
Re: rootkit/virus/trojan on squeeze 32 bit
On 03/11/2013 09:19 PM, David Guntner wrote:
> sp113438 grabbed a keyboard and wrote:
>> After running on my amd64 squeeze:
>> # rkhunter --update
>> rkhunter -c
>>
>> rkhunter showed one warning:
>>
>> Warning: Checking for possible rootkit strings [ Warning ]
>> [01:25:23] Found string 'hdparm' in file
>> '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
>> [01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'.
>> Possible rootkit: Xzibit Rootkit
>
> That's actually a fairly well-known false positive.
>
> If you want to silence that message, search your /etc/rkhunter.conf file
> for the part which has RTKT_FILE_WHITELIST= in it, and then whitelist
> that particular file. My own rkhunter.conf file has this in it:
>
> RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
>
> That string typically shows up in those two files, so adding them to the
> whitelist gets rid of the message. It's a known problem with the
> rkhunter db.
>
> Search Google for "rkhunter hdparm" and you'll find all kinds of
> references to it.
>
> --Dave
>
>
My guess is that the same idea may also apply to this?

[12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text

[12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.

[12:10:48]   Checking for hidden files and directories       [ Warning ]
[12:10:48] Warning: Hidden directory found: '/etc/.java'

-- 
Regards

Jack
Boston Tea Party, Coercive Acts, Powder Alarm, Revolution
Lessons not learned are bound to be repeated.
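An added check, not part of the thread or of rkhunter itself, for deciding whether warnings like the three above are safe to whitelist. Dave's whitelist fixes the hdparm string match; the other two checks have their own directives in rkhunter.conf (SCRIPTWHITELIST for the 'script replacement' check, which the log shows is already applied to lwp-request, and ALLOWHIDDENDIR for hidden directories). Before adding a file to any of them, the thing a practitioner wants to know is whether the file is owned by an installed package and still matches the checksum that package shipped. The script below maps each warning line to its directive and, for files, checks it against dpkg-query and the package's .md5sums list under /var/lib/dpkg/info. The sample log lines are constructed from the warnings quoted in this thread; the function names and the review-marker comments are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Maps rkhunter warnings of the
# kinds quoted above to the rkhunter.conf directive that silences them, and
# checks a flagged file against the dpkg database before suggesting it.
# Directive names (SCRIPTWHITELIST, ALLOWHIDDENDIR, RTKT_FILE_WHITELIST)
# are rkhunter.conf's own; the dpkg paths are the standard Debian ones.
# Function names and the sample log below are this example's own.

# Print the rkhunter.conf line that whitelists the file named in one
# warning line. Prints nothing and returns 1 for lines it does not handle.
whitelist_line_for() {
    line=$1
    case $line in
        *"has been replaced by a script: "*)
            path=${line#*"has been replaced by a script: "}
            printf 'SCRIPTWHITELIST=%s\n' "${path%%:*}"
            ;;
        *"Hidden directory found: '"*)
            path=${line#*"Hidden directory found: '"}
            printf 'ALLOWHIDDENDIR=%s\n' "${path%%\'*}"
            ;;
        *"Found string '"*"' in file '"*)
            path=${line#*"' in file '"}
            printf 'RTKT_FILE_WHITELIST=%s\n' "${path%%\'*}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Check that a file belongs to an installed package and still matches the
# MD5 recorded in that package's .md5sums list.
# Returns 0 if it matches, 1 if unowned or modified, 2 if dpkg is absent.
dpkg_file_ok() {
    f=$1
    command -v dpkg-query >/dev/null 2>&1 || return 2
    pkg=$(dpkg-query -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pkg" ] || return 1
    actual=$(md5sum "$f" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] || return 1
    # .md5sums entries use paths relative to /; multiarch packages may
    # record them under pkg:arch.md5sums.
    for sums in "/var/lib/dpkg/info/$pkg.md5sums" /var/lib/dpkg/info/"$pkg":*.md5sums; do
        [ -r "$sums" ] || continue
        want=$(awk -v p="${f#/}" '$2 == p { print $1; exit }' "$sums")
        [ "$want" = "$actual" ] && return 0
    done
    return 1
}

# Read rkhunter output on stdin and print one whitelist entry per warning,
# marked for review when the file cannot be verified. Directories are not
# listed in .md5sums, so ALLOWHIDDENDIR entries always get a manual look.
review_log() {
    while IFS= read -r line; do
        wl=$(whitelist_line_for "$line") || continue
        path=${wl#*=}
        case $wl in
            ALLOWHIDDENDIR=*)
                printf '# inspect the contents of %s first:\n%s\n' "$path" "$wl"
                ;;
            *)
                if dpkg_file_ok "$path"; then
                    printf '%s\n' "$wl"
                else
                    printf '# NOT verified by dpkg (rc=%s), do not add blindly:\n%s\n' "$?" "$wl"
                fi
                ;;
        esac
    done
}

# Constructed sample input: the warning lines quoted in this thread.
SAMPLE_LOG="[01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[12:10:48] Warning: Hidden directory found: '/etc/.java'"

# Usage: sh rkhunter-review.sh --demo   (or pipe a real rkhunter.log into review_log)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | review_log
fi
```

The caveat that goes with any local check of this kind: on a host you genuinely suspect is rooted, dpkg's own database and md5sums files are just more files the intruder could have edited, so a clean result here only tells you the file is consistent with the local package metadata. For a real investigation, compare against a freshly downloaded .deb from a mirror, or examine the disk from trusted boot media.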