On Sun, 2010-05-16 at 15:11 -0400, Tanstaafl wrote:
>
> >> myhost : Sat May 15, 11:35:08 : /var/log
> >>  # less rkhunter.log | grep Warning
> >> [11:30:28] /usr/bin/chattr                             [ Warning ]
> >> [11:30:28] Warning: File '/usr/bin/chattr' has the immutable-bit set.
> >> [11:30:28] /usr/bin/curl                               [ Warning ]
> >> [11:30:28] Warning: File '/usr/bin/curl' has the immutable-bit set.
> 
> > You can either whitelist the files or disable the 'immutable' test
> > completely.
> 
> I don't mind disabling the test completely if it isn't very useful (this
> is what I was told about the 'applications' test a while back)... but is
> that what you are saying?
> 
The test is useful, but only for those systems which do not have the
immutable bit set. If your system has the bit set on most system
commands, then you will get a lot of false-positives. In that case the
test is not useful, so it can be disabled. Having said that, I guess it
could be useful if the test could be reversed - so in your case it would
report any command which does not have the bit set. I will consider
that.

> 
> Here is what the log says:
> 
>  myhost : Sun May 16, 14:06:37 : ~
>   # less /var/log/rkhunter.log|grep rootkit
>  [03:10:49] Checking for rootkits...
>  [03:10:49] Info: Starting test name 'rootkits'
>  [03:10:49] Performing check of known rootkit files and directories
>  [03:11:36] Performing additional rootkit checks
>  [03:11:36]   Performing check of possible rootkit files and directories
>  [03:11:41]   Checking for possible rootkit files and directories [ None found ]
>  [03:11:41]   Performing check for possible rootkit strings
>  [03:11:58] Warning: Checking for possible rootkit strings    [ Warning ]
>  [03:11:58]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
>  [03:11:58]          Found string 'hdparm' in file '/etc/init.d/pciparm'. Possible rootkit: Xzibit Rootkit
>  [03:12:09] Possible rootkits: 2
>  myhost : Sun May 16, 14:06:45 : ~
>   #
> 
> > The 'hdparm' one is possibly a false-positive, but that's for you to
> > check.
> 
> Ok, well, I examined the two scripts, and didn't see anything unusual
> about them... but I'm not a forensics expert, just a lowly admin
> wanna-be... any other suggestions/pointers?
> 
I suspect it is a false-positive given that no other files of the
rootkit were found. The fact that the same rootkit is reported twice is
a known bug.
John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users