Re: identifying files found by rkhunter

Author: Edward Norton
Date:  
To: Main PLUG discussion list
Subject: Re: identifying files found by rkhunter
On 8/4/06, Anthony Boynes <> wrote:
>
> These are known issues.
>
> From /usr/share/doc/rkhunter/README.Debian
>
> Below is a list of common hidden files and directories known to set off
> false alarms in rkhunter:
>
> * /dev/.static/, /dev/.udev & /dev/.udevdb/ - used by udev
>
> IIRC, there are already bug reports filed about initramfs false positives.
>
>
> Anthony
>
>

The reason it sets off alarms is because rkhunter was written assuming
/dev would always contain static files (i.e. 2.4.x vs 2.6.x), so when it sees
.blah it assumes it's an attacker's hidden directory (/dev is a popular place
for rootkits and trojans to hide their dirs). Personally, I'd recommend
chkrootkit over rkhunter, but both are about equally useless since people
don't really use rootkits from 2001 anymore, nor are recent updates to either
checker reflective of advancements in backdoor technology. :-\
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
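An added example, not code from the thread or from rkhunter: a POSIX shell script that enumerates hidden entries directly under a directory (meant for /dev) and sets aside the three udev paths the Debian README names, so only the unexplained ones are printed for manual review. It runs on a constructed temporary directory standing in for /dev; the list of known names is assumed from the README quoted above.

```shell
#!/bin/sh
# Added example: separate udev's known hidden entries under /dev from anything
# else that deserves a closer look. The allowlist is the one quoted from
# Debian's README.Debian for rkhunter (assumed complete only for that README).
KNOWN_UDEV_HIDDEN=".static .udev .udevdb"

is_known_hidden() {
    # $1 = basename; returns 0 if it is one of the known udev entries
    for k in $KNOWN_UDEV_HIDDEN; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Print hidden entries in $1 (default /dev) that are NOT on the udev list.
unexplained_hidden() {
    dir=${1:-/dev}
    # Both globs together cover every name starting with '.' except '.' and '..'
    for p in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # glob matched nothing
        name=${p##*/}
        is_known_hidden "$name" || printf '%s\n' "$p"
    done
}

# Constructed demo tree standing in for /dev so the script runs offline:
# three udev directories plus two entries udev would not create.
demo_dev=$(mktemp -d)
trap 'rm -rf "$demo_dev"' EXIT
mkdir -p "$demo_dev/.udev" "$demo_dev/.static" "$demo_dev/.udevdb" "$demo_dev/.hidden"
: > "$demo_dev/.oddfile"
: > "$demo_dev/null"

unexplained_hidden "$demo_dev"
```

Run it against the real /dev by calling `unexplained_hidden /dev`; an empty result means every hidden entry there is one udev is known to create.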