I got an alert shortly after starting it up for the first time:

Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Trojaned version of file '/bin/lsof' detected. Signature used: '/prof|/dev/[^pcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Trojan)

This was very cool. The problem is that I built the dang thing (lsof). Not that the source code couldn't have been contaminated. So I tried to figure out what trojan it was.

# strings /usr/bin/lsof | egrep "/prof|/dev/[^pcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp"
/dev/allkmem
#

I did a search through some of the other rootkit detectors and I found that chkrootkit looks for /prof, and rkhunter doesn't use strings. Can you tell me how you came up with your rules?

--HAPS

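Added example (editor's code, not from the post above or from any rootkit checker): a small reproduction of the `strings | egrep` check the poster ran, applied to a constructed byte string standing in for a binary's string table. It shows why `/dev/allkmem` trips the `/dev/[^pcmnfk]` alternative (the character after `/dev/` is `a`, which the exclusion class does not cover) while `/dev/kmem`, `/dev/mem`, `/dev/pts` and `/dev/null` do not, which is the kind of per-fragment triage that separates a false positive from a real hit.

```python
import re

# The signature quoted in the alert above, applied per extracted string
# exactly as `strings | egrep` does (so ^ anchors each string).
SIGNATURE = r"/prof|/dev/[^pcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp"
SIG_RE = re.compile(SIGNATURE)


def extract_strings(data: bytes, min_len: int = 4):
    """Emulate `strings`: return runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def signature_hits(data: bytes):
    """Return (string, matched_fragment) pairs that would fire the rule.

    Reporting the matched fragment, not just the string, tells the analyst
    which alternative of the signature was responsible for the alert.
    """
    hits = []
    for s in extract_strings(data):
        m = SIG_RE.search(s)
        if m:
            hits.append((s, m.group()))
    return hits


# Constructed stand-in for an lsof binary's string table (not a real ELF).
FAKE_LSOF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
             + b"/dev/allkmem\x00/dev/kmem\x00/dev/mem\x00/proc\x00"
             + b"/dev/pts\x00/dev/null\x00")

if __name__ == "__main__":
    for s, frag in signature_hits(FAKE_LSOF):
        print(f"{s!r} matched on {frag!r}")
```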