Dick Gevers wrote:

[...]

> My STARTUP_PATHS includes /etc/rc.d in which the file rc.sysinit contains
> the word 'hdparm', which causes a warning by rkh:
> 
> Found string 'hdparm' in file '//etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
> 
> But rpm finds the file to be in order.
> 
> For info:
> 
> grep -n hdparm rc.sysinit
> 1132:# after installing the hdparm-RPM. If you need different hdparm parameters
> 1153:# resyncing and disks heavily active, because hdparm might hang and
> 1157:   if [ -x /sbin/hdparm ]; then
> 1190:                         action "Setting hard drive parameters for %s: " ${disk[$device]}  /sbin/hdparm ${HDFLAGS[$device]} /dev/${disk[$device]}
> 
> Is there a way I can exclude this file? I searched, but didn't see an
> option for this check.

Perhaps the tool could be made smart enough to notice that the
string occurs in a comment. Another possibility is to edit that
file to remove the string.

Personally, I don't like whitelisting.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
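
A comment-aware version of the string check suggested in the reply, as an added example (not rkhunter's code and not part of the original messages). The function names and the sample text are constructed for illustration; the sample is modelled on the quoted grep output, where line 1157 uses the string in code, so a check like this would still warn for that file.

```python
# Constructed sample modelled on the grep output quoted in the thread
# (abridged and invented lines; not the real rc.sysinit).
SAMPLE = '''\
# after installing the hdparm-RPM. If you need different hdparm parameters
echo "tuning disks"   # hdparm might hang
if [ -x /sbin/hdparm ]; then
    n=${#disk[@]}
    echo 'see # hdparm notes'
fi
'''

def strip_comment(line):
    """Return the line without a trailing shell comment.

    A '#' starts a comment only when unquoted and at the start of a word.
    Assumption: heredocs and multi-line quotes are out of scope for a
    line-oriented string check.
    """
    quote = None                        # quote character we are inside, if any
    i = 0
    while i < len(line):
        ch = line[i]
        if quote == "'":                # single quotes: everything is literal
            if ch == "'":
                quote = None
        elif ch == "\\":                # unquoted or inside "...": skip escaped char
            i += 1
        elif quote == '"':
            if ch == '"':
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1] in " \t;&|("):
            return line[:i]
        i += 1
    return line

def classify_hits(text, needle):
    """Return (lineno, 'code' | 'comment') for every line containing needle."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if needle in line:
            kind = "code" if needle in strip_comment(line) else "comment"
            hits.append((lineno, kind))
    return hits

def should_warn(text, needle):
    """Warn only if the string appears somewhere outside a comment."""
    return any(kind == "code" for _, kind in classify_hits(text, needle))
```
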
