Bug#658003: rkhunter: false positive with hdparm (?)

Fabián Bonetti mama21mama2000 at yahoo.com.ar
Mon Jan 30 17:06:16 UTC 2012


Package: rkhunter
Version: 1.3.6-4
Severity: normal

#File /var/log/rkhunter.log
[13:46:28]     Checking for string 'hdparm'                  [ Warning ]
[13:46:28]     Checking for string '/lib/ldd.so/tkps'        [ Not found ]
[13:46:28]     Checking for string 't0rnkit'                 [ Not found ]
[13:46:28]     Checking for string '/dev/proc/fuckit'        [ Not found ]
[13:46:28]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[13:46:29]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[13:46:29]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[13:46:29]     Checking for string '/usr/lib/ldlibct.so'     [ Not found ]
[13:46:29]     Checking for string '/usr/lib/ldlibdu.so'     [ Not found ]
[13:46:29]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[13:46:29]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[13:46:29]     Checking for string '/dev/ida/.inet'          [ Not found ]
[13:46:29] Warning: Checking for possible rootkit strings    [ Warning ]
[13:46:29]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[13:46:29]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit


mama at zeuza:~$ whereis hdparm
hdparm: /sbin/hdparm /etc/hdparm.conf /usr/share/man/man8/hdparm.8.gz

mama at zeuza:~$ md5sum /sbin/hdparm
5f74fb3bd3a1b50e803d139a7aa10695  /sbin/hdparm

mama at zeuza:~$ sha1sum /sbin/hdparm
50e94ee5f91c5bae7a626c7deaf6dccb96fd8d81  /sbin/hdparm

mama at zeuza:~$ sha256sum /sbin/hdparm
73f7525ae08a8d9faa9c91a0c96c7b54cfbb21ed91baa398ddcfb5ee33b1a3f5  /sbin/hdparm
mama at zeuza:~$ 

-- http://packages.debian.org/squeeze/i386/hdparm/download
MD5 checksum 	2c05b8d28cd08a31e93409491b71423b
SHA1 checksum 	101e7372cc2de13866a8d423c020857def65c48e
SHA256 checksum 	5ec7ca9fd92f33148d9c5a0b0929955fccd0ab7e480512b8b93f4811d0d2a35c

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils               2.20.1-16         The GNU assembler, linker and bina
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  file                   5.04-5            Determines file type using "magic"
ii  net-tools              1.60-23           The NET-3 networking toolkit
ii  perl                   5.10.1-17squeeze3 Larry Wall's Practical Extraction 
ii  sendmail               8.14.3-9.4        powerful, efficient, and scalable 
ii  sendmail-bin [mail-tra 8.14.3-9.4        powerful, efficient, and scalable 

Versions of packages rkhunter recommends:
ii  iproute                20100519-3        networking and traffic control too
ii  lsof                   4.81.dfsg.1-1     List open files
ii  perl [libdigest-sha-pe 5.10.1-17squeeze3 Larry Wall's Practical Extraction 
ii  unhide                 20100201-1        Forensic tool to find hidden proce
ii  wget                   1.12-2.1          retrieves files from the web

Versions of packages rkhunter suggests:
ii  bsd-mailx          8.1.2-0.20100314cvs-1 simple mail user agent
pn  tripwire           <none>                (no description available)

-- debconf information:
  rkhunter/apt_autogen: false
  rkhunter/cron_daily_run:
  rkhunter/cron_db_update:
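As an added example, not part of the bug report: the checksums shown on the packages.debian.org download page describe the .deb archive, while the md5sums dpkg records at install time (/var/lib/dpkg/info/hdparm.md5sums) describe the installed files, so that list is the one an installed /sbin/hdparm can be compared against. The script below performs that comparison for one md5sums file; the fixture tree it builds is constructed for the demo and stands in for a real installation.

```shell
#!/bin/sh
# Added example (not from the bug report): compare installed files with the
# md5sums dpkg recorded at install time (/var/lib/dpkg/info/hdparm.md5sums).
# Each line there reads "<md5>  <path relative to />". The checksums on
# packages.debian.org describe the .deb archive, not the files inside it,
# so they never match the md5sum of an installed file such as /sbin/hdparm.

# verify_md5sums MD5SUMS_FILE [ROOT]
# Prints one MISSING/MODIFIED line per problem; returns the problem count.
verify_md5sums() {
    sums="$1"; root="${2:-/}"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue                # skip blank lines
        f="${root%/}/$path"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; bad=$((bad + 1)); continue
        fi
        actual=$(md5sum "$f" | cut -d ' ' -f 1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s (dpkg: %s, now: %s)\n' "$f" "$expected" "$actual"
            bad=$((bad + 1))
        fi
    done < "$sums"
    [ "$bad" -le 255 ] || bad=255                 # exit codes stop at 255
    return "$bad"
}

# make_fixture prints the path of a constructed root tree: a fake sbin/hdparm,
# a fake etc/hdparm.conf and a matching md5sums list standing in for dpkg's.
make_fixture() {
    r=$(mktemp -d); mkdir -p "$r/sbin" "$r/etc"
    printf 'constructed hdparm binary\n' > "$r/sbin/hdparm"
    printf 'constructed hdparm.conf\n'   > "$r/etc/hdparm.conf"
    {
        printf '%s  sbin/hdparm\n'     "$(md5sum "$r/sbin/hdparm" | cut -d ' ' -f 1)"
        printf '%s  etc/hdparm.conf\n' "$(md5sum "$r/etc/hdparm.conf" | cut -d ' ' -f 1)"
    } > "$r/hdparm.md5sums"
    printf '%s\n' "$r"
}

# Demo: the untouched tree passes, then a tampered binary is reported.
demo_root=$(make_fixture)
verify_md5sums "$demo_root/hdparm.md5sums" "$demo_root" && echo "clean: all files match"
printf 'tampered\n' >> "$demo_root/sbin/hdparm"
verify_md5sums "$demo_root/hdparm.md5sums" "$demo_root" || echo "problems found: $?"
rm -rf "$demo_root"
```

On a real Debian system the same check is `verify_md5sums /var/lib/dpkg/info/hdparm.md5sums /`, and the packaged tool `debsums hdparm` does the equivalent.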