Hi, John,

I checked the /var/log/rkhunter.log and now I understand that these binaries are replaced by scripts.

===========
[19:59:43] /usr/xpg4/bin/test [ Warning ]
[19:59:44] Warning: The command '/usr/xpg4/bin/test' has been replaced by a script: /usr/xpg4/bin/test: executable /usr/xpg4/bin/sh script
[19:59:46] /usr/xpg4/bin/tr
===========

I checked the file property for each. All of them are actually scripts.

bash-3.00# file /usr/sbin/dmesg
/usr/sbin/dmesg: executable /usr/bin/sh script
bash-3.00# file /usr/bin/kill
/usr/bin/kill: executable /bin/ksh script
bash-3.00# file /usr/bin/test
/usr/bin/test: executable /bin/ksh script
bash-3.00# file /usr/bin/which
/usr/bin/which: executable /usr/bin/csh script
bash-3.00# file /usr/ucb/df
/usr/ucb/df: executable /usr/bin/sh script
bash-3.00# file /usr/ucb/du
/usr/ucb/du: executable /usr/bin/sh script
bash-3.00# file /usr/ucb/file
/usr/ucb/file: executable /usr/bin/sh script
bash-3.00# file /usr/xpg4/bin/kill
/usr/xpg4/bin/kill: executable /usr/xpg4/bin/sh script
bash-3.00# file /usr/xpg4/bin/test
/usr/xpg4/bin/test: executable /usr/xpg4/bin/sh script
bash-3.00#

I should whitelist those in /etc/rkhunter.conf.local.
Should I use the lines below? Please advise.

#SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
#SCRIPTWHITELIST="/usr/bin/groups"

Thank you very much!

Shunta Takino

On Wed, 15 Jun 2011 11:54:52 +0100
John Horne <john.ho...@plymouth.ac.uk> wrote:

> On Wed, 2011-06-15 at 19:50 +0900, TAKINO Shunta wrote:
> >
> > Those 10 files are regarded as known rootkits.
> >
> > [19:04:44] Info: Found file '/usr/bin/mc68000': it is whitelisted for the
> > 'known_rkts' check.
> > [19:04:44] Checking for file '/usr/bin/mc68000' [ Found ]
> >
> These are fine, they are not warnings but simply being logged as
> informational messages.
>
> >
> > Here is an additional question.
> >
> > i) [ Warning ] - file properties check
> >
> > While running rkhunter, "Performing file properties check"
> > indicated [ Warning ] messages for the commands below.
> >
> > /usr/sbin/dmesg [ Warning ]
> > /usr/bin/dmesg [ Warning ]
> > /usr/bin/kill [ Warning ]
> > /usr/bin/test [ Warning ]
> > /usr/bin/which [ Warning ]
> > /usr/ucb/df [ Warning ]
> > /usr/ucb/du [ Warning ]
> > /usr/ucb/file [ Warning ]
> >
> You will need to look in the log file (/var/log/rkhunter.log) to see why
> these warnings occur.
>
>
>
> John.
>
> --
> John Horne                   Tel: +44 (0)1752 587287
> University of Plymouth, UK   Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
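
The check this thread walks through (find the "replaced by a script" warnings in /var/log/rkhunter.log, confirm each path is a script, then list it in SCRIPTWHITELIST), as an added example that is not part of the original messages or of rkhunter itself. The function names and the sample log lines are constructed; the output uses the quoted, space-separated form of the commented lines in the message above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample, shaped like the log excerpt quoted in the thread.
sample_log() {
    cat <<'EOF'
[19:59:43] /usr/xpg4/bin/test [ Warning ]
[19:59:44] Warning: The command '/usr/xpg4/bin/test' has been replaced by a script: /usr/xpg4/bin/test: executable /usr/xpg4/bin/sh script
[19:59:46] /usr/xpg4/bin/tr
[19:59:47] Warning: The command '/usr/bin/kill' has been replaced by a script: /usr/bin/kill: executable /bin/ksh script
[19:59:47] Warning: The command '/usr/bin/kill' has been replaced by a script: /usr/bin/kill: executable /bin/ksh script
EOF
}

# stdin: rkhunter log. stdout: "command interpreter", one flagged command per line.
flagged_scripts() {
    sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script: .*: executable \(.*\) script\$/\1 \2/p" |
        sort -u
}

# True if $1 is a regular file that starts with "#!" on this host right now.
is_script_now() {
    [ -f "$1" ] && [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# stdin: rkhunter log. stdout: one SCRIPTWHITELIST line in the form the thread shows.
# With CHECK_DISK=1, flagged paths that are not scripts on disk are left out.
whitelist_line() {
    list=
    for cmd in $(flagged_scripts | cut -d' ' -f1); do
        if [ "${CHECK_DISK:-0}" = 1 ] && ! is_script_now "$cmd"; then
            echo "skip: $cmd is not a script on this host" >&2
            continue
        fi
        list="${list:+$list }$cmd"
    done
    if [ -n "$list" ]; then
        printf 'SCRIPTWHITELIST="%s"\n' "$list"
    fi
}

# Show each flagged command with its interpreter for review, then the candidate line.
sample_log | flagged_scripts
sample_log | whitelist_line
```

On a real host, run `CHECK_DISK=1 whitelist_line < /var/log/rkhunter.log` and review each reported interpreter before copying the line into /etc/rkhunter.conf.local.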