Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: DocRob on January 04, 2008, 09:43:39 AM

Title: Warning: Suspicious file types found
Post by: DocRob on January 04, 2008, 09:43:39 AM
Hi,

Since the last update, both the SME servers I have under test have been giving the same rootkit warnings. They both complain about:

Code:
[04:03:56] Warning: Suspicious file types found in /dev:
[04:03:56]          /dev/shm/suspscan.14067.strings: ASCII text, with very long lines

and some files:

Code:
[04:03:28] Warning: File '/tmp/sa-update.log' (score: 253) contains some suspicious content and should be checked.
[04:03:31]       File checked: Name: '/tmp/sess_28a16ea58154fec612c7aa9e389cfb71' Score: 221
[04:03:31] Warning: File '/tmp/sess_28a16ea58154fec612c7aa9e389cfb71' (score: 221) contains some suspicious content and should be checked.
[04:03:33]       File checked: Name: '/tmp/sess_2c4af0ab7b253f31a63d18568d823846' Score: 221
[04:03:33] Warning: File '/tmp/sess_2c4af0ab7b253f31a63d18568d823846' (score: 221) contains some suspicious content and should be checked.

Doing a cat shows that the file in /dev/ appears to be related to Horde and the others are not clear. I think that this is OK, but I thought I had better ask. If it is OK, what should I do to stop the warnings?

Regards

Rob
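As an added illustration (not code from the original post, from SME Server or from the rkhunter project), the following Python script parses the two kinds of rkhunter warning lines quoted above, "Suspicious file types found in" entries and "File '...' (score: N)" entries, and triages them against an allowlist of paths the administrator has already reviewed. The sample log text is constructed from the lines in the post, and the allowlist patterns (rkhunter's own suspscan temp file, PHP-style session files, the SpamAssassin update log) are hypothetical examples of a reviewed set, not a recommendation about which paths are safe on a given server; the names parse_rkhunter_log, triage and REVIEWED_BENIGN are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern

# Constructed sample log: the rkhunter lines quoted in the post above.
SAMPLE_LOG = """\
[04:03:56] Warning: Suspicious file types found in /dev:
[04:03:56]          /dev/shm/suspscan.14067.strings: ASCII text, with very long lines
[04:03:28] Warning: File '/tmp/sa-update.log' (score: 253) contains some suspicious content and should be checked.
[04:03:31]       File checked: Name: '/tmp/sess_28a16ea58154fec612c7aa9e389cfb71' Score: 221
[04:03:31] Warning: File '/tmp/sess_28a16ea58154fec612c7aa9e389cfb71' (score: 221) contains some suspicious content and should be checked.
"""


@dataclass
class Finding:
    time: str
    path: str
    score: Optional[int]   # suspscan score; None for file-type warnings
    kind: str              # "content" (suspscan score) or "filetype" (/dev scan)


# "[hh:mm:ss] Warning: File '<path>' (score: <n>) ..."
WARN_FILE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] Warning: File '([^']+)' \(score: (\d+)\)")
# "[hh:mm:ss] Warning: Suspicious file types found in <dir>:" followed by indented entries
WARN_TYPES_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] Warning: Suspicious file types found in (\S+):")
# "[hh:mm:ss]          <path>: <file(1) description>"
TYPE_ENTRY_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(/\S+): (.+)$")


def parse_rkhunter_log(text: str) -> List[Finding]:
    """Extract the flagged files from rkhunter log text."""
    findings: List[Finding] = []
    in_types_block = False
    for line in text.splitlines():
        m = WARN_FILE_RE.match(line)
        if m:
            in_types_block = False
            findings.append(Finding(m.group(1), m.group(2), int(m.group(3)), "content"))
            continue
        m = WARN_TYPES_RE.match(line)
        if m:
            # Entries for this warning follow on the next indented lines.
            in_types_block = True
            continue
        if in_types_block:
            m = TYPE_ENTRY_RE.match(line)
            if m:
                findings.append(Finding(m.group(1), m.group(2), None, "filetype"))
                continue
            in_types_block = False  # any other line ends the block
    return findings


# Hypothetical allowlist: patterns an administrator has inspected by hand and
# judged benign on their own server. Anything not matching stays flagged.
REVIEWED_BENIGN: List[Pattern[str]] = [
    re.compile(r"^/dev/shm/suspscan\.\d+\.strings$"),  # rkhunter's own suspscan scratch file
    re.compile(r"^/tmp/sess_[0-9a-f]{32}$"),           # PHP-style session files
    re.compile(r"^/tmp/sa-update\.log$"),               # SpamAssassin rule-update log
]


def triage(findings: List[Finding], allowlist: List[Pattern[str]] = REVIEWED_BENIGN) -> List[Finding]:
    """Return only the findings that do not match a reviewed-benign pattern."""
    return [f for f in findings if not any(p.match(f.path) for p in allowlist)]


if __name__ == "__main__":
    found = parse_rkhunter_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} {f.kind:8} score={f.score} {f.path}")
    remaining = triage(found)
    print(f"{len(found)} findings, {len(remaining)} still need manual review")
```

Run it against a real log with `parse_rkhunter_log(open("/var/log/rkhunter.log").read())` (the path is the usual default, adjust to the local install). The point of keeping the allowlist as explicit regexes is that every suppressed path is recorded next to the reason it was judged benign, so a new path appearing in the nightly mail still surfaces instead of being silently absorbed.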
Title: Re: Warning: Suspicious file types found
Post by: progitto on January 04, 2008, 10:33:03 AM
From http://forums.contribs.org/index.php?topic=39542.0

Quote
Taking the upgrade path from a 7.x to 7.3
-----------------------------------------
- First night you may receive an email from cron about sa_updates
- First night you may receive an email saying missing passwd/group files
  (rkhunter email notification).

Ciao

Umberto
Title: Re: Warning: Suspicious file types found
Post by: DocRob on January 04, 2008, 10:42:16 AM
Thanks Umberto,

I hadn't seen that but that does explain things in part. I am still getting the message after 2 nights though.

Regards
Title: Re: Warning: Suspicious file types found
Post by: progitto on January 04, 2008, 10:48:08 AM
You can open a bug entry in bugzilla, it's the right place to do this.
http://bugs.contribs.org/

Ciao and happy new year

Umberto
Title: Re: Warning: Suspicious file types found
Post by: DocRob on January 05, 2008, 09:39:35 AM
Hiya,

Both machines are still reporting the problem. I will raise a report.

Happy New Year

Rob
Title: Re: Warning: Suspicious file types found
Post by: idp_qbn on January 05, 2008, 08:11:13 PM
After upgrading 7.2 ==> 7.3, I am getting the same "Suspicious files" messages on two SME boxes I have.
I have added my comments to http://bugs.contribs.org/show_bug.cgi?id=3713

Cheers
Ian