On Mon, 2010-07-12 at 00:22 +0100, John Horne wrote:
> On Sat, 2010-07-10 at 19:42 -0500, Chris wrote:
> >
> > /usr/sbin/rkhunter                                       [ Warning ]
> > Warning: The command '/usr/sbin/rkhunter' has been replaced and is not a
> > script: /usr/sbin/rkhunter: a /bin/sh script text executable
> >
> This is a known bug. It's already fixed in the CVS version.
>
> > I'm also seeing this but I believe there was already an earlier thread
> > on it:
> >
> > Warning: SHV4 Rootkit
> > [ Warning ] File '/usr/include/file.h' found
> >
> > Warning: SHV5 Rootkit
> > [ Warning ] File '/usr/include/file.h' found
> >
> You can whitelist these.
>
> > Checking for string 'hdparm'                              [ Warning ]
> >
> > Warning: Checking for possible rootkit strings            [ Warning ]
> > Found string 'hdparm' in file '/etc/rc.d/init.d/bootlogd'. Possible
> > rootkit: Xzibit Rootkit
> > Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit:
> > Xzibit Rootkit
> >
> Fixed in the CVS version, where it is possible to whitelist specific
> strings in specific files. (In your case it would be the 'hdparm' string
> in the /etc/rc.d/rc.sysinit and bootlogd files. This means you don't
> have to whitelist the files from all rootkit checks.)
>
> At the moment you will have to whitelist the files from all rootkit
> checks (see RTKT_FILE_WHITELIST in the config file).
>
> John.

Thanks John, here's what I've done:
RTKT_FILE_WHITELIST=/etc/init.d/hdparm
RTKT_FILE_WHITELIST=/etc/init.d/pciparm
RTKT_FILE_WHITELIST=/usr/include/file.h
RTKT_FILE_WHITELIST=/etc/rc.d/rc.sysinit
RTKT_FILE_WHITELIST=/etc/rc.d/init.d/bootlogd
RTKT_FILE_WHITELIST=/etc/rc.d/rc.sysinit

Still this morning I had the below warnings. Do I need to add 'hdparm' to
the end of the path?

Warning: SHV4 Rootkit
[ Warning ] File '/usr/include/file.h' found

Warning: Checking for possible rootkit strings            [ Warning ]
Found string 'hdparm' in file '/etc/rc.d/init.d/bootlogd'. Possible
rootkit: Xzibit Rootkit
Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit:
Xzibit Rootkit

-- 
Chris
KeyID 0xE372A7DA98E6705C
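A small triage script for the situation in the post above, added here as an example and not part of the thread or of rkhunter itself. It reads rkhunter.conf-style text and rkhunter warning lines, both embedded inline as constructed samples that mirror the ones quoted in the thread, and reports which warned files are listed under RTKT_FILE_WHITELIST, which are not, and which paths or assignments are repeated. It assumes that both the repeated-assignment form used in the post and a quoted, space-separated value contribute paths; whether a given rkhunter release actually merges repeated assignments is not settled on this page, so the script only flags the repetition and leaves the reader to check their version's rkhunter.conf comments.

```python
"""Check rkhunter warnings against RTKT_FILE_WHITELIST entries.

Added example, not rkhunter's own code. Assumption: every
RTKT_FILE_WHITELIST assignment contributes its space-separated paths;
the script does not claim to know how any rkhunter release merges
repeated assignments, it only reports that they occur.
"""
import re
from collections import Counter

OPTION = "RTKT_FILE_WHITELIST"
_ASSIGN = re.compile(r"^\s*" + OPTION + r"\s*=\s*(.*?)\s*$")
_FILE_FOUND = re.compile(r"File '([^']+)' found")
_STRING_FOUND = re.compile(r"Found string '([^']+)' in file '([^']+)'")

# Constructed sample mirroring the config lines posted in the thread.
SAMPLE_CONF = """\
# rkhunter.conf excerpt (constructed sample)
RTKT_FILE_WHITELIST=/etc/init.d/hdparm
RTKT_FILE_WHITELIST=/etc/init.d/pciparm
RTKT_FILE_WHITELIST=/usr/include/file.h
RTKT_FILE_WHITELIST=/etc/rc.d/rc.sysinit
RTKT_FILE_WHITELIST=/etc/rc.d/init.d/bootlogd
RTKT_FILE_WHITELIST=/etc/rc.d/rc.sysinit
"""

# Constructed sample of the warning lines quoted in the thread.
SAMPLE_WARNINGS = """\
Warning: SHV4 Rootkit
[ Warning ] File '/usr/include/file.h' found
Warning: Checking for possible rootkit strings            [ Warning ]
Found string 'hdparm' in file '/etc/rc.d/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
"""


def parse_whitelist(conf_text):
    """Return (paths, assignments): every path assigned to the option, in
    order and with duplicates kept, and the number of assignment lines."""
    paths, assignments = [], 0
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        m = _ASSIGN.match(stripped)
        if m is None:
            continue  # some other option
        assignments += 1
        value = m.group(1).strip('"').strip("'")
        paths.extend(value.split())  # quoted form may hold several paths
    return paths, assignments


def parse_warnings(log_text):
    """Map each warned file to its findings: ('file', None) for the rootkit
    files/dirs check, ('string', s) for the rootkit strings check."""
    findings = {}
    for line in log_text.splitlines():
        m = _FILE_FOUND.search(line)
        if m:
            findings.setdefault(m.group(1), []).append(("file", None))
            continue
        m = _STRING_FOUND.search(line)
        if m:
            findings.setdefault(m.group(2), []).append(("string", m.group(1)))
    return findings


def coverage(conf_text, log_text):
    """Compare warned files with whitelisted paths and return a summary."""
    paths, assignments = parse_whitelist(conf_text)
    listed = set(paths)
    warned = parse_warnings(log_text)
    return {
        "assignments": assignments,
        "duplicates": sorted(p for p, n in Counter(paths).items() if n > 1),
        "covered": sorted(p for p in warned if p in listed),
        "uncovered": sorted(p for p in warned if p not in listed),
        "findings": warned,
    }


def report(conf_text, log_text):
    """Human-readable version of coverage(), one line per observation."""
    r = coverage(conf_text, log_text)
    out = []
    for path in r["covered"]:
        kinds = ", ".join(k if s is None else f"{k} '{s}'"
                          for k, s in r["findings"][path])
        out.append(f"listed, still warned ({kinds}): {path}")
    for path in r["uncovered"]:
        out.append(f"NOT listed: {path}")
    for path in r["duplicates"]:
        out.append(f"listed more than once: {path}")
    if r["assignments"] > 1:
        out.append(f"{OPTION} assigned {r['assignments']} times; check how "
                   "your rkhunter version treats repeated assignments")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CONF, SAMPLE_WARNINGS))
```

Run against the posted config and warnings, every warned file comes out as listed, which tells you the open question is not a missing path but how that rkhunter version handles the option itself; the comments in the release's own rkhunter.conf are the place to confirm that.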
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
