On Thu, Jul 28, 2011 at 08:38:00AM +0200, Helmut Hullen wrote:
> Hello, Robert,
>
> You wrote on 27.07.11:
>
> >>>> Just upgraded to 1.3.8 now I'm getting Xzibit Rootkit. I'm sure
> >>>> it is a false positive, how do I clear this error?
>
> >>> RTKT_FILE_WHITELIST="/etc/rc.d/rc.sysinit:hdparm"
>
> > Sorry to be late to the thread, Running Debian Squeeze and rkhunter
> > 1.3.6-4. Also getting the Xzibit Rootkit warning. The problem is that
> > there is no /etc/rc.d/rc.sysinit:hdparm file on my system. The
> > closest I find is /etc/init.d/hdparm. Would whitelisting this work?
>
> Just take a try!

Tried it with partial success. Before I whitelisted it I got:

[07:46:59] Possible rootkits: 2
[07:46:59] Rootkit names : Xzibit Rootkit, Xzibit Rootkit

After whitelisting it I got:

[14:33:44] Possible rootkits: 1
[14:33:44] Rootkit names : Xzibit Rootkit

Found another mention of hdparm in the log:

/etc/init.d/.depend.boot

Now the configuration file looks like:

RTKT_FILE_WHITELIST="/etc/init.d/hdparm" "/etc/init.d/.depend.boot"

Running rkhunter -c gives:

Whitelisted rootkit file does not exist: /etc/init.d/hdparm"
Whitelisted rootkit file does not exist: "/etc/init.d/.depend.boot

ls -a shows both files. What am I missing? Why did rkhunter run the first
time when /etc/init.d/hdparm was whitelisted but complained when both were
whitelisted?

-- 
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
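
The two "does not exist" messages in the post above each keep a stray double quote on the path. The following is an added example, not part of the thread and not rkhunter's own code: it assumes the option value loses one quote at each end and is then split on whitespace, which reproduces those two messages exactly. The function names `split_whitelist` and `missing_entries` and the temporary directory tree are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Assumed parsing model (not taken from rkhunter's source): strip one leading
# and one trailing double quote from the value, then split on whitespace.

# split_whitelist VALUE -> one whitelist entry per line
split_whitelist() {
    val=${1#\"}                 # drop one leading quote
    val=${val%\"}               # drop one trailing quote
    set -f                      # no globbing while word-splitting
    set -- $val
    set +f
    for entry in "$@"; do printf '%s\n' "$entry"; done
}

# missing_entries VALUE ROOT -> entries whose file part does not exist under ROOT.
# Entries use the file[:string] form seen in the thread, so ":string" is cut off
# before the existence test.
missing_entries() {
    root=$2
    split_whitelist "$1" | while IFS= read -r entry; do
        file=${entry%%:*}
        [ -e "$root$file" ] || printf '%s\n' "$entry"
    done
}

# Constructed demo tree standing in for / so the check runs on any machine.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/init.d"
: > "$demo_root/etc/init.d/hdparm"
: > "$demo_root/etc/init.d/.depend.boot"

echo "Two separately quoted strings, as in the post:"
missing_entries '"/etc/init.d/hdparm" "/etc/init.d/.depend.boot"' "$demo_root"

echo "One quoted, space-separated string:"
missing_entries '"/etc/init.d/hdparm /etc/init.d/.depend.boot"' "$demo_root"
```

Under this model the first call reports `/etc/init.d/hdparm"` and `"/etc/init.d/.depend.boot` as missing even though both files exist, and the second call reports nothing.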