unsp...@hushmail.com wrote:
> On Fri, 04 Dec 2009 19:30:29 +0100 Mike McCarty
> <mike.mcca...@sbcglobal.net> wrote:
>> [11:55:06] Info: Starting test name 'possible_rkt_files'
>> (..)
>> [11:55:17] Found directory '/dev/ida'. Possible rootkit:
>> Possible rootkit component
>> (I see nothing suspicious in that directory.)
>
> So what is causing the directory to exist? Do you use a Compaq
> Smart Raid or equivalent array that uses /dev/ida/?

No, I don't. However, I also don't use udev, so I've got every kind
of device node in the world over in /dev, including /dev/ida stuff.
However, I don't see any _files_ in there.

>> [11:55:54] Found string 'hdparm' in file
>> '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
>>
>> (Well, it's certainly in there, but it appears correct to me.)
>
> Thanks for reporting. The mailing list archives by now should
> contain enough references to whitelisting hdparm false positives
> using RTKT_FILE_WHITELIST (+ USER_FILEPROP_FILES_DIRS).

Or, I can just add it to my "mental whitelist" :-)

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users