Bug#725866: rkhunter: False positive about unhide.rb

Demetris Demetriou mitsosgtir at gmail.com
Wed Oct 9 11:07:06 UTC 2013

Package: rkhunter
Version: 1.4.0-1
Severity: normal

Running rkhunter on a newly configured wheezy system gives:
  /usr/bin/unhide.rb                              [ Warning ]
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script:
/usr/bin/unhide.rb: Ruby script, ASCII text

That file is a Ruby script; sha512sums and md5sums have been compared with
another system (which had the following whitelisting configured a long, long
time ago) and they match.

Edit /etc/rkhunter.conf:
Add to the bottom of the SCRIPTWHITELIST section:

This corrects the false-positive warning.
Thank you.

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils               2.22-8
ii  debconf [debconf-2.0]  1.5.49
ii  file                   5.11-2
ii  net-tools              1.60-24.2
ii  perl                   5.14.2-21
ii  ucf                    3.0025+nmu3

Versions of packages rkhunter recommends:
ii  curl                                       7.26.0-1+wheezy3
ii  exim4-daemon-light [mail-transport-agent]  4.80-7
ii  iproute                                    20120521-3+b3
ii  lsof                                       4.86+dfsg-1
ii  unhide.rb                                  13-1.1
ii  wget                                       1.13.4-3

Versions of packages rkhunter suggests:
ii  heirloom-mailx [mailx]    12.5-2
pn  libdigest-whirlpool-perl  <none>
ii  liburi-perl               1.60-1
ii  libwww-perl               6.04-1
ii  powermgmt-base            1.31
ii  tripwire        

-- Configuration Files:
/etc/logrotate.d/rkhunter changed [not included]
/etc/rkhunter.conf changed [not included]

-- debconf information excluded
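The report whitelists /usr/bin/unhide.rb after comparing its checksums with a second machine. The script below is an added example, not part of the bug report or the rkhunter package: it checks the file against the md5sums manifest that dpkg keeps for the package (assumed here to be /var/lib/dpkg/info/unhide.rb.md5sums) and only then appends the SCRIPTWHITELIST line, so a script that has actually been replaced never gets whitelisted by habit. All three paths are parameters so it runs against constructed inputs as well.

```shell
#!/bin/sh
# Added example, not from the bug report: confirm a script's checksum against
# the dpkg md5sums manifest its package installed before whitelisting it in
# rkhunter.conf. All three paths are parameters; on a real Debian system they
# would be /usr/bin/unhide.rb, /var/lib/dpkg/info/unhide.rb.md5sums (assumed
# to exist for the package) and /etc/rkhunter.conf.

# verify_against_manifest FILE MANIFEST
# Exit status 0 if FILE's md5 matches the manifest entry for its path,
# 1 on mismatch, 2 if the manifest has no entry for that path.
# dpkg manifests list paths without the leading slash ("usr/bin/unhide.rb").
verify_against_manifest() {
    target=$1
    manifest=$2
    rel=${target#/}
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $target" >&2
        return 2
    fi
    actual=$(md5sum "$target" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# whitelist_script FILE MANIFEST CONF
# Appends "SCRIPTWHITELIST=FILE" to CONF only when the checksum check passes,
# and only once, so re-running does not duplicate the line.
whitelist_script() {
    target=$1
    manifest=$2
    conf=$3
    if ! verify_against_manifest "$target" "$manifest"; then
        echo "refusing to whitelist $target: checksum mismatch or unknown" >&2
        return 1
    fi
    if grep -qxF "SCRIPTWHITELIST=$target" "$conf" 2>/dev/null; then
        return 0
    fi
    printf 'SCRIPTWHITELIST=%s\n' "$target" >> "$conf"
}

# Stand-alone use: sh whitelist_check.sh FILE MANIFEST CONF
if [ "$#" -eq 3 ]; then
    whitelist_script "$@"
fi
```

After the line is added, rerun `rkhunter --propupd` only if the local policy calls for it; the whitelist entry alone is what clears the warning described above.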
