similar to: question about unhide / transitory process

2006 Feb 18
0
Does your rkhunter do an md5 check?
I rebuilt rkhunter-1.2.8-1.noarch.rpm by using the spec and tgz from the rkhunter site (www.rootkit.nl). (I rebuilt it using his instructions.) However rkhunter does not do an md5 check. The box used to have fedora and each time there were updates it would complain that some of the md5's don't match. I contacted the author using his contact feature on Wednesday but he hasn't
2017 Nov 06
0
How to detect botnet user on the server ?
On 11/06/2017 07:06 AM, marcos valentine wrote: > Hello guys, > > > What is the best way to identify a possible user using a botnet with php > in the server? And if he is using GET commands for example in other server. > > Does apache log outbound connections? > > If it is using a file that is not malicious the clam av would not identify. This sounds like a good
2005 May 12
1
Do I have an infected init file?
Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2009 Jan 26
1
I may have been rooted - but I may not!?
Morning, I am going to treat this as a rooted box and reinstall from scratch, but any thoughts appreciated: This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5 SMP The phone system stopped working but this was traced to a configuration error with a replacement switch (it did not get added to the vlan properly), which meant that Trixbox could not see any DNS servers and
2018 Dec 31
0
--partial does not "unhide" the files
I can't say I have any idea why rsync would just skip that step and I can't duplicate it myself. Your only recourse might be to use --inplace on that system. On 12/31/18 12:33 PM, Heiko Schlittermann via rsync wrote: > Kevin Korb via rsync <rsync at lists.samba.org> (So 30 Dez 2018 23:56:44 CET): >> I think --partial might be a red herring here. It only applies to what
2006 Oct 30
2
Problem rkhunter v. 1.2.8 - CENTOS 4
Dear Friends, I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version 1.2.8, but the rkhunter program shows me a problem on file /bin/kill. I compared the file /bin/kill with another CENTOS 4 and it has the same size. ====================== SHOW LOG =========================== Rootkit Hunter 1.2.8 is running Mon, 30 Oct 2006 12:56:44 -0200 Determining OS... Ready Checking binaries *
2018 Dec 30
0
--partial does not "unhide" the files
I think --partial might be a red herring here. It only applies to what happens when rsync is aborted in the middle of a file. What happens without -P? Also, it is worth trying with --inplace. On 12/30/18 5:32 PM, Heiko Schlittermann via rsync wrote: > Hi, > > I used --partial to transfer files from my local computer (rsync 3.1.2, > Debian) to a remote computer (rsync 3.1.1 WD
2003 Oct 19
1
jail + devfs + snp problem (FreeBSD 5.1-RELEASE-p10)
shell# /sbin/devfs rule -s 2 delset shell# /sbin/devfs rule -s 2 add hide shell# /sbin/devfs rule -s 2 add path random unhide shell# /sbin/devfs rule -s 2 add path urandom unhide shell# /sbin/devfs rule -s 2 add path zero unhide shell# /sbin/devfs rule -s 2 add path pty\* unhide shell# /sbin/devfs rule -s 2 add path pty\* unhide shell# /sbin/devfs rule -s 2 add path tty\* unhide shell#
2011 Mar 08
1
rkhunter alert dovecot using port 1984
Hi all, Debian Lenny, dovecot 1.0.15 My rkhunter script has picked up dovecot using port 1984 temporarily. When I run it now however, it is gone. Warning: Network TCP port 1984 is being used by /usr/lib/dovecot/imap. Possible rootkit: Fuckit Rootkit Use the 'lsof -i' or 'netstat -an' command to check this. Does dovecot use this port for any reason? anyone seen this before?
2018 Dec 31
2
--partial does not "unhide" the files
Kevin Korb via rsync <rsync at lists.samba.org> (So 30 Dez 2018 23:56:44 CET): > I think --partial might be a red herring here. It only applies to what > happens when rsync is aborted in the middle of a file. What happens > without -P? Same happens w/o --partial. I append 2 logs: - a from localhost to remote server, exposing the missing "rename" - b from localhost to
2018 Dec 30
2
--partial does not "unhide" the files
Hi, I used --partial to transfer files from my local computer (rsync 3.1.2, Debian) to a remote computer (rsync 3.1.1 WD MyPassport Storage device) The files get transferred, but after successful transfer, the files are not renamed from .<tmpfile> to <file>. Where to go next? Here is the verbose output after transferring an empty file heiko at blade:~/Pictures$ rsync
2006 Dec 22
1
chkrootkit reporting possible LKM trojan
How can I be sure if it is LKM or not? Today I've run chkrootkit and it gave me: Checking `lkm'... You have 179 process hidden for readdir command You have 179 process hidden for ps command chkproc: Warning: Possible LKM Trojan installed Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp ! ! RUID PID TTY CMD ! root
2011 Nov 01
3
[LLVMdev] Git mirror very slow
14 KB/s now. Yesterday 40 KB/s. Is that transitory or is there not enough bandwidth on llvm.org?
2015 May 05
4
ldap host attribute is ignored
On 05/05/2015 06:47 PM, Gordon Messmer wrote: > On 05/05/2015 03:02 AM, Ulrich Hiller wrote: >> /etc/openldap/ldap.conf contains the line: >> ------------------------------------------ >> pam_check_host_attr yes > > /etc/openldap/ldap.conf is the configuration file for openldap clients. > It is not used for system authentication or name service. > >>
2008 May 16
2
samba & samba-common installed then erased, but by whom?
I saw this in Logwatch today for one of my servers: --------------------- yum Begin ------------------------ Packages Installed: samba-common.i386 3.0.23c-2.el5.2.0.2 samba.i386 3.0.23c-2.el5.2.0.2 Packages Erased: samba-common samba ---------------------- yum End ------------------------- No one, including myself, has even logged into this box in the past few
2015 May 05
6
ldap host attribute is ignored
Dear list members, I have installed a CentOS 7 x86_64 system. I want to let users authenticate over our ldap server. This seems to be working. ldap-username and ldap-passwords are accepted for the users configured in the ldap server. No problem. Now I want to restrict the access to users who have my centos-machine in their ldap host attribute. My problem is that this host attribute seems to be
2012 Apr 02
2
Default parameter values in R functions?
Hi all, I have a newbie question: If I have a function with the following documentation: ca.jo(x, type = c("eigen", "trace"), ecdet = c("none", "const", "trend"), K = 2, spec=c("longrun", "transitory"), season = NULL, dumvar = NULL) Let's take "type" as an example... if I omit this parameter when calling the
2005 Sep 12
1
OT: setting up a bridge
Hi all, I am using centos3.5 for my firewall home. I would like to do some tests with bridge firewalling. When I try to create the bridge, brctl gives me this error: br_add_bridge: Package not installed. I find some answers about this error, but the most important is the one that says driver is not loaded into kernel. In my /boot/config-2.4.21-32.0.1.EL file appears compiled as a
2005 Dec 30
2
RPMS's rebuilt or upstream one's used
RPMS's rebuilt or upstream one's used Hi I got a cleanly reinstalled 4.2 workstation. However I still needed to build the following SRPMS from Mandriva/Fedora :- - Chkrootkit - Logcheck - Tripwire - Xboard & Gnuchess - Rkhunter I needed to use the upstream versions of :- - OpenOffice.org 2.0.1 - RealPlayer Gold - Acrobat Reader I needed to tweak Bind chroot to log queries and