identifying files found by rkhunter

der.hans PLUGd at LuftHans.com
Fri Aug 4 16:00:25 MST 2006


On 04 Aug 2006, alex at crackpot.org chatted thus:

> I run the program rkhunter daily to search for rootkits.  Recently, it
> found some hidden directories in /dev, and reported them as suspicious.
>
> /dev/.static

Probably udev. Note that it's a directory.

dpkg -L udev | grep static

Nothing for that, so it's probably created by some udev function.

> /dev/.udev

Definitely udev.

> /dev/.initramfs
> /dev/.initramfs-tools

Probably udev.

Check the udev package for what files it needs.

rkhunter probably needs to know about these files and not report them.
Hopefully it'll still check them to make sure they're the files they're
supposed to be.

ciao,

der.hans

>
> This is on a Debian machine.
> # uname -a
> Linux kiltlifter 2.6.16-2-686 #1 Sat Jul 15 21:59:21 UTC 2006 i686 GNU/Linux
> # more /etc/debian_version
> testing/unstable
>
> I have searched the rkhunter mailing list for a mention of these files.
> Nothing.  I've searched Google.  Nothing yet.  I've tried to see if they
> belong to a package (using dpkg -S).  Nothing.  I've wandered around in
> the directories and tried to identify the contents, but I haven't had any
> breakthroughs.
>
> Can anyone help me identify these directories and verify that they should
> actually be on my system?
>
> I wish I could say what changed on the day that I first saw this warning.
> This is a personal server, and though I keep its packages up to date, I
> don't have tons of time to invest in its maintenance.  I've had this
> warning from rkhunter for a while, but haven't had time to investigate.
> (Very sorry, I'm sure that information would be helpful...)
>
> thanks,
> alex

-- 
#  https://www.LuftHans.com/        http://www.CiscoLearning.org/
#  Join the League of Professional System Administrators! https://LOPSA.org/
#  Molotov Bible - religion thrown at other people in order to cause an
#  explosive situation - der.hans
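
Added example (not part of the original thread): a triage script for the hidden /dev entries discussed above. It first asks dpkg -S who ships each path, then falls back to searching dpkg's control files in /var/lib/dpkg/info for the path string, which catches directories a package creates at install time rather than ships. The function names and the DEV_DIR and DPKG_INFO_DIR overrides are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: explain hidden entries in /dev on a Debian system.
# DEV_DIR and DPKG_INFO_DIR are overridable (assumption of this sketch) so the
# logic can be exercised against a constructed tree.
DEV_DIR="${DEV_DIR:-/dev}"
DPKG_INFO_DIR="${DPKG_INFO_DIR:-/var/lib/dpkg/info}"

# Print each hidden top-level entry as "<type> <path>" (l, d, f or o).
list_hidden() {
    for p in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$p" ] || [ -L "$p" ] || continue
        if [ -L "$p" ]; then t=l
        elif [ -d "$p" ]; then t=d
        elif [ -f "$p" ]; then t=f
        else t=o; fi
        printf '%s %s\n' "$t" "$p"
    done
}

# Package that ships the path (the dpkg -S answer), or nothing.
pkg_shipping() {
    command -v dpkg >/dev/null 2>&1 || return 0
    dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1
}

# Packages whose control files (maintainer scripts, file lists) contain the
# path as a string: covers entries created at install time, not shipped.
pkgs_mentioning() {
    grep -lF -- "$1" "$DPKG_INFO_DIR"/* 2>/dev/null |
        sed 's|.*/||; s|\.[^.]*$||; s|:.*||' | sort -u | paste -s -d ' ' -
}

# One line per hidden entry: type, path, verdict (tab separated).
triage() {
    list_hidden "${1:-$DEV_DIR}" | while read -r t p; do
        shipped=$(pkg_shipping "$p")
        mentioned=$(pkgs_mentioning "$p")
        if [ -n "$shipped" ]; then verdict="shipped-by:$shipped"
        elif [ -n "$mentioned" ]; then verdict="referenced-by:$mentioned"
        else verdict="UNEXPLAINED"; fi
        printf '%s\t%s\t%s\n' "$t" "$p" "$verdict"
    done
}

# Run only when given a directory argument, e.g.: sh triage.sh /dev
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

An UNEXPLAINED verdict means only that neither lookup found an owner; it marks the entries whose contents still need to be inspected by hand.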

