
>Still, it was running the malware all the while from somewhere.

Please be aware Rootkit Hunter is a post-op passive tool. Running RKH is no replacement for machine and service hardening and regular auditing.

>There was no stuff in /tmp and /var/tmp where people like to stash their malware either.
>However, by checking ps, lsof and netstat, I found an infection in directory [/dev/shm/ /fs], so a spaces subdirectory in tmpfs.
>
>rkhunter does not check in /tmp, /var/tmp and /dev/shm for malware

Have a look at the 'suspscan' feature (configuration file, documentation). Suspscan may be a kludge (disabled by default) and certainly a performance drain but it does detect suspect items in directories you configure.

Best regards, unSpawn
---
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
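A check for the kind of whitespace-named tmpfs directory described in the quoted report, as an added example that is not part of rkhunter or of the original message. The function name `scan_volatile` and the `ODDDIR`/`EXEC` output labels are made up for this example; it assumes a `find` that supports `-xdev` and `-exec ... {} +`.

```shell
#!/bin/sh
# Added example; not part of rkhunter. Sample roots: /tmp /var/tmp /dev/shm.
# Lists (1) directories whose names are easy to miss in `ls` output and
# (2) executable regular files, below each root given as an argument.
# Paths are printed in [brackets] so whitespace in them stays visible.

scan_volatile() {
    for root in "$@"; do
        [ -d "$root" ] || continue

        # (1) Names made only of whitespace and dots (" ", "..."), or with
        # leading/trailing whitespace. Ordinary dot-directories such as
        # .X11-unix are not flagged, to keep the output short.
        find "$root" -xdev -type d -exec sh -c '
            for d in "$@"; do
                name=${d##*/}
                case $name in
                    "") continue ;;                  # root given with a trailing slash
                    [[:space:]]*|*[[:space:]]) ;;    # leading or trailing whitespace
                    *[![:space:].]*) continue ;;     # contains an ordinary character
                esac
                printf "ODDDIR [%s]\n" "$d"
            done' sh {} +

        # (2) Regular files with any execute bit set.
        find "$root" -xdev -type f \
            \( -perm -100 -o -perm -010 -o -perm -001 \) -exec sh -c '
            for f in "$@"; do printf "EXEC   [%s]\n" "$f"; done' sh {} +
    done
}

# Run only when roots are passed, e.g.: sh scan.sh /tmp /var/tmp /dev/shm
[ "$#" -eq 0 ] || scan_volatile "$@"
```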