On 8/4/06, Anthony Boynes wrote:
> These are known issues.
>
> From /usr/share/doc/rkhunter/README.Debian
>
> Below is a list of common hidden files and directories known to set off
> false alarms in rkhunter:
>
> * /dev/.static/, /dev/.udev & /dev/.udevdb/ - used by udev
>
> IIRC, there are already bug reports filed about initramfs false positives.
>
> Anthony

The reason it sets off alarms is because rkhunter was written assuming /dev would always contain static files (i.e. 2.4.x vs 2.6.x), so when it sees .blah it assumes it's an attacker's hidden directory (/dev is a popular place for rootkits and trojans to hide their dirs).

Personally, I'd recommend chkrootkit over rkhunter, but both are about equally useless since people don't really use rootkits from 2001 anymore, nor are recent updates to either checker reflective of advancements in backdoor technology. :-\
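To make the heuristic discussed in this thread concrete, here is an added example (not code from the thread, and not rkhunter's or chkrootkit's own implementation) that reproduces the "hidden entry under /dev" check and applies the three udev paths from the Debian README as an allowlist, so only dotted entries that udev does not explain are reported. The allowlist entries come from the quoted README; the function names and the sample listing are constructed for the example.

```python
import os
import posixpath

# Hidden entries under /dev that the Debian rkhunter README names as known
# udev false positives (quoted in the thread). Everything else hidden below
# /dev is reported, mirroring the "static /dev" assumption described above.
KNOWN_UDEV_HIDDEN = {"/dev/.static", "/dev/.udev", "/dev/.udevdb"}


def is_hidden_under_dev(path: str) -> bool:
    """True if any path component below /dev starts with a dot."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/dev/"):
        return False
    parts = norm[len("/dev/"):].split("/")
    return any(p.startswith(".") for p in parts)


def is_allowlisted(path: str) -> bool:
    """True if the path is, or lies beneath, a known-benign udev entry."""
    norm = posixpath.normpath(path)
    return any(norm == a or norm.startswith(a + "/") for a in KNOWN_UDEV_HIDDEN)


def suspicious_dev_entries(paths):
    """Return the hidden /dev paths that the udev allowlist does not explain."""
    return sorted(p for p in paths
                  if is_hidden_under_dev(p) and not is_allowlisted(p))


def scan_dev(root="/dev"):
    """Walk a live /dev tree (hypothetical helper) and return reportable entries."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            found.append(posixpath.join(dirpath, name))
    return suspicious_dev_entries(found)


# Constructed sample listing (not taken from any real system): three udev
# entries, one ordinary device node, and two dotted entries with no udev
# explanation that the check should surface.
SAMPLE_LISTING = [
    "/dev/.static/dev/null",
    "/dev/.udev/db",
    "/dev/.udevdb",
    "/dev/null",
    "/dev/.hidden_dir/x",
    "/dev/shm/.cache",
]

if __name__ == "__main__":
    for p in suspicious_dev_entries(SAMPLE_LISTING):
        print("hidden entry not explained by udev:", p)
```

Running the sample listing reports only `/dev/.hidden_dir/x` and `/dev/shm/.cache`; the udev directories are silenced by the allowlist rather than by loosening the check itself, which is the distinction the thread is making between a false positive and a bad heuristic. On a live system, `scan_dev()` walks the real `/dev` tree the same way, and any path it returns is something to explain, not necessarily a compromise.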