Re: identifying files found by rkhunter

Author: der.hans
Date:  
To: Main PLUG discussion list
Subject: Re: identifying files found by rkhunter
On 04. Aug, 2006, chattered thus:

> I run the program rkhunter daily to search for rootkits. Recently, it
> found some hidden directories in /dev, and reported them as suspicious.
>
> /dev/.static


Probably udev. Note that it's a directory.

dpkg -L udev | grep static

Nothing for that, so it's probably created by some udev function.

> /dev/.udev


Definitely udev.

> /dev/.initramfs
> /dev/.initramfs-tools


Probably udev.

Check the udev package for what files it needs.

rkhunter probably needs to know about these files and not report them.
Hopefully it'll still check them to make sure they're the files they're
supposed to be.

ciao,

der.hans

>
> This is on a Debian machine.
> # uname -a
> Linux kiltlifter 2.6.16-2-686 #1 Sat Jul 15 21:59:21 UTC 2006 i686 GNU/Linux
> # more /etc/debian_version
> testing/unstable
>
> I have searched the rkhunter mailing list for a mention of these files.
> Nothing. I've searched Google. Nothing yet. I've tried to see if they
> belong to a package (using dpkg -S). Nothing. I've wandered around in
> the directories and tried to identify the contents, but I haven't had any
> breakthroughs.
>
> Can anyone help me identify these directories and verify that they should
> actually be on my system?
>
> I wish I could say what changed on the day that I first saw this warning.
> This is a personal server, and though I keep its packages up to date, I
> don't have tons of time to invest in its maintenance. I've had this
> warning from rkhunter for a while, but haven't had time to investigate.
> (Very sorry, I'm sure that information would be helpful...)
>
> thanks,
> alex
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>


-- 
#  https://www.LuftHans.com/        http://www.CiscoLearning.org/
#  Join the League of Professional System Administrators! https://LOPSA.org/
#  Molotov Bible - religion thrown at other people in order to cause an
#  explosive situation - der.hans
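
One way to run the check suggested in the reply above across every hidden entry in /dev, as an added example that is not part of the original message: each path is looked up in dpkg's file lists and, when no package owns it, the literal path is searched for in maintainer and boot scripts, which is where a directory created at runtime would show up. The function names, the DPKG_INFO and SCRIPT_DIRS variables and the choice of script directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage hidden entries under /dev that a scanner flagged.
# DPKG_INFO and SCRIPT_DIRS are overridable so the logic can be tested
# against a constructed tree; the defaults are the usual Debian locations.
DPKG_INFO="${DPKG_INFO:-/var/lib/dpkg/info}"
SCRIPT_DIRS="${SCRIPT_DIRS:-/etc/init.d /usr/share/initramfs-tools}"

# classify PATH: print owned:<pkg>, referenced:<script>, or unknown.
classify() {
    c_path=$1
    # 1. Exact line match in a package file list (the data dpkg -S uses).
    #    -F keeps the dots in names like .udev from acting as wildcards.
    c_hit=$(grep -lxF -- "$c_path" "$DPKG_INFO"/*.list 2>/dev/null | head -n1)
    if [ -n "$c_hit" ]; then
        c_hit=${c_hit##*/}
        echo "owned:${c_hit%.list}"
        return 0
    fi
    # 2. Not shipped by any package: look for the literal path in maintainer
    #    scripts and boot scripts. A hit names the script to read next; it
    #    does not by itself prove the directory's contents are legitimate.
    c_hit=$(grep -rlF -- "$c_path" "$DPKG_INFO"/*.postinst \
            "$DPKG_INFO"/*.preinst $SCRIPT_DIRS 2>/dev/null | head -n1)
    if [ -n "$c_hit" ]; then echo "referenced:$c_hit"; return 0; fi
    echo "unknown"
}

# ftype PATH: coarse file type, testing for a symlink before following it.
ftype() {
    if [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo special; fi
}

# triage [DIR]: one tab-separated line per hidden entry: path, type, verdict.
# The second glob also catches names that start with two dots.
triage() {
    t_dir=${1:-/dev}
    for t_entry in "$t_dir"/.[!.]* "$t_dir"/..?*; do
        [ -e "$t_entry" ] || [ -L "$t_entry" ] || continue
        t_name=${t_entry##*/}
        printf '%s\t%s\t%s\n' "/dev/$t_name" "$(ftype "$t_entry")" \
            "$(classify "/dev/$t_name")"
    done
}

triage "${1:-/dev}"
```

Entries reported as unknown are the ones left to inspect by hand.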