rkhunter cronjob

simcox1 · 11-18-2005, 02:27 PM

I've tried running a script to get rkhunter automated but as far as I can see it isn't working. According to the rkhunter website this script:

#!/bin/bash
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' rootsimon@coxall:~$

should work. I assume it will send a mail to root. If it runs at boot there's no root email arrived. I've checked the paths and they seem ok. There's probably another way to make a cron job. The 'simon@coxall' isn't part of the script but it's mysteriously adding itself every time I close a file in the console. This file is in /etc/cron.daily/rkhunter, it's executable.

tangle · 11-18-2005, 02:38 PM

Try this:

#!/bin/sh
(
/usr/local/bin/rkhunter ––versioncheck
/usr/local/bin/rkhunter ––update
/usr/local/bin/rkhunter ––cronjob \
––report-warnings-only
) | /bin/mail –s ’rkhunter output’ root

Jeremy wrote an artical in the Sept. 15 2005 issue of linux magazine with this script in it.

I am not sure what the :~$ is after the email address. Maybe that is what is causing you problems. Have you tried to run it manually?

If you run it at boot, do you do it after the network and email are up?

simcox1 · 11-18-2005, 02:49 PM

What's the actual difference? What's the significance of the backslash? Also do you have a page reference as I cant find the article. Linux format?

EDIT: No, the 'simon@coxall:~$' is just the console prompt, like you get in any console, but whenever I close a file which I've opened with 'cat' or something, it puts the prompt right there at end of the file, instead of on a new line. Everything after 'root' isn't part of the script. It's just because I pasted it from the console after closing the file.

tangle · 11-18-2005, 02:53 PM

http://www.linux-mag.com/content/view/2256/2339/

simcox1 · 11-18-2005, 03:17 PM

It works fine when I just run it. I assume it runs at boot otherwise, but I don't know. It might be like you say that it runs before network and email are up. Does cron.daily normally run at boot, or some other specified time?

simcox1 · 11-18-2005, 04:12 PM

On doing some research I've found that all the cronjobs were set to run at around 4.30am. Since I switch my computer off over night, that would explain why they weren't running. I always wondered why slocate updatedb never seemed to get run unless I did it manually. Now I know. Thanks.

tangle · 11-18-2005, 05:42 PM

I had to leave just after I post the last post. The / just carries over the line of code. So this,

/usr/local/bin/rkhunter ––cronjob \
––report-warnings-only

is the same as this,

/usr/local/bin/rkhunter ––cronjob -–report-warnings-only

Your out put should look like this.

http://mirror18.mirror.rkhunter.org/rkhunter_latest.dat

Rootkit Hunter 1.2.7, copyright Michael Boelen

This version: 1.2.7
Latest version: 1.2.7

Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror18.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date

Ready.
Line:
[ Warning! ]
-----------------------------------------------------------------

Found warnings:
[18:40:15]Sample warning[ WARNING ]

-----------------------------------------------------------------

If you're unsure about the results above, please contact the author of
Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/
Some errors has been found while checking. Please perform a manual check on this
machine websrv2

simcox1 · 11-19-2005, 05:57 AM

So the script I was using is basically the same. Anyway it works when run. Have you got any idea why the prompt is appending itself to the end of the line instead of on a new line? It happens every time I open something in the console. When I close it, the prompt appears at the end of the line like above, so I have to hit return again.

Enter three numbers: 65 87 9
The average is 53.666668simon@coxall:~$

That's another example.

tangle · 11-19-2005, 05:54 PM

When I read your first post, I thought the last part was the email address you where mailing the report too. I have no idea why it appends that to the end of the file. What editor are you using?

simcox1 · 11-20-2005, 09:24 AM

Using emacs normally, but the same happens with 'cat' or whatever. The prompt starts at the end of the closed file instead of on a new line. I don't know why it's doing it. It's fairly recent. I've recently reinstalled slackware 10.2 (2.4.31). It's never done it before.

pk21 · 11-21-2005, 05:23 AM

Also note that the last update of rkhunter was 24 May 2005, maybe it is time to look at another program like chkrootkit(last updated at 28 Oct 2005).

unSpawn · 11-21-2005, 08:25 AM

Also note that the last update of rkhunter was 24 May 2005, maybe it is time to look at another program like chkrootkit(last updated at 28 Oct 2005).
Maybe someone should take over maintenance?