On Tue, 15 Aug 2023 at 12:51, Santiago Vila <sanv...@debian.org> wrote:
> On a Debian system with ansible and chkrootkit installed,
> chkrootkit warns that ansible has possibly the Adore Worm.
> WARNING: Possible Adore Worm installed:
> /usr/lib/python3/dist-packages/ansible_collections/cyberark/conjur/dev/start.sh

The test from upstream simply flags any file under /usr/lib that is named start.sh as a possible adore worm.

This is a classic example of a false positive -- ansible seems to be the only package providing such a file, so it is best to leave users to filter or change the report to ignore or hide the message: see /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz for various ways to do this.

-- we can add this as an example to that file
-- one thing we could also do, is to have chkrootkit check if files are from packages with 'dpkg -S' which would give the user more information about where files came from
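The 'dpkg -S' idea from the message above, sketched as an added example that is not part of the original message or of chkrootkit: it annotates each flagged path with the owning package and goes one step further by asking `dpkg --verify` whether the file still matches the package's recorded checksum. The helper names and the state labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example; owner_of, file_state and annotate_flagged are hypothetical names.

# Print the package(s) dpkg records for a path, or "unowned".
owner_of() {
    # dpkg -S prints "pkg: /path" and fails when no package ships the path.
    out=$(dpkg -S "$1" 2>/dev/null | grep -v '^diversion ') || out=""
    if [ -z "$out" ]; then echo "unowned"; return 0; fi
    printf '%s\n' "$out" | head -n 1 | sed 's/: .*//'
}

# Ownership alone does not show the file is the one the package shipped:
# dpkg --verify lists files that differ from the package's recorded checksums.
file_state() {   # $1 = path, $2 = result of owner_of
    if [ "$2" = "unowned" ]; then echo "not-from-a-package"; return 0; fi
    if dpkg --verify "${2%%,*}" 2>/dev/null |
        awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'; then
        echo "owned-verify-differs"
    else
        echo "owned-verify-clean"
    fi
}

# Read scanner output on stdin; every token starting with "/" is taken as a
# flagged path (assumption: paths contain no whitespace).
annotate_flagged() {
    tr -s ' \t' '\n' | grep '^/' | while IFS= read -r path; do
        pkgs=$(owner_of "$path")
        printf '%s\t%s\t%s\n' "$path" "$pkgs" "$(file_state "$path" "$pkgs")"
    done
}

# Constructed sample: the warning quoted in the message above.
SAMPLE='WARNING: Possible Adore Worm installed:
/usr/lib/python3/dist-packages/ansible_collections/cyberark/conjur/dev/start.sh'
printf '%s\n' "$SAMPLE" | annotate_flagged
```

Output is one tab-separated line per flagged path: the path, the owning package(s), and the state.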