These are known issues.

From /usr/share/doc/rkhunter/README.Debian:

Below is a list of common hidden files and directories known to set off
false alarms in rkhunter:

* /dev/.static/, /dev/.udev & /dev/.udevdb/ - used by udev

IIRC, there are already bug reports filed about initramfs false positives.

Anthony

On 8/4/06, alex@crackpot.org wrote:
> I run the program rkhunter daily to search for rootkits. Recently, it
> found some hidden directories in /dev, and reported them as suspicious.
>
> /dev/.static
> /dev/.udev
> /dev/.initramfs
> /dev/.initramfs-tools
>
> This is on a Debian machine.
> # uname -a
> Linux kiltlifter 2.6.16-2-686 #1 Sat Jul 15 21:59:21 UTC 2006 i686 GNU/Linux
> # more /etc/debian_version
> testing/unstable
>
> I have searched the rkhunter mailing list for a mention of these files.
> Nothing. I've searched Google. Nothing yet. I've tried to see if they
> belong to a package (using dpkg -S). Nothing. I've wandered around in
> the directories and tried to identify the contents, but I haven't had any
> breakthroughs.
>
> Can anyone help me identify these directories and verify that they should
> actually be on my system?
>
> I wish I could say what changed on the day that I first saw this warning.
> This is a personal server, and though I keep its packages up to date, I
> don't have tons of time to invest in its maintenance. I've had this
> warning from rkhunter for a while, but haven't had time to investigate.
> (Very sorry, I'm sure that information would be helpful...)
>
> thanks,
> alex
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
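
An added example, not part of the original thread and not rkhunter's own code: a small shell triage that sorts hidden entries under /dev into the names the quoted README.Debian excerpt lists, the initramfs names the reply only recalls from bug reports, and everything else. The function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Triage hidden entries in a directory (default /dev) after an rkhunter warning.
# Usage once sourced:  triage_hidden /dev

# Names listed in the README.Debian excerpt quoted in the reply.
README_KNOWN=".static .udev .udevdb"
# Names the reply only recalls from bug reports: weaker evidence, confirm separately.
RECALLED=".initramfs .initramfs-tools"

classify_hidden() {
    # $1 = basename of a hidden entry; prints one verdict label.
    for n in $README_KNOWN; do
        if [ "$1" = "$n" ]; then echo "readme-known"; return 0; fi
    done
    for n in $RECALLED; do
        if [ "$1" = "$n" ]; then echo "recalled-false-positive"; return 0; fi
    done
    # Not covered by anything in the thread; needs a manual look.
    echo "unexplained"
}

triage_hidden() {
    # $1 = directory to scan. Prints "<verdict> <path>" for each hidden entry.
    # Returns 1 when at least one entry is unexplained, so a cron job can alert.
    dir=${1:-/dev}
    found=0
    for path in "$dir"/.[!.]* "$dir"/..?*; do
        # Skip patterns that matched nothing (the glob stays literal).
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then continue; fi
        verdict=$(classify_hidden "$(basename "$path")")
        echo "$verdict $path"
        if [ "$verdict" = "unexplained" ]; then found=1; fi
    done
    return $found
}
```

A "readme-known" verdict only says the name matches a documented false alarm; the contents of the directory still deserve a look if anything else on the host seems off.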