identifying files found by rkhunter

Edward Norton r00t3d at gmail.com
Fri Aug 4 20:27:41 MST 2006


On 8/4/06, Anthony Boynes <aboynes at gmail.com> wrote:
>
> These are known issues.
>
> From /usr/share/doc/rkhunter/README.Debian
>
> Below is a list of common hidden files and directories known to set off
> false alarms in rkhunter:
>
>   * /dev/.static/, /dev/.udev & /dev/.udevdb/ - used by udev
>
> IIRC, there are already bug reports filed about initramfs false positives.
>
>
> Anthony
>
>
The reason it sets off alarms is because rkhunter was written assuming
/dev would always contain static files (i.e. 2.4.x vs 2.6.x), so when it sees
.blah it assumes it's an attacker's hidden directory (/dev is a popular place
for rootkits and trojans to hide their dirs). Personally, I'd recommend
chkrootkit over rkhunter, but both are about equally useless since people
don't really use rootkits from 2001 anymore, nor are recent updates to either
checker reflective of advancements in backdoor technology. :-\
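A small triage helper for the situation described in this thread, as an added example that is not part of the original post or of rkhunter itself: it takes the hidden /dev entries an rkhunter run complains about, marks the ones the quoted README.Debian entry names as udev artefacts (/dev/.static, /dev/.udev, /dev/.udevdb) as benign, and leaves everything else flagged for a manual look. The sample paths are constructed; the allowlist is the one quoted above and nothing more.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter): separate hidden
# entries under /dev that README.Debian lists as udev artefacts from any
# other hidden entry, which still deserves a manual look.

# Allowlist taken from the quoted README.Debian entry. Trailing slashes are
# stripped when comparing so "/dev/.udev" and "/dev/.udev/" both match.
KNOWN_BENIGN="/dev/.static /dev/.udev /dev/.udevdb"

# is_known_benign PATH -> exit 0 if PATH is an allowlisted entry or lives
# beneath one, 1 otherwise.
is_known_benign() {
    p=${1%/}
    for k in $KNOWN_BENIGN; do
        case "$p" in
            "$k"|"$k"/*) return 0 ;;
        esac
    done
    return 1
}

# triage_hidden: read one path per line on stdin and print each line
# prefixed with "benign:" or "review:" so the result can be grepped.
triage_hidden() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_known_benign "$path"; then
            printf 'benign: %s\n' "$path"
        else
            printf 'review: %s\n' "$path"
        fi
    done
}

# find_hidden_dev: what you would feed into triage_hidden on a live host.
# Lists hidden entries directly under /dev (-maxdepth is GNU find).
find_hidden_dev() {
    find /dev -maxdepth 1 -name '.*' ! -name '.' ! -name '..' 2>/dev/null
}

# Constructed sample input standing in for rkhunter's hidden-file warnings.
SAMPLE='/dev/.static/
/dev/.udev
/dev/.udevdb/
/dev/.hidden_dir
/dev/shm/.x'

# count_review: number of sample entries that still need a manual look.
count_review() {
    printf '%s\n' "$SAMPLE" | triage_hidden | grep -c '^review:'
}

# Run with --demo to print the triaged sample; on a real host pipe
# find_hidden_dev into triage_hidden instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | triage_hidden
fi
```

The point of the allowlist is that it is short and sourced from the distribution's own documentation, so a new hidden entry under /dev that is not on it still shows up as "review:" rather than disappearing into the noise of the known udev false positives.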

