If you are absolutely sure it’s clean then whitelist it in rkhunter.conf.local.
#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the various rootkit
# and malware checks. If the file or directory name contains a space, then
# the percent character ('%') must be used instead. Only existing files and
# directories can be specified, and these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the file's existence, but still
# only the specific string within the file will be whitelisted. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
#
# To whitelist a file from the existence checks, but not from the strings
# checks, include the filename on its own and again with just a colon
# appended. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# These are space-separated lists of file and directory pathnames.
# The options may be specified more than once.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
RTKT_FILE_WHITELIST=/usr/lib/xen-4.4/bin/xl
-Al-
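As an added illustration (not rkhunter's own code, and not part of either message in this thread), the following Python models the three RTKT_FILE_WHITELIST entry forms described in the configuration comment above (bare path, path:string, path:) and applies them to warning records shaped like the ones in Mark's report. The whitelist rules are taken from the comment text; the sample warning text is constructed, and treating the "processes are using suspicious files" finding as a file-level check that a bare path entry silences is an assumption of this example.

```python
"""Model of the RTKT_FILE_WHITELIST rules described in rkhunter.conf.

Added illustration only: this is not rkhunter's own matching code. It follows
the three entry forms stated in the configuration comment (bare path,
path:string, path:) and applies them to warning records constructed to look
like the "processes are using suspicious files" output in the thread.
"""
import re

OPTION = "RTKT_FILE_WHITELIST="


def parse_file_whitelist(values):
    """Parse one or more RTKT_FILE_WHITELIST values into {path: rule}.

    rule["existence"] is True when a bare path entry appears (existence checks
    whitelisted). rule["strings"] is None when every string in the file is
    whitelisted (bare path only), or the set of strings allowed by path:string
    entries; "path:" yields an empty set, i.e. no strings whitelisted.
    """
    if isinstance(values, str):
        values = [values]
    rules = {}
    for line in values:
        line = line.strip()
        if line.startswith(OPTION):          # accept the whole option line too
            line = line[len(OPTION):]
        for entry in line.strip('"').split():
            path, colon, string = entry.partition(":")
            path = path.replace("%", " ")     # '%' stands in for a space
            rule = rules.setdefault(path, {"existence": False, "strings": None})
            if not colon:
                rule["existence"] = True      # bare path: existence checks silenced
            else:
                if rule["strings"] is None:
                    rule["strings"] = set()   # colon form restricts the string whitelist
                if string:
                    rule["strings"].add(string)
    return rules


def is_whitelisted(rules, path, string=None):
    """string=None asks about an existence/file check; otherwise a string check."""
    rule = rules.get(path)
    if rule is None:
        return False
    if string is None:
        return rule["existence"]
    return rule["strings"] is None or string in rule["strings"]


def parse_process_warnings(text):
    """Group rkhunter's 'processes are using suspicious files' lines into records."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Command:"):
            if current:
                records.append(current)
            current = {"command": line.split(":", 1)[1].strip()}
        elif line.startswith("UID:"):
            m = re.match(r"UID:\s*(\S+)\s+PID:\s*(\S+)", line)
            if m:
                current["uid"], current["pid"] = m.group(1), m.group(2)
        elif line.startswith("Pathname:"):
            current["pathname"] = line.split(":", 1)[1].strip()
        elif line.startswith("Possible Rootkit:"):
            current["rootkit"] = line.split(":", 1)[1].strip()
    if current:
        records.append(current)
    return records


def remaining_warnings(rules, records):
    """Records the whitelist would not silence: only full pathnames can match."""
    return [r for r in records
            if not (r["pathname"].startswith("/")
                    and is_whitelisted(rules, r["pathname"]))]


# Constructed sample, modelled on the warning block quoted in the thread.
SAMPLE_WARNING = """\
Warning: The following processes are using suspicious files:
         Command: xl
         UID: 0    PID: 3708
         Pathname: /usr/lib/xen-4.4/bin/xl
         Possible Rootkit: Dica-Kit Rootkit
         Command: xl
         UID: 3709    PID: 3708
         Pathname: 143064
         Possible Rootkit: Dica-Kit Rootkit
"""

if __name__ == "__main__":
    rules = parse_file_whitelist("RTKT_FILE_WHITELIST=/usr/lib/xen-4.4/bin/xl")
    for rec in remaining_warnings(rules, parse_process_warnings(SAMPLE_WARNING)):
        print("still flagged:", rec)
```

Run stand-alone, the script shows that the bare path entry covers the `/usr/lib/xen-4.4/bin/xl` finding but not the record whose Pathname is a bare number, since only full pathnames can be whitelisted. The same model reproduces the three documented cases for `/etc/rc.local`: `path:string` alone silences only that string, adding the bare path also silences the existence check, and `path path:` silences the existence check while leaving every string check active.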
> On Sep 8, 2014, at 1:29 AM, Mark Ruys <mark.r...@peercode.nl> wrote:
>
> Hi,
>
> I can't get rid of a false positive in RKHunter:
>
> $ sudo rkhunter --check --skip-keypress --no-mail-on-warning --report-warnings-only
> Warning: The following processes are using suspicious files:
> Command: xl
> UID: 0 PID: 3708
> Pathname: /usr/lib/xen-4.4/bin/xl
> Possible Rootkit: Dica-Kit Rootkit
> Command: xl
> UID: 3709 PID: 3708
> Pathname: 143064
> Possible Rootkit: Dica-Kit Rootkit
> Command: xl
> UID: 0 PID: 6439
> Pathname: /usr/lib/xen-4.4/bin/xl
> Possible Rootkit: Dica-Kit Rootkit
> Command: xl
> UID: 6440 PID: 6439
> Pathname: 143064
> Possible Rootkit: Dica-Kit Rootkit
> Command: xl
> UID: 0 PID: 8136
> Pathname: /usr/lib/xen-4.4/bin/xl
> Possible Rootkit: Dica-Kit Rootkit
> Command: xl
> UID: 8137 PID: 8136
> Pathname: 143064
> Possible Rootkit: Dica-Kit Rootkit
>
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.1 LTS
> Release: 14.04
> Codename: trusty
>
> $ dpkg -S /usr/lib/xen-4.4/bin/xl
> xen-utils-4.4: /usr/lib/xen-4.4/bin/xl
>
> $ ls -l /usr/lib/xen-4.4/bin/xl
> -rwxr-xr-x 1 root root 157448 Jul 9 14:11 /usr/lib/xen-4.4/bin/xl
>
>
> Help appreciated!
>
> Mark
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users