Bug#651119: rkhunter: False positives when checking running processes for suspicious files

Slavko linux at slavino.sk
Tue Apr 24 17:13:13 UTC 2012


Hi,

I ran into a similar problem.

rkhunter --version
Rootkit Hunter 1.3.6
...

the rkhunter reports warning:

Warning: Checking running processes for suspicious files [ Warning ]
Warning: One or more of these files were found: backdoor, adore.o,
mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava,
tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3,
system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer,
holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write,
Phantasmagoria.o, lkt.o, nlkt.o
         Check the output of the lsof command 'lsof -F n -w -n'

After checking the output of the suggested lsof command I found the following
file (more precisely, directory) open:

/home/smbshare/system

This is the directory of my regular Samba share and was opened by Samba. The
other files from the list are not found on my system.

My suggestion is simply to provide a whitelist for this...

regards

-- 
Slavko
http://slavino.sk
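As an added illustration of the false positive in this report (this is not rkhunter's code; rkhunter's actual matching rule and its configuration options are not shown on this page), the following Python script parses constructed `lsof -F n -w -n` output, checks the open file names against a subset of the names from the warning, and shows how a path allowlist suppresses the Samba share directory while a genuine hit is still reported. It also goes a step beyond the report by contrasting naive substring matching with exact basename matching. The sample lsof output, pids and paths are all made up.

```python
import os

# Subset of the names listed in the rkhunter warning above (illustrative only).
SUSPICIOUS_NAMES = ["backdoor", "adore.o", "system", "crontab", "sshdu", "httpd.bin", "write"]

# Constructed `lsof -F n -w -n` output: p<pid>, f<fd>, n<name> records. Not from a real host.
SAMPLE_LSOF = """\
p1001
fcwd
n/
ftxt
n/usr/sbin/smbd
f12
n/home/smbshare/system
p2002
fcwd
n/var/spool/cron
ftxt
n/usr/sbin/cron
f3
n/var/spool/cron/crontabs/root
p3003
ftxt
n/tmp/.x/adore.o
"""


def parse_lsof_fields(text):
    """Yield (pid, path) pairs from lsof -F output; the 'f' (fd) records are ignored."""
    pid = None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            pid = int(value)
        elif tag == "n" and pid is not None:
            yield pid, value


def substring_hits(text, names=SUSPICIOUS_NAMES):
    """Naive check: flag any open path that contains a suspicious name anywhere in it.

    This also trips on /var/spool/cron/crontabs/root because 'crontab' is a substring.
    """
    hits = []
    for pid, path in parse_lsof_fields(text):
        for name in names:
            if name in path:
                hits.append((pid, path, name))
    return hits


def basename_hits(text, names=SUSPICIOUS_NAMES, allow=()):
    """Stricter check: compare only the final path component, exactly.

    `allow` is a hypothetical allowlist of full paths known to be benign on this host,
    e.g. the Samba share directory from the report. A directory whose basename is
    'system' still matches exactly, so the allowlist is what removes that warning.
    """
    hits = []
    for pid, path in parse_lsof_fields(text):
        if path in allow:
            continue
        base = os.path.basename(path.rstrip("/"))
        if base in names:
            hits.append((pid, path, base))
    return hits


if __name__ == "__main__":
    print("substring matching:", substring_hits(SAMPLE_LSOF))
    print("basename matching: ", basename_hits(SAMPLE_LSOF))
    print("with allowlist:    ", basename_hits(SAMPLE_LSOF, allow=("/home/smbshare/system",)))
```

The allowlist is keyed on the full path rather than the bare name, so a file called `system` appearing somewhere other than the share would still be reported.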