Re: [SLUG] Someone in my computer

From: Eben King (eben1@tampabay.rr.com)
Date: Sat Aug 28 2004 - 06:03:57 EDT


On Fri, 27 Aug 2004, Tevfik Yucek wrote:

> On Wed, 25 Aug 2004 22:03:11 -0400 (EDT), Eben King
> <eben1@tampabay.rr.com> wrote:
> > On Wed, 25 Aug 2004, Tevfik Yucek wrote:
> >
> > > I have a question: I want to run chkrootkit every day. I put the
> > > following line in my cron file:
> > >
> > > cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" myemail
> > >
> > > It works fine; however, I don't want to get e-mails every day. I want
> > > to send the email only if the output of chkrootkit has the word
> > > "INFECTED" in it. Can someone help me on this?
> >
> > Maybe have a script /usr/local/bin/yourscript which does something like
> >
> > cd /path/to/chkrootkit
> > ( date ; ./chkrootkit ) 2>&1 > chkrootkit-output
> > grep -q INFECTED chkrootkit-output && mail -s "chkrootkit output" myemail
> >
> > then run it daily (or whatever) from crontab.
>
> Thanks Eben,
>
> I had to make a small change to your script:
>
> cd /usr/local/src/chkrootkit
> ( date ; ./chkrootkit ) 2>&1 > chkrootkit-output
> grep -q INFECTED chkrootkit-output && (cat chkrootkit-output | mail -s "chkrootkit output" mymailaddress)

"cat foo | bar" is equivalent to (but starts slower than and uses more
memory than) "bar < foo", so that line beginning with grep becomes

grep -q INFECTED chkrootkit-output && mail -s "chkrootkit output" mymailaddress < chkrootkit-output

I caught a small error which I believe I posted before. With this:

( date ; ./chkrootkit ) 2>&1 > chkrootkit-output

any output to stderr by ./chkrootkit will go to yourscript's stdout, and
then cron will catch it, and (probably) mail it to root. With this:

( date ; ./chkrootkit ) > chkrootkit-output 2>&1

any output to stderr by ./chkrootkit will go to chkrootkit-output. You
probably want the latter.

-- 
-eben    ebQenW1@EtaRmpTabYayU.rIr.OcoPm    home.tampabay.rr.com/hactar
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al
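
The redirect-order point and the mail-only-on-INFECTED check from the message above, as an added example that is not part of the original post. fake_scan is a constructed stand-in for ./chkrootkit, and MAILER is a hypothetical override for mail so the script can be tried without an MTA.

```shell
#!/bin/sh
# Added example. fake_scan stands in for ./chkrootkit; its output is constructed.
fake_scan() {                     # $1 = verdict text to print
    echo "Checking bindshell... $1"
    echo "constructed warning on stderr" >&2
}

# Order used first in the thread: 2>&1 copies stderr to the CURRENT stdout
# (under cron, the pipe that gets mailed), and only then is stdout sent to the file.
scan_stderr_escapes() {           # $1 = report file, $2 = verdict
    ( date ; fake_scan "$2" ) 2>&1 > "$1"
}

# Corrected order: stdout goes to the file first, then stderr follows it there.
scan_all_to_file() {              # $1 = report file, $2 = verdict
    ( date ; fake_scan "$2" ) > "$1" 2>&1
}

# Case-sensitive match, so a lowercase "not infected" line does not alert.
should_alert() {                  # $1 = report file
    grep -q INFECTED "$1"
}

# Full job: write the report, mail it only when it contains INFECTED.
# MAILER is a hypothetical override (assumption); the default is mail.
daily_check() {                   # $1 = report file, $2 = verdict, $3 = address
    scan_all_to_file "$1" "$2"
    if should_alert "$1"; then
        ${MAILER:-mail} -s "chkrootkit output" "$3" < "$1"
    fi
}
```

In a real cron script the body of daily_check would call ./chkrootkit in place of fake_scan.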
