
Bug#651119: rkhunter: False positives when checking running processes for suspicious files



Hi,

I ran into a similar problem.

rkhunter --version
Rootkit Hunter 1.3.6
...

rkhunter reports this warning:

Warning: Checking running processes for suspicious files [ Warning ]
Warning: One or more of these files were found: backdoor, adore.o,
mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava,
tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3,
system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer,
holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write,
Phantasmagoria.o, lkt.o, nlkt.o
         Check the output of the lsof command 'lsof -F n -w -n'

After checking the output of the suggested lsof command, I found that the
open file (more precisely, a directory) was:

/home/smbshare/system

This is the directory of my regular Samba share and was opened by Samba. The
other files from the list are not found on my system.

My suggestion is simply to provide a whitelist for this...

regards

-- 
Slavko
http://slavino.sk
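The warning above shows what the check does: every path that `lsof -F n -w -n` reports as open is compared, by its last path component, against a fixed list of rootkit file names, and `system` is on that list, so a Samba share directory called `system` trips it. The script below is an added example, not rkhunter's own code or anything from this bug report; it re-implements that matching over a constructed `lsof -F n` sample (the paths and PIDs are made up, the name list is copied from the warning text) and adds the kind of full-path whitelist the poster suggests. Whitelisting by full path rather than by bare name is the point: `/home/smbshare/system` is suppressed, while a constructed `/tmp/adore.o` in the same sample is still reported.

```shell
#!/bin/sh
# Constructed sample of `lsof -F n -w -n` output (one field per line:
# 'p' = PID, 'n' = file name). Assumed data, not output from a real host.
SAMPLE_LSOF='p1234
n/usr/sbin/smbd
n/home/smbshare/system
p5678
n/usr/sbin/sshd
n/tmp/adore.o'

# File names the rkhunter warning says it looks for (copied from the report).
SUSPECT_NAMES='backdoor adore.o mod_rootme.so phide_mod.o lbk.ko vlogger.o
cleaner.o cleaner ava tzava mod_klgr.o hydra hydra.restore ras2xm vobiscum
sshd3 system t0rnsb t0rns t0rnp rx4u rx2me crontab sshdu glotzer holber xhide
xh emech psybnc mech httpd.bin mh xl write Phantasmagoria.o lkt.o nlkt.o'

# Assumed whitelist of full paths that are known-good on this host.
WHITELIST='/home/smbshare/system'

# check_proc_files LSOF_OUTPUT WHITELIST
# Prints "PID PATH" for every open file whose basename is in SUSPECT_NAMES
# and whose full path is not in the whitelist. Exits 0 either way.
check_proc_files() {
    printf '%s\n' "$1" | awk -v names="$SUSPECT_NAMES" -v wl="$2" '
        BEGIN {
            n = split(names, a, /[ \n]+/); for (i = 1; i <= n; i++) sus[a[i]] = 1
            m = split(wl, b, /[ \n]+/);    for (i = 1; i <= m; i++) ok[b[i]] = 1
        }
        /^p/ { pid = substr($0, 2) }          # new process record
        /^n/ {
            path = substr($0, 2)
            k = split(path, parts, "/")       # basename = last component
            base = parts[k]
            if ((base in sus) && !(path in ok)) print pid, path
        }'
}

# Stand-alone usage: show the raw check, then the same check with the whitelist.
echo "Without whitelist:";   check_proc_files "$SAMPLE_LSOF" ""
echo "With whitelist:";      check_proc_files "$SAMPLE_LSOF" "$WHITELIST"
```

On a real host you would replace `SAMPLE_LSOF` with `$(lsof -F n -w -n)`; the whitelist is deliberately keyed on the full path so that a legitimate directory named `system` can be excluded without also hiding a `system` binary dropped somewhere else.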

