Thread: rkhunter
Old 9th June 2009, 03:35
dragons

I have exactly the same issue with ispconfig3 and rkhunter, with the same warnings. I uncommented the lines in rkhunter.conf that refer to the issues in the warnings, but I still get the warnings and the emails every hour. I know how to stop the emails, but I really want to stop the warning by fixing the problem.
It's a brand new CentOS 5.3 server install using the howto from here on ispconfig3 and CentOS 5.3.

The warning is the same as the others:

Quote:
Checking /dev for suspicious files...                     [ OK ]
Scanning for hidden files...                              [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.hosts.swp
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect: /etc/.hosts.swp (data)

rkhunter.conf is as follows:

Code:
# This is the configuration file of Rootkit Hunter. Please change
# it to your needs.
#
# All lines beginning with a hash (#) or empty lines, will be ignored.
#
INSTALLDIR=/usr

# Links to files. Don't change if you don't need to.
LATESTVERSION=/rkhunter_latest.dat
UPDATEFILEINFO=/rkhunter_fileinfo.dat

# Send a warning message to the admin when one or more warnings
# are available (rootkit and MD5 check). Note: uses default 
# command to send the warning message.
MAIL-ON-WARNING=(my email address)

# Use a custom temporary directory (you can override it with the
# --tmpdir parameter)
# Note: don't use /tmp as your temporary directory, because some
# important files will be written to this directory. Be sure
# you have setup your permissions very tight.
TMPDIR=/var/rkhunter/tmp

# Use a custom database directory (you can override it with the
# --dbdir parameter)
DBDIR=/var/rkhunter/db

# Whitelist files (and their MD5 hash)
# Usage: MD5WHITELIST=<binary>:<MD5 hash>
#MD5WHITELIST=/bin/ps:9bd8bf260adc81d3a43a086fce6b430a
#MD5WHITELIST=/bin/ps:404583a6b166c2f7ac1287445a9de6b3

# Allow direct root login via SSH
# Don't use this option if you don't know what the warning about
# this option means!!
ALLOW_SSH_ROOT_USER=0

# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
#
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
#ALLOWHIDDENDIR=/dev/.static
#ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
# 
#ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
#ALLOWHIDDENFILE=/etc/.init.state

# Allow process to use deleted files
# One process per line (use multiple ALLOWPROCDELFILE lines)
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld

# Allow process to listen on any interface
# One process per line (use multiple ALLOWPROCLISTEN lines)
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/pppoe
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant

# The End
edit:
and the .hosts.swp file only has this in it:

Code:
b0VIM 7.0
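The post shows a hidden-files warning next to a rkhunter.conf whitelist, and the two can be compared mechanically: the scan lists four paths, the config whitelists three of them (via ALLOWHIDDENDIR and ALLOWHIDDENFILE), and whichever path is left over is what keeps the warning alive. The script below is an added example, not code from the poster or from the rkhunter project; the config and scan text inside it are constructed to mirror what the post shows, and the matching is a plain exact-path comparison (the assumption being that rkhunter's own whitelist check of that era matches full paths, which is what the shipped config comments describe). It also checks a file header for the `b0VIM` magic that Vim writes at the start of its swap files, which is what the `b0VIM 7.0` content in the post is.

```python
"""Compare an rkhunter 'hidden files' warning against the ALLOWHIDDEN*
whitelist in rkhunter.conf, and identify Vim swap files by their header.

Added example, not rkhunter's own code. Sample inputs are constructed
to mirror the forum post.
"""
import re

# Constructed excerpt of rkhunter.conf (only the hidden-item whitelist lines)
SAMPLE_CONF = """\
# Allow hidden directory
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev

# Allow hidden file
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
#ALLOWHIDDENFILE=/etc/.init.state
"""

# Constructed scan output, with the terminal cursor escapes removed
SAMPLE_SCAN = """\
Checking /dev for suspicious files...                     [ OK ]
Scanning for hidden files...                              [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.hosts.swp
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect: /etc/.hosts.swp (data)
"""

VIM_SWAP_MAGIC = b"b0VIM"   # first bytes of every Vim swap file
ELF_MAGIC = b"\x7fELF"      # first bytes of a native Linux executable


def parse_whitelist(conf_text):
    """Return the set of paths allowed by ALLOWHIDDENFILE / ALLOWHIDDENDIR.

    Lines starting with '#' are comments and are ignored, exactly as the
    config header says rkhunter does; a commented-out entry does not
    whitelist anything.
    """
    allowed = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(ALLOWHIDDENFILE|ALLOWHIDDENDIR)\s*=\s*(\S+)$", line)
        if m:
            allowed.add(m.group(2))
    return allowed


def parse_hidden_findings(scan_text):
    """Extract the paths rkhunter lists between the dashed separators that
    follow the 'Scanning for hidden files' warning. Paths may be printed
    several to a line, so every whitespace-separated token that starts with
    '/' is taken."""
    found = []
    in_block = False
    for line in scan_text.splitlines():
        if line.startswith("---"):
            in_block = not in_block
            continue
        if in_block:
            found.extend(tok for tok in line.split() if tok.startswith("/"))
    return found


def unwhitelisted(scan_text, conf_text):
    """Paths the scan flagged that no active ALLOWHIDDEN* line covers.
    These are the entries that still trigger the warning."""
    allowed = parse_whitelist(conf_text)
    return [p for p in parse_hidden_findings(scan_text) if p not in allowed]


def classify_header(header_bytes):
    """Rough classification of a flagged file from its first bytes."""
    if header_bytes.startswith(VIM_SWAP_MAGIC):
        return "vim-swap"       # an editor's leftover swap file
    if header_bytes.startswith(ELF_MAGIC):
        return "elf-binary"     # executable code hiding as a dotfile
    return "other"


def read_header(path, size=16):
    """Read the first bytes of a file on disk (used on a real system)."""
    with open(path, "rb") as fh:
        return fh.read(size)


if __name__ == "__main__":
    for path in unwhitelisted(SAMPLE_SCAN, SAMPLE_CONF):
        print("not whitelisted:", path)
    # The post reports the file contains only 'b0VIM 7.0'
    print("/etc/.hosts.swp looks like:", classify_header(b"b0VIM 7.0"))
```

Run against the constructed samples it reports `/etc/.hosts.swp` as the only unwhitelisted path and classifies its header as a Vim swap file. On a live host, `read_header("/etc/.hosts.swp")` feeds the real bytes to `classify_header`; a swap file left behind by an editor session on `/etc/hosts` is something to delete rather than whitelist, while an `elf-binary` result on a hidden file under `/etc` is the case the check exists for.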