sp113438 grabbed a keyboard and wrote:
> After running on my amd64 squeeze:
> # rkhunter --update
> rkhunter -c
>
> rkhunter showed one warning:
>
> Warning: Checking for possible rootkit strings [ Warning ]
> [01:25:23] Found string 'hdparm' in file
> '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
> [01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'.
> Possible rootkit: Xzibit Rootkit
That's actually a fairly well-known false positive.
If you want to silence that message, search your /etc/rkhunter.conf file
for the part which has RTKT_FILE_WHITELIST= in it, and then whitelist
that particular file. My own rkhunter.conf file has this in it:
RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
That string typically shows up in those two files, so adding them to the
whitelist gets rid of the message. It's a known problem with the
rkhunter db.
Search Google for "rkhunter hdparm" and you'll find all kinds of
references to it.
--Dave
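As an added illustration (not part of the thread, and not rkhunter's own code): a minimal POSIX sh re-creation of the "rootkit strings" check with an RTKT_FILE_WHITELIST-style exact-path list. It shows that whitelisting the two known files silences only those, while the same string in an unlisted file still produces a warning. The sample file tree is constructed, and the names check_string, is_whitelisted and demo are assumptions of this example.

```shell
# Exact-path exception list, in the same format as the rkhunter.conf line.
RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"

# is_whitelisted PATH: succeed only if PATH appears verbatim in the list.
is_whitelisted() {
    for w in $RTKT_FILE_WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_string STRING ROOT FILE...: warn (on stderr) for every file that
# contains STRING and is not whitelisted; print the warning count on stdout.
# ROOT is stripped from each path so a scratch directory can stand in for /.
check_string() {
    str=$1; root=$2; shift 2
    hits=0
    for f in "$@"; do
        rel=${f#"$root"}
        if grep -q -- "$str" "$f" 2>/dev/null; then
            if is_whitelisted "$rel"; then
                echo "Info: '$str' in '$rel' is whitelisted" >&2
            else
                echo "Warning: Found string '$str' in file '$rel'" >&2
                hits=$((hits + 1))
            fi
        fi
    done
    echo "$hits"
}

# demo: constructed stand-in for a squeeze /etc/init.d plus one stray file;
# prints the number of warnings that survive the whitelist (expected: 1).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/tmp"
    printf 'hdparm: $remote_fs\n' > "$root/etc/init.d/.depend.boot"
    printf '#!/bin/sh\n/sbin/hdparm -q\n' > "$root/etc/init.d/hdparm"
    printf 'hdparm\n' > "$root/tmp/unknown.sh"   # same string, not whitelisted
    n=$(check_string hdparm "$root" "$root/etc/init.d/.depend.boot" \
        "$root/etc/init.d/hdparm" "$root/tmp/unknown.sh")
    rm -rf "$root"
    echo "$n"
}

demo
```

The point of matching on the exact path is that the exception stays narrow: a file anywhere else that happens to contain the same string is still reported.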