On Fri, 17 Aug 2012 16:44:32 CEST, NoOp wrote:
> ...
> And from Fedora 17 (rpm) LO3.6:
>
> $ lsof -U | grep soffice
> soffice.b 30094 gg 6u unix 0xf4440b40 0t0 116738 socket
> soffice.b 30094 gg 10u unix 0xf4441d40 0t0 116742 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
> soffice.b 30094 gg 27u unix 0xf44406c0 0t0 116776 socket
> soffice.b 30094 gg 28u unix 0xf4441680 0t0 116778 socket
> soffice.b 30094 gg 33u unix 0xdb205680 0t0 116782 socket
>
> $ rkhunter --version
> Rootkit Hunter 1.4.0
>
> No warnings regarding anything 'soffice' in the rkhunter logs.
Thanks for your input. Can you confirm that this command doesn't produce any result related to LibreOffice:

rkhunter --enable packet_cap_apps --report-warnings-only

After investigating a bit more, and running rkhunter in debug mode, here is what I found: rkhunter searches for the inodes listed in /proc/net/packet and then searches for these inodes in the output of lsof (to get the command which created the process). But this second search is a simple grep, and can match something other than a PID. In my case, I get:

$ cat /proc/net/packet
sk               RefCnt Type Proto Iface R Rmem User Inode
ffff8100bdbe0c00 3      3    0003  2     1 0    0    8374

This is probably dhclient, but I need to confirm it.

$ lsof -lMnPw -d 1-20 | egrep 8374    # this is the command used by rkhunter
soffice.b 15012 1058 15r REG 8,2 8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res

Here, the inode found in /proc/net/packet matches the size of ofaen-US.res, not its inode!

The relevant part of the debug logs produced by rkhunter is:

[snip]
+ INODE_LIST=
++ egrep -v '^sk|888e' /proc/net/packet
++ awk '{ print $9 }'
+ for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print $9 }'\''`'
+ INODE_LIST='|8374'
++ echo '|8374'
++ sed -e 's/^|//'
+ INODE_LIST=8374
[snip]
+ for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep "[ ](${INODE_LIST})[ ]" | awk '\''{ print $2 }'\''`'
+ NAME=
+ '[' -h /proc/15012/exe -a 1 -eq 1 ']'
++ /usr/bin/readlink -f /proc/15012/exe
++ cut '-d ' -f1
+ NAME=/opt/libreoffice3.6/program/soffice.bin
+ test -z /opt/libreoffice3.6/program/soffice.bin
+ AMATCH=1
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
+ '[' 1 -eq 0 ']'
+ FOUND=1
+ BLACKPROC=' /opt/libreoffice3.6/program/soffice.bin 15012'
[snip]
I'll contact the authors of rkhunter to get confirmation, and hopefully correction, of this problem.

Thanks again for helping to clarify the situation,

--
Philippe Naudin
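The matching mistake traced above, shown in working form as an added example. This script is not rkhunter's code and was not part of the thread; it reproduces the "[ ](INODE)[ ]" grep for comparison, then does the same lookup two ways that cannot match a file size: restricting the lsof match to rows whose TYPE is "pack" and whose DEVICE or NODE column carries the inode (an assumption about lsof's packet-socket layout; the dhclient row in the sample is constructed), and, without lsof at all, reading the "socket:[INODE]" targets of /proc/PID/fd symlinks. The /proc/net/packet header and the soffice.b row are the ones quoted above; the allowlist entries are the three paths seen in the debug trace.

```shell
#!/bin/sh
# Added example, not rkhunter's code: resolve packet-socket inodes from
# /proc/net/packet to their owning processes without matching a bare number
# anywhere in lsof output. In the trace above, "[ ](8374)[ ]" hit the SIZE/OFF
# column of a regular file held open by soffice.bin (size 8374 bytes).
# Assumption: lsof prints packet sockets with TYPE "pack" and the socket inode
# in the DEVICE ($6) or NODE ($8) column. The dhclient sample row is constructed.

# Socket inodes from /proc/net/packet-format text on stdin: skip the header
# row and, as rkhunter does, sockets bound to EtherType 888e (EAPOL).
packet_inodes() {
    awk 'NR > 1 && $4 != "888e" { print $9 }'
}

# rkhunter 1.4.0's selection, reproduced for comparison: any row where the
# inode appears as a whitespace-delimited field, in whatever column.
naive_pids_for_inode() {
    grep -E "[ ]($1)[ ]" | awk '{ print $2 }'
}

# Column-aware selection on the same lsof -lMnPw output: only "pack" rows, and
# only if the number sits in DEVICE or NODE, so a file's SIZE/OFF never matches.
lsof_pids_for_inode() {
    awk -v ino="$1" '$5 == "pack" && ($6 == ino || $8 == ino) { print $2 }'
}

# No lsof at all: a socket's /proc/PID/fd/N symlink reads "socket:[INODE]".
procfs_pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# PID to executable path, the way the debug trace resolves NAME.
exe_of_pid() {
    readlink -f "/proc/$1/exe" 2>/dev/null | cut -d ' ' -f1
}

# Compare an executable against the allowlist (ALLOWPROCLISTENERS in the trace).
# Prints "allowed" or "unexpected".
classify_exe() {
    exe=$1; shift
    for allowed in "$@"; do
        if [ "$exe" = "$allowed" ]; then echo allowed; return 0; fi
    done
    echo unexpected
}

# Constructed sample data: the /proc/net/packet and lsof rows quoted in the
# thread, plus one made-up dhclient row in lsof's packet-socket layout.
sample_packet_table() {
    printf '%s\n' \
        'sk RefCnt Type Proto Iface R Rmem User Inode' \
        'ffff8100bdbe0c00 3 3 0003 2 1 0 0 8374'
}
sample_lsof_output() {
    printf '%s\n' \
        'soffice.b 15012 1058 15r REG 8,2 8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res' \
        'dhclient 1234 0 5u pack 8374 0t0 ALL type=SOCK_RAW'
}

# Live check on the running system (needs root to read other users' fds).
live_check() {
    for ino in $(packet_inodes < /proc/net/packet); do
        for pid in $(procfs_pids_for_inode "$ino"); do
            exe=$(exe_of_pid "$pid")
            printf 'inode %s pid %s exe %s: %s\n' "$ino" "$pid" "$exe" \
                "$(classify_exe "$exe" /sbin/dhclient /usr/bin/dhcpcd /usr/sbin/dhcpd)"
        done
    done
}

# Demo on the constructed sample: the naive grep blames both PIDs, the
# column-aware match blames only the packet socket's owner.
for ino in $(sample_packet_table | packet_inodes); do
    echo "naive:  $(sample_lsof_output | naive_pids_for_inode "$ino" | tr '\n' ' ')"
    echo "strict: $(sample_lsof_output | lsof_pids_for_inode "$ino" | tr '\n' ' ')"
done
```

Run it as-is to see the two selections side by side on the sample; call live_check as root to perform the actual test against /proc. The /proc walk is the more robust of the two fixes, since it does not depend on lsof's column layout at all.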