
Re: rootkit/virus/trojan on squeeze 32 bit



Verde Denim grabbed a keyboard and wrote:
> On 03/11/2013 09:19 PM, David Guntner wrote:
>> That's actually a fairly well-known false positive.
>>
>> If you want to silence that message, search your /etc/rkhunter.conf file
>> for the part which has RTKT_FILE_WHITELIST= in it, and then whitelist
>> that particular file. My own rkhunter.conf file has this in it:
>>
>> RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
>>
>> That string typically shows up in those two files, so adding them to the
>> whitelist gets rid of the message. It's a known problem with the
>> rkhunter db.
>>
>> Search Google for "rkhunter hdparm" and you'll find all kinds of
>> references to it.
>
> My guess is that that same idea may also apply to this? -
> 
> [12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced
> by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
> 
> [12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted
> for the 'script replacement' check.
> 
> [12:10:48]   Checking for hidden files and directories       [ Warning ]
> [12:10:48] Warning: Hidden directory found: '/etc/.java'

Yup.  For an item that's whitelisted, it will show up in the log file,
but not the main report itself.  There are examples and so on in the
/etc/rkhunter.conf file - it's well worth going through that file to get
better ideas of how to configure it to your liking.

         --Dave
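The two warnings quoted above map onto rkhunter.conf options of the same kind as RTKT_FILE_WHITELIST: SCRIPTWHITELIST for the "replaced by a script" check and ALLOWHIDDENDIR (and ALLOWHIDDENFILE) for the hidden-files check. The script below is an added example, not code from this thread or from the rkhunter project: it reads rkhunter log lines, prints the matching whitelist line for each warning, and looks up which Debian package owns the path before you accept it, since a whitelist entry silences the finding for good. The option names are real rkhunter.conf settings; the "Hidden file found" log shape is assumed to mirror the "Hidden directory found" line in the thread, and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter): turn rkhunter log
# warnings into candidate rkhunter.conf whitelist lines, then check package
# ownership before accepting them. SCRIPTWHITELIST, ALLOWHIDDENDIR and
# ALLOWHIDDENFILE are real rkhunter.conf options; the "Hidden file found"
# line shape is assumed to mirror the "Hidden directory found" line.

# suggest_whitelist: read rkhunter log lines on stdin and print one
# rkhunter.conf line per recognised warning, duplicates removed.
suggest_whitelist() {
    sed -n \
        -e "s/^.*Warning: The command '\([^']*\)' has been replaced by a script:.*$/SCRIPTWHITELIST=\1/p" \
        -e "s/^.*Warning: Hidden directory found: '\([^']*\)'.*$/ALLOWHIDDENDIR=\1/p" \
        -e "s/^.*Warning: Hidden file found: '\([^']*\)'.*$/ALLOWHIDDENFILE=\1/p" |
        sort -u
}

# package_owner: print the Debian package that ships the given path, or
# nothing if dpkg is absent or knows no owner. A "script replacement" hit on
# a file that no package owns deserves a closer look, not a whitelist entry.
package_owner() {
    command -v dpkg >/dev/null 2>&1 || return 0
    dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1
}

# Constructed sample log: the warnings quoted in the thread plus an assumed
# hidden-file line, standing in for /var/log/rkhunter.log.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.
[12:10:48]   Checking for hidden files and directories       [ Warning ]
[12:10:48] Warning: Hidden directory found: '/etc/.java'
[12:10:48] Warning: Hidden file found: '/dev/.udev/rules.d/root.rules': ASCII text
EOF

# Print each candidate line with the owning package (or "unknown") so the
# decision to paste it into /etc/rkhunter.conf is an informed one.
suggest_whitelist <"$SAMPLE_LOG" | while IFS='=' read -r option path; do
    owner=$(package_owner "$path")
    printf '%s=%s   # owner: %s\n' "$option" "$path" "${owner:-unknown}"
done
rm -f "$SAMPLE_LOG"
```

Run it against the real log with `suggest_whitelist </var/log/rkhunter.log` after sourcing the file; the Info line for lwp-request produces nothing, which is the behaviour Dave describes: a whitelisted item is logged but raises no warning.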


