On 8/4/06, Anthony Boynes <aboynes@gmail.com> wrote:
These are known issues.
>From /usr/share/doc/rkhunter/README.Debian
Below is a list of common hidden files and directories known to set off
false alarms in rkhunter:
* /dev/.static/, /dev/.udev & /dev/.udevdb/ - used by udev
IIRC, there are already bug reports filed about initramfs false positives.
Anthony
The reason it sets off alarms, is because rkhunter was written assuming /dev would always contain static files(ie.
2.4.x vs 2.6.x), so when it sees .blah it assumes it's an attackers hidden directory(/dev is a popular place for rootkits and trojans to hide their dirs). Personally, I'd recommend chkrootkit over rkhunter, but both are about equally useless since people don't really use rookits from 2001 anymore, nor are recent updates to either checker reflective of advancements in backdoor technology. :-\