Bug#725866: rkhunter: False positive about unhide.rb
Demetris Demetriou
mitsosgtir at gmail.com
Wed Oct 9 11:07:06 UTC 2013
Package: rkhunter
Version: 1.4.0-1
Severity: normal
Hello,
Running rkhunter on a newly configured wheezy system gives:
/usr/bin/unhide.rb [ Warning ]
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script:
/usr/bin/unhide.rb: Ruby script, ASCII text
That file is a Ruby script; its sha512sum and md5sum have been compared with those on another system (which had the following whitelisting configured a long, long time ago) and they match.
Edit /etc/rkhunter.conf:
Add to the bottom of the SCRIPTWHITELIST section:
SCRIPTWHITELIST=/usr/bin/unhide.rb
This corrects the false positive warning.
Thank you
-- System Information:
Debian Release: 7.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages rkhunter depends on:
ii binutils 2.22-8
ii debconf [debconf-2.0] 1.5.49
ii file 5.11-2
ii net-tools 1.60-24.2
ii perl 5.14.2-21
ii ucf 3.0025+nmu3
Versions of packages rkhunter recommends:
ii curl 7.26.0-1+wheezy3
ii exim4-daemon-light [mail-transport-agent] 4.80-7
ii iproute 20120521-3+b3
ii lsof 4.86+dfsg-1
ii unhide.rb 13-1.1
ii wget 1.13.4-3
Versions of packages rkhunter suggests:
ii heirloom-mailx [mailx] 12.5-2
pn libdigest-whirlpool-perl <none>
ii liburi-perl 1.60-1
ii libwww-perl 6.04-1
ii powermgmt-base 1.31
ii tripwire 2.4.2.2-2
-- Configuration Files:
/etc/logrotate.d/rkhunter changed [not included]
/etc/rkhunter.conf changed [not included]
-- debconf information excluded
More information about the forensics-devel mailing list
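The report's fix (adding a SCRIPTWHITELIST line) is correct, but a practitioner would want to confirm the flagged file is still the one the package shipped before silencing the warning. The following is an added example, not code from the bug report or from rkhunter: it checks the file's md5 against a dpkg-style .md5sums list, and appends the SCRIPTWHITELIST line only when it is absent, so re-running it does not duplicate the entry. The temporary tree, the demo config and the md5sums list are constructed for the demo; the function names, the shebang-based script test (rkhunter itself uses file(1)) and the ROOT prefix parameter are this example's own conventions. On a real Debian system ROOT is empty, the config is /etc/rkhunter.conf and the package list is /var/lib/dpkg/info/unhide.rb.md5sums.

```shell
#!/bin/sh
# Added example (not from the bug report, not rkhunter code): verify a file that
# rkhunter reports as "replaced by a script" against its package's md5sums list,
# then whitelist it in rkhunter.conf idempotently.
set -eu

# md5 of a file, portable between coreutils md5sum and BSD md5
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else md5 -q "$1"; fi
}

# 0 if the installed file matches the hash the package recorded for it.
# $1 = installed path (e.g. /usr/bin/unhide.rb), $2 = md5sums list
#      (lines "<md5>  usr/bin/unhide.rb"), $3 = root prefix ("" on a live system)
pkg_hash_matches() {
    rel=${1#/}
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$2")
    [ -n "$expected" ] || return 1            # not listed: not a packaged file
    [ "$expected" = "$(md5_of "$3$1")" ]
}

# 0 if the file starts with a shebang. Simplification of rkhunter's file(1)-based
# detection so the example has no dependency on file(1) being installed.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# 0 if the config already carries an exact SCRIPTWHITELIST line for the path.
is_whitelisted() {
    grep -qxF "SCRIPTWHITELIST=$1" "$2"
}

# Whitelist installed path $1 in config $2 after checking it against md5sums
# list $3 under root $4. Returns 0 (whitelisted or already was), 2 (not a
# script, so the rkhunter warning would not apply), 3 (hash mismatch/unknown).
whitelist_script() {
    is_script "$4$1" || { echo "not a script, nothing to whitelist: $1" >&2; return 2; }
    pkg_hash_matches "$1" "$3" "$4" || { echo "hash mismatch, NOT whitelisting $1" >&2; return 3; }
    is_whitelisted "$1" "$2" || printf 'SCRIPTWHITELIST=%s\n' "$1" >> "$2"
}

# Constructed demo tree: a fake /usr/bin/unhide.rb, its md5sums list and a config.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    printf '#!/usr/bin/ruby\nputs "demo"\n' > "$d/usr/bin/unhide.rb"
    printf '%s  usr/bin/unhide.rb\n' "$(md5_of "$d/usr/bin/unhide.rb")" > "$d/unhide.rb.md5sums"
    printf '# demo config\nSCRIPTWHITELIST=/usr/bin/lwp-request\n' > "$d/rkhunter.conf"
    echo "$d"
}

# Demo run: whitelist, run again (no duplicate line), tamper, watch the refusal.
demo() {
    d=$(demo_setup)
    whitelist_script /usr/bin/unhide.rb "$d/rkhunter.conf" "$d/unhide.rb.md5sums" "$d"
    whitelist_script /usr/bin/unhide.rb "$d/rkhunter.conf" "$d/unhide.rb.md5sums" "$d"
    echo 'puts "tampered"' >> "$d/usr/bin/unhide.rb"
    whitelist_script /usr/bin/unhide.rb "$d/rkhunter.conf" "$d/unhide.rb.md5sums" "$d" \
        || echo "refused with status $?"
    echo "whitelist lines for unhide.rb: $(grep -c '^SCRIPTWHITELIST=/usr/bin/unhide.rb$' "$d/rkhunter.conf")"
    rm -rf "$d"
}

demo
```

The md5sums list lives on the same host as the binary, so this is weaker than the reporter's comparison against a second machine: anything that can replace /usr/bin/unhide.rb can also edit /var/lib/dpkg/info. Treat it as a sanity check before whitelisting, not as proof the file is clean.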