Re: identifying files found by rkhunter

Author: Joseph Sinclair
Date:  
To: Main PLUG discussion list
Subject: Re: identifying files found by rkhunter
Just to add a little to what Hans said,

I did a little research on this on my system, and determined the following:
    .udev is used by the hotplug/automount system to maintain a dynamic database of connections and failed connections
    .static is used by udev to maintain a list of non-removable (static) devices
    .initramfs is used by udev to manage the udev filesystem (which is derived from the ramfs filesystem)


der.hans wrote:
> On 04. Aug, 2006 chatted thus:
>
>> I run the program rkhunter daily to search for rootkits. Recently, it
>> found some hidden directories in /dev, and reported them as suspicious.
>>
>> /dev/.static
>
> Probably udev. Note that it's a directory.
>
> dpkg -L udev | grep static
>
> Nothing for that, so it's probably created by some udev function.
>
>> /dev/.udev
>
> Definitely udev.
>
>> /dev/.initramfs
>> /dev/.initramfs-tools
>
> Probably udev.
>
> Check the udev package for what files it needs.
>
> rkhunter probably needs to know about these files and not report them.
> Hopefully it'll still check them to make sure they're the files they're
> supposed to be.
>
> ciao,
>
> der.hans
>
>>
>> This is on a Debian machine.
>> # uname -a
>> Linux kiltlifter 2.6.16-2-686 #1 Sat Jul 15 21:59:21 UTC 2006 i686
>> GNU/Linux
>> # more /etc/debian_version
>> testing/unstable
>>
>> I have searched the rkhunter mailing list for a mention of these files.
>> Nothing. I've searched Google. Nothing yet. I've tried to see if they
>> belong to a package (using dpkg -S). Nothing. I've wandered around in
>> the directories and tried to identify the contents, but I haven't had any
>> breakthroughs.
>>
>> Can anyone help me identify these directories and verify that they should
>> actually be on my system?
>>
>> I wish I could say what changed on the day that I first saw this warning.
>> This is a personal server, and though I keep its packages up to date, I
>> don't have tons of time to invest in its maintenance. I've had this
>> warning from rkhunter for a while, but haven't had time to investigate.
>> (Very sorry, I'm sure that information would be helpful...)
>>
>> thanks,
>> alex
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
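An added example, not part of the original thread and not rkhunter's own logic: a shell function that triages hidden entries under /dev the way the replies above suggest, so a familiar name is still checked for what it actually is. The function name `classify_hidden`, the `KNOWN` list (built from the four names in this thread) and the use of GNU `stat -c` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: triage hidden entries in a device directory.
# KNOWN holds the names discussed in this thread (assumption: adjust per system).
KNOWN=".udev .static .initramfs .initramfs-tools"

# classify_hidden DIR [UID]   (hypothetical helper; UID is the expected owner)
# Prints one line per hidden entry: "<verdict> <path> <reason>"
classify_hidden() {
    dir=${1:-/dev}
    want_uid=${2:-0}
    for p in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$p" ] || [ -L "$p" ] || continue    # glob matched nothing
        name=${p##*/}
        verdict=unknown reason="not in known list"
        for k in $KNOWN; do
            [ "$name" = "$k" ] && verdict=known reason="udev/initramfs runtime name"
        done
        # A familiar name is not enough: check type, owner and permissions.
        if [ -L "$p" ]; then
            verdict=suspect reason="symlink"
        elif [ "$verdict" = known ] && [ ! -d "$p" ]; then
            verdict=suspect reason="expected a directory"
        elif [ "$(stat -c %u "$p")" != "$want_uid" ]; then
            verdict=suspect reason="owner uid is not $want_uid"
        elif [ -n "$(find "$p" -maxdepth 0 -perm -0002)" ]; then
            verdict=suspect reason="world-writable"
        fi
        # Package ownership lookup, as tried in the thread with dpkg -S.
        if command -v dpkg >/dev/null 2>&1 && pkg=$(dpkg -S "$p" 2>/dev/null); then
            reason="$reason; owned by ${pkg%%:*}"
        fi
        printf '%s %s %s\n' "$verdict" "$p" "$reason"
    done
}

# Run only when a directory is given on the command line, e.g.: sh triage.sh /dev
if [ $# -gt 0 ]; then
    classify_hidden "$@"
fi
```

Entries reported as `unknown` or `suspect` are the ones worth inspecting by hand before adding any exception to the scanner's configuration.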