Hello!

I installed the latest version of rkhunter (from sources) on a server running Debian Etch and after running a check I got the following warning:

    Warning: Checking for possible rootkit strings [ Warning ]
    Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit

Is this a possible false positive? I'm asking because the server is pretty hardened, so the existence of a rootkit would be a huge surprise (considering the security measures that are applied), and also because I went through the script in question and didn't find anything wrong with it. I'm not excluding the possibility of a rootkit, or of a mistake on my part in reviewing the script, so I want to be safe.

I saw that there are similar issues on other distributions as well, like CentOS or Ubuntu. Any thoughts on this?

Could somebody post (on some pastebin service) an /etc/init.d/hdparm script that passed the latest rkhunter's check and is the Debian Etch specific service script, and post the link on the mailing list? I only want to be on the safe side with this.

Thank you!

P.S. I also checked the script using Debian package checksums and compared the files in the package with a pristine clean version from a public repository and found nothing.

levi
--
Lege, lege, relege, ora, labora et invenies.

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
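
The checksum comparison mentioned in the P.S., as an added example that is not part of the original message: dpkg records the packaged MD5 of each conffile in the `Conffiles` field of its status database, and this sketch parses that field and compares it with the file on disk. The function names are hypothetical, and the status stanza, hashes and script contents are constructed sample data, assuming `/etc/init.d/hdparm` is shipped as a conffile of the `hdparm` package.

```python
import hashlib
import os
import tempfile

def conffile_hashes(status_text, package):
    """Return {path: md5} from the Conffiles field of one package stanza."""
    hashes = {}
    for stanza in status_text.split("\n\n"):
        lines = stanza.splitlines()
        if f"Package: {package}" not in lines:
            continue
        in_field = False
        for line in lines:
            if line.startswith("Conffiles:"):
                in_field = True
            elif in_field and line.startswith(" "):
                parts = line.split()
                # Skip entries dpkg has flagged "obsolete" (no longer shipped).
                if len(parts) >= 2 and "obsolete" not in parts[2:]:
                    hashes[parts[0]] = parts[1]
            else:
                in_field = False
    return hashes

def verify_conffiles(status_text, package, root="/"):
    """Map each recorded conffile to 'ok', 'modified' or 'missing'."""
    results = {}
    for path, expected in conffile_hashes(status_text, package).items():
        try:
            with open(os.path.join(root, path.lstrip("/")), "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
        except FileNotFoundError:
            results[path] = "missing"
            continue
        results[path] = "ok" if actual == expected else "modified"
    return results

def build_sample(root, script=b"#!/bin/sh\n# constructed sample init script\n"):
    """Write a constructed init script under root; return a matching status text."""
    os.makedirs(os.path.join(root, "etc/init.d"))
    with open(os.path.join(root, "etc/init.d/hdparm"), "wb") as fh:
        fh.write(script)
    digest = hashlib.md5(script).hexdigest()
    return ("Package: hdparm\nStatus: install ok installed\nConffiles:\n"
            f" /etc/init.d/hdparm {digest}\n"
            " /etc/hdparm.conf 00000000000000000000000000000000 obsolete\n"
            "Description: constructed sample stanza\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(verify_conffiles(build_sample(root), "hdparm", root))
```

On a real host the input would be the contents of `/var/lib/dpkg/status` with `root="/"`. A "modified" result can also be a legitimate local edit, and the local database is only as trustworthy as the host it sits on, which is why comparing against a pristine package from the repository remains the stronger check.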