I'd say false positive, as the package flex installs libfl.so to /usr/lib, but you can check your md5 hash against mine. I'm running etch with flex 2.5.33-11 installed.

:~$ stat /usr/lib/libfl.so
  File: `/usr/lib/libfl.so'
  Size: 773 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 313411 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2007-08-28 09:10:34.000000000 -0500
Modify: 2007-01-18 20:33:21.000000000 -0600
Change: 2007-08-28 09:10:42.000000000 -0500

:~$ md5sum -b /usr/lib/libfl.so
bd73306a4c6fd78d37ddb78e451f865c */usr/lib/libfl.so

The 'flex' package installs these files:

/.
/usr
/usr/bin
/usr/bin/flex
/usr/include
/usr/include/FlexLexer.h
/usr/share
/usr/share/info
/usr/share/info/flex.info-2.gz
/usr/share/info/flex.info-7.gz
/usr/share/info/flex.info-6.gz
/usr/share/info/flex.info-1.gz
/usr/share/info/flex.info.gz
/usr/share/info/flex.info-4.gz
/usr/share/info/flex.info-3.gz
/usr/share/info/flex.info-5.gz
/usr/share/doc
/usr/share/doc/flex
/usr/share/doc/flex/NEWS.gz
/usr/share/doc/flex/NEWS.Debian.gz
/usr/share/doc/flex/README.Debian.gz
/usr/share/doc/flex/README.gz
/usr/share/doc/flex/changelog.Debian.gz
/usr/share/doc/flex/copyright
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/flex
/usr/share/locale
/usr/share/locale/da
/usr/share/locale/da/LC_MESSAGES
/usr/share/locale/da/LC_MESSAGES/flex.mo
/usr/share/locale/pt_BR
/usr/share/locale/pt_BR/LC_MESSAGES
/usr/share/locale/pt_BR/LC_MESSAGES/flex.mo
/usr/share/locale/ga
/usr/share/locale/ga/LC_MESSAGES
/usr/share/locale/ga/LC_MESSAGES/flex.mo
/usr/share/locale/vi
/usr/share/locale/vi/LC_MESSAGES
/usr/share/locale/vi/LC_MESSAGES/flex.mo
/usr/share/locale/es
/usr/share/locale/es/LC_MESSAGES
/usr/share/locale/es/LC_MESSAGES/flex.mo
/usr/share/locale/sv
/usr/share/locale/sv/LC_MESSAGES
/usr/share/locale/sv/LC_MESSAGES/flex.mo
/usr/share/locale/de
/usr/share/locale/de/LC_MESSAGES
/usr/share/locale/de/LC_MESSAGES/flex.mo
/usr/share/locale/ro
/usr/share/locale/ro/LC_MESSAGES
/usr/share/locale/ro/LC_MESSAGES/flex.mo
/usr/share/locale/nl
/usr/share/locale/nl/LC_MESSAGES
/usr/share/locale/nl/LC_MESSAGES/flex.mo
/usr/share/locale/ko
/usr/share/locale/ko/LC_MESSAGES
/usr/share/locale/ko/LC_MESSAGES/flex.mo
/usr/share/locale/zh_CN
/usr/share/locale/zh_CN/LC_MESSAGES
/usr/share/locale/zh_CN/LC_MESSAGES/flex.mo
/usr/share/locale/tr
/usr/share/locale/tr/LC_MESSAGES
/usr/share/locale/tr/LC_MESSAGES/flex.mo
/usr/share/locale/ca
/usr/share/locale/ca/LC_MESSAGES
/usr/share/locale/ca/LC_MESSAGES/flex.mo
/usr/share/locale/pl
/usr/share/locale/pl/LC_MESSAGES
/usr/share/locale/pl/LC_MESSAGES/flex.mo
/usr/share/locale/ru
/usr/share/locale/ru/LC_MESSAGES
/usr/share/locale/ru/LC_MESSAGES/flex.mo
/usr/share/locale/fr
/usr/share/locale/fr/LC_MESSAGES
/usr/share/locale/fr/LC_MESSAGES/flex.mo
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/flex.1.gz
/usr/lib
/usr/lib/libfl.so
/usr/lib/libfl_pic.a
/usr/lib/libfl.a
/usr/bin/flex++
/usr/bin/lex
/usr/share/doc/flex/changelog.gz
/usr/share/man/man1/lex.1.gz
/usr/share/man/man1/flex++.1.gz
/usr/lib/libl.a

Thomas Wagner wrote:
> I just upgraded from sarge to etch and got the following message. What do you
> think of it?
>
> OSSEC HIDS Notification.
> 2007 Aug 28 14:32:18
>
> Received From: h966380->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> Rootkit 'Showtee' detected by the presence of file '/usr/lib/libfl.so'.
>
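
The check suggested in the reply above (is the flagged file the one the package shipped?) can also be run against a dpkg-style md5sums manifest; the following is an added example, not part of the original thread. The function names, return codes and scratch fixture are assumptions of this example; on a Debian host the manifest is typically /var/lib/dpkg/info/flex.md5sums and the root is /.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a file flagged by
# rootcheck matches what its package shipped, using a dpkg-style md5sums manifest
# with lines of the form "<md5>  <path without leading slash>".

# check_flagged MANIFEST ROOT PATH  (hypothetical helper)
# Returns 0 = hash matches, 1 = hash differs, 2 = path not in manifest, 3 = file missing.
check_flagged() {
    cf_manifest=$1; cf_root=$2; cf_rel=${3#/}
    # Look up the recorded hash; strip "<md5><spaces>" so paths with spaces still match.
    cf_expected=$(awk -v p="$cf_rel" '
        { h = $1; sub(/^[^ ]+ +/, ""); if ($0 == p) { print h; exit } }' "$cf_manifest")
    if [ -z "$cf_expected" ]; then
        echo "UNOWNED   /$cf_rel is not listed in $cf_manifest"; return 2
    fi
    if [ ! -f "$cf_root/$cf_rel" ]; then
        echo "MISSING   /$cf_rel"; return 3
    fi
    cf_actual=$(md5sum -b "$cf_root/$cf_rel" | awk '{ print $1 }')
    if [ "$cf_actual" = "$cf_expected" ]; then
        echo "MATCH     /$cf_rel $cf_actual"; return 0
    fi
    echo "MISMATCH  /$cf_rel expected=$cf_expected actual=$cf_actual"; return 1
}

# Constructed fixture: a scratch root holding a stand-in libfl.so and a manifest
# recording its hash. The file content is made up; only the layout mirrors the thread.
make_fixture() {
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/root/usr/lib"
    printf 'constructed stand-in for libfl.so\n' > "$fx/root/usr/lib/libfl.so"
    (cd "$fx/root" && md5sum usr/lib/libfl.so) > "$fx/flex.md5sums"
    echo "$fx"
}

demo() {
    fx=$(make_fixture) || return 1
    check_flagged "$fx/flex.md5sums" "$fx/root" /usr/lib/libfl.so    # unchanged: returns 0
    printf 'tampered\n' >> "$fx/root/usr/lib/libfl.so"
    check_flagged "$fx/flex.md5sums" "$fx/root" /usr/lib/libfl.so    # modified: returns 1
    check_flagged "$fx/flex.md5sums" "$fx/root" /usr/lib/unknown.so  # unlisted: returns 2
    rm -rf "$fx"
    return 0
}
demo
```

A manifest stored on the same host can be altered by anyone with root there, so a hash from a known-good source, such as the second machine offered in the reply, is the stronger comparison.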
