sp113438 grabbed a keyboard and wrote:
> After running on my amd64 squeeze:
> # rkhunter --update
> rkhunter -c
>
> rkhunter showed one warning:
>
> Warning: Checking for possible rootkit strings [ Warning ]
> [01:25:23] Found string 'hdparm' in file
> '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
> [01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'.
> Possible rootkit: Xzibit Rootkit

That's actually a fairly well-known false positive.

If you want to silence that message, search your /etc/rkhunter.conf file
for the part which has RTKT_FILE_WHITELIST= in it, and then whitelist
that particular file. My own rkhunter.conf file has this in it:

    RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"

That string typically shows up in those two files, so adding them to the
whitelist gets rid of the message. It's a known problem with the
rkhunter db.

Search Google for "rkhunter hdparm" and you'll find all kinds of
references to it.

--Dave
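The whitelist in the reply above covers exactly two files, so any other file reporting the same string should still be looked at. The script below is an added example, not part of the original message or of rkhunter: it triages "Found string" log lines against those two paths and emits a whitelist line only for them. The function names, the one-entry-per-line log format, and the third sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage rkhunter "Found string" warnings so that only the
# two files named in the reply are whitelisted and anything else stays visible.

# The two paths from the reply's RTKT_FILE_WHITELIST line.
KNOWN_FP="/etc/init.d/hdparm /etc/init.d/.depend.boot"

# Constructed sample log. The first two lines follow the quoted warning;
# the third path is made up to show a hit that must NOT be whitelisted.
sample_log() {
cat <<'EOF'
[01:25:23] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[01:25:24] Found string 'hdparm' in file '/etc/init.d/example-unknown'. Possible rootkit: Xzibit Rootkit
EOF
}

# triage (hypothetical helper): reads log lines on stdin and prints
# "known-fp <file>" or "review <file>" for every string-match warning.
triage() {
    sed -n "s/.*Found string '\([^']*\)' in file '\([^']*\)'\. Possible rootkit: \(.*\)$/\1|\2|\3/p" |
    while IFS='|' read -r str file kit; do
        verdict=review
        # Only the exact string/rootkit pair from the thread qualifies.
        if [ "$str" = "hdparm" ] && [ "$kit" = "Xzibit Rootkit" ]; then
            for f in $KNOWN_FP; do
                if [ "$f" = "$file" ]; then verdict=known-fp; fi
            done
        fi
        printf '%s %s\n' "$verdict" "$file"
    done
}

# whitelist_line (hypothetical helper): builds the rkhunter.conf line from
# the known false positives actually seen in the log, in log order.
whitelist_line() {
    files=$(triage | awk '$1 == "known-fp" && !seen[$2]++ { printf "%s%s", sep, $2; sep = " " }')
    if [ -n "$files" ]; then
        printf 'RTKT_FILE_WHITELIST="%s"\n' "$files"
    fi
}

sample_log | triage
sample_log | whitelist_line
```

Feed it the real log with `triage < /path/to/rkhunter.log`; the log path depends on your configuration.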

