LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-18-2005, 02:27 PM   #1
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Rep: Reputation: 30
rkhunter cronjob


I've tried running a script to get rkhunter automated but as far as I can see it isn't working. According to the rkhunter website this script:

#!/bin/bash
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' rootsimon@coxall:~$

should work. I assume it will send a mail to root. If it runs at boot there's no root email arrived. I've checked the paths and they seem ok. There's probably another way to make a cron job. The 'simon@coxall' isn't part of the script but it's mysteriously adding itself every time I close a file in the console. This file is in /etc/cron.daily/rkhunter, it's executable.
 
Old 11-18-2005, 02:38 PM   #2
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
Try this:

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob \
--report-warnings-only
) | /bin/mail -s 'rkhunter output' root

Jeremy wrote an article in the Sept. 15 2005 issue of Linux Magazine with this script in it.

I am not sure what the :~$ is after the email address. Maybe that is what is causing you problems. Have you tried to run it manually?

If you run it at boot, do you do it after the network and email are up?

Last edited by tangle; 11-18-2005 at 02:48 PM.
 
Old 11-18-2005, 02:49 PM   #3
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Original Poster
Rep: Reputation: 30
What's the actual difference? What's the significance of the backslash? Also do you have a page reference as I can't find the article. Linux Format?

EDIT: No, the 'simon@coxall:~$' is just the console prompt, like you get in any console, but whenever I close a file which I've opened with 'cat' or something, it puts the prompt right there at end of the file, instead of on a new line. Everything after 'root' isn't part of the script. It's just because I pasted it from the console after closing the file.

Last edited by simcox1; 11-18-2005 at 02:53 PM.
 
Old 11-18-2005, 02:53 PM   #4
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
http://www.linux-mag.com/content/view/2256/2339/
 
Old 11-18-2005, 03:17 PM   #5
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Original Poster
Rep: Reputation: 30
It works fine when I just run it. I assume it runs at boot otherwise, but I don't know. It might be like you say that it runs before network and email are up. Does cron.daily normally run at boot, or some other specified time?
 
Old 11-18-2005, 04:12 PM   #6
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Original Poster
Rep: Reputation: 30
On doing some research I've found that all the cronjobs were set to run at around 4.30am. Since I switch my computer off over night, that would explain why they weren't running. I always wondered why slocate updatedb never seemed to get run unless I did it manually. Now I know. Thanks.
 
Old 11-18-2005, 05:42 PM   #7
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
I had to leave just after I posted the last post. The \ just carries over the line of code. So this,

/usr/local/bin/rkhunter --cronjob \
--report-warnings-only

is the same as this,

/usr/local/bin/rkhunter --cronjob --report-warnings-only

Your output should look like this.

http://mirror18.mirror.rkhunter.org/rkhunter_latest.dat

Rootkit Hunter 1.2.7, copyright Michael Boelen

This version: 1.2.7
Latest version: 1.2.7



Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror18.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date




Ready.
Line:
[ Warning! ]
-----------------------------------------------------------------

Found warnings:
[18:40:15]Sample warning[ WARNING ]

-----------------------------------------------------------------

If you're unsure about the results above, please contact the author of
Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/
Some errors has been found while checking. Please perform a manual check on this
machine websrv2
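Post #6 found the real cause (cron.daily fires at about 4:30am, when the machine is off) and post #7 settled the script itself. As an added example, not the thread's script and not part of rkhunter, here is a wrapper that keeps the same three rkhunter calls but can be run from an hourly cron entry and only executes the job when the last completed run is at least a day old, so a missed overnight slot is caught up the next time the machine is on. It assumes the paths from the thread (/usr/local/bin/rkhunter, /bin/mail), a stamp file under /var/lib, and that the cron entry passes the argument `run`.

```shell
#!/bin/sh
# Added example, not from the thread: run the rkhunter job at most once per
# 24 hours, catching up when the 4:30 cron.daily slot was missed because the
# machine was off. Invoke from an hourly cron entry, e.g.
#   0 * * * * /usr/local/sbin/rkhunter-cron.sh run
# Assumed paths: /usr/local/bin/rkhunter, /bin/mail, and the stamp file below.

STAMP_FILE="${STAMP_FILE:-/var/lib/rkhunter-cron.stamp}"
MIN_INTERVAL="${MIN_INTERVAL:-86400}"   # seconds between runs (24h)

# read_stamp FILE: print the epoch time of the last completed run, or nothing.
read_stamp() {
    if [ -f "$1" ]; then
        cat "$1"
    fi
}

# run_due LAST NOW: succeed when no run has been recorded yet, or when the
# last one is at least MIN_INTERVAL seconds old.
run_due() {
    last="$1"
    now="$2"
    if [ -z "$last" ]; then
        return 0
    fi
    [ $((now - last)) -ge "$MIN_INTERVAL" ]
}

# The job itself: the same three rkhunter calls as the posted script, with
# stderr captured as well so a failing update is not silently lost.
do_rkhunter_run() {
    (
        /usr/local/bin/rkhunter --versioncheck
        /usr/local/bin/rkhunter --update
        /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) 2>&1 | /bin/mail -s "rkhunter Daily Run ($(hostname))" root
}

main() {
    now=$(date +%s)
    last=$(read_stamp "$STAMP_FILE")
    if run_due "$last" "$now"; then
        do_rkhunter_run
        echo "$now" > "$STAMP_FILE"   # record the time only after the job ran
    fi
}

# Only run when called with "run", so the functions can be sourced or tested.
case "${1:-}" in
    run) main ;;
esac
```

Because the stamp is written after the job completes, a run interrupted by a shutdown is simply repeated at the next hourly check.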
 
Old 11-19-2005, 05:57 AM   #8
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Original Poster
Rep: Reputation: 30
So the script I was using is basically the same. Anyway it works when run. Have you got any idea why the prompt is appending itself to the end of the line instead of on a new line? It happens every time I open something in the console. When I close it, the prompt appears at the end of the line like above, so I have to hit return again.

Enter three numbers: 65 87 9
The average is 53.666668simon@coxall:~$

That's another example.
 
Old 11-19-2005, 05:54 PM   #9
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
When I read your first post, I thought the last part was the email address you were mailing the report to. I have no idea why it appends that to the end of the file. What editor are you using?
 
Old 11-20-2005, 09:24 AM   #10
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Original Poster
Rep: Reputation: 30
Using emacs normally, but the same happens with 'cat' or whatever. The prompt starts at the end of the closed file instead of on a new line. I don't know why it's doing it. It's fairly recent. I've recently reinstalled slackware 10.2 (2.4.31). It's never done it before.
 
Old 11-21-2005, 05:23 AM   #11
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
Also note that the last update of rkhunter was 24 May 2005, maybe it is time to look at another program like chkrootkit (last updated at 28 Oct 2005).
 
Old 11-21-2005, 08:25 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Rep: Reputation: 2860
> Also note that the last update of rkhunter was 24 May 2005, maybe it is time to look at another program like chkrootkit (last updated at 28 Oct 2005).
Maybe someone should take over maintenance?
 
All times are GMT -5.