mail from root

Dazed_75 lthielster at gmail.com
Sun Apr 14 13:14:24 MST 2013


On Sun, Apr 14, 2013 at 12:58 PM, Robert Holtzman <holtzm at cox.net> wrote:

> On Sat, Apr 13, 2013 at 10:39:04AM -0700, Dazed_75 wrote:
> > I don't really know enough to give a solid answer.  But since you've had no
> > responses, I will ask why you think the mails on the desktop are FALSE
> > positives and why you think they should be occurring on the laptop as
> > well.
>
> The mails on the desktop warn of a rootkit named "Xzibit Rootkit". This
> has been gone over in the past on the rkhunter list and the devs have
> declared them to be false positives. Running rkhunter manually on the
> laptop gives the same warnings.
>
> > In other words, rkhunter on the desktop is saying something has changed in
> > the two files it is questioning.  Just because you copied the .conf file to
> > the laptop does not mean the two files on the laptop should be called into
> > question.
>
> I don't believe I called them into question.
>

The two files I was referring to were the files on which you were getting
the false positives.  But your clarification above, that running
rkhunter manually on the laptop gives the same false positives, changes
everything.  Now the question becomes whether rkhunter is being run the
same way on both machines.  IOW, perhaps it is a scheduled job (cron or
anacron) on the desktop but not on the laptop.  If so, then you would not
get the daily emails on the laptop.  Or perhaps it IS cronned on the laptop
but the machine is not ON at the scheduled time.  Just thoughts ...

>
> > Are those files present on the laptop and identical in every way
> > to the desktop?
>
> As I said in my post, since I copied the .conf file to a thumb drive and
> then via sneakernet to the laptop, I'm unaware of how they would be
> different. Am I missing something? If I am I'll run diff on them but
> right now I can't see how the copy could change.
>
> --
> Bob Holtzman
> If you think you're getting free lunch,
> check the price of the beer.
> Key ID: 8D549279
>



-- 
Dazed_75 a.k.a. Larry

Please protect my address like I protect yours. When sending messages to
multiple recipients, use the BCC: (Blind carbon copy). Remove addresses
from a forwarded message body before clicking Send.