On 03/11/2013 09:19 PM, David Guntner wrote:
> sp113438 grabbed a keyboard and wrote:
>> After running on my amd64 squeeze:
>> # rkhunter --update
>> rkhunter -c
>>
>> rkhunter showed one warning:
>>
>> Warning: Checking for possible rootkit strings [ Warning ]
>> [01:25:23] Found string 'hdparm' in file
>> '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
>> [01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'.
>> Possible rootkit: Xzibit Rootkit
>
> That's actually a fairly well-known false positive.
>
> If you want to silence that message, search your /etc/rkhunter.conf file
> for the part which has RTKT_FILE_WHITELIST= in it, and then whitelist
> that particular file. My own rkhunter.conf file has this in it:
>
> RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
>
> That string typically shows up in those two files, so adding them to the
> whitelist gets rid of the message. It's a known problem with the
> rkhunter db.
>
> Search Google for "rkhunter hdparm" and you'll find all kinds of
> references to it.
>
> --Dave
>

My guess is that that same idea may also apply to this? -
[12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.
[12:10:48] Checking for hidden files and directories [ Warning ]
[12:10:48] Warning: Hidden directory found: '/etc/.java'

--
Regards
Jack
Boston Tea Party, Coercive Acts, Powder Alarm, Revolution
Lessons not learned are bound to be repeated.
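
An added example, not part of the original thread or of rkhunter itself: a small parser that maps the three warning types quoted above to the rkhunter.conf option that whitelists each one. The function names are hypothetical, the sample log is constructed from the lines in this thread, and the quoted space-separated value format is assumed from the RTKT_FILE_WHITELIST line David quotes.

```python
import re

# Constructed sample: the rkhunter log lines quoted in this thread.
SAMPLE_LOG = """\
[01:25:23] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.
[12:10:48] Checking for hidden files and directories [ Warning ]
[12:10:48] Warning: Hidden directory found: '/etc/.java'
"""

# Warning text -> rkhunter.conf option that whitelists the reported path.
RULES = [
    (re.compile(r"Found string '[^']*' in file '([^']+)'\. Possible rootkit"),
     "RTKT_FILE_WHITELIST"),
    (re.compile(r"Warning: The command '([^']+)' has been replaced by a script"),
     "SCRIPTWHITELIST"),
    (re.compile(r"Warning: Hidden directory found: '([^']+)'"),
     "ALLOWHIDDENDIR"),
]


def suggest_whitelist(log_text):
    """Return {option: [paths]} for every warning line a rule recognises.

    Info lines (already whitelisted) and section headers match no rule.
    """
    found = {}
    for line in log_text.splitlines():
        for pattern, option in RULES:
            match = pattern.search(line)
            if not match:
                continue
            paths = found.setdefault(option, [])
            if match.group(1) not in paths:  # keep each path once
                paths.append(match.group(1))
    return found


def render_conf(suggestions):
    """Format suggestions as rkhunter.conf lines (format assumed, see lead-in)."""
    return ['%s="%s"' % (opt, " ".join(paths)) for opt, paths in suggestions.items()]


if __name__ == "__main__":
    print("\n".join(render_conf(suggest_whitelist(SAMPLE_LOG))))
```

Confirm that each reported path belongs to an installed package (for example with `dpkg -S <path>`) before adding it to the configuration, and compare the value format with the comments in the installed rkhunter.conf.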