Just ran rkhunter and I get a warning message for these directories...

/bin/groups
/usr/bin/ldd
/usr/bin/whatis
/usr/sbin/adduser

I also get a warning when checking for hidden files and directories.

Is any of this anything to worry about?

Thanks.

From the information you have given, it's difficult to say if you should worry about it.

Can you be more specific: What are the warning messages?

Those files could definitely be used as part of a rootkit (if modified).

Which version?


No, those are files. Let me guess, the warning is about the binary being replaced by a script. Please read the FAQ in your docs directory and see the whitelisting options in your rkhunter.conf.


No exact log lines, no advice.

rkhunter version 1.3.0


The warning is just that, the word warning next to a directory or file while rkhunter runs.

/usr/sbin/adduser [ Warning ]
/usr/bin/whatis [ Warning ]
/usr/bin/ldd [ Warning ]
/bin/groups [ Warning ]

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable



Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable

arning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable

Checking for hidden files and directories [ Warning ]
Warning: Hidden directory found: /dev/.udev

Check the file /var/log/rkhunter.log paste the warnings here if there odd.

Also check the files themselfs, if there script files you can examine the code, paste one here if you don't understand it, might just be simple wrapper scripts.

I have some warnings on hidden files on my system, but these are normal:
[13:14:27] Warning: Hidden directory found: /etc/.java
[13:14:27] Warning: Hidden directory found: /dev/.static
[13:14:27] Warning: Hidden directory found: /dev/.udev
[13:14:27] Warning: Hidden directory found: /dev/.initramfs

I already told him what to do and if he could read the docs that come with the product or the mailing list archives he could know how to handle it.



Again this too is something you can verify and then whitelist in rkhunter.conf.


BTW, not to plug stuff, but RKH 1.3.2 was released yesterday. Come 'n get it!

I got the same warnings as Hegemon on my Ubuntu setup, but I also got this one:
Warning: Hidden file found: /dev/.tmp-2-0: block special (2/0)

The file (.tmp-2-0) is 0kb and is of type "x-special/device-block". Does anyone know what this is or if I should worry?

There are a few ways to determine if a file has a malicious nature or purpose. The FAQ that comes with the product goes into details in section 3.1 "Rootkit Hunter tells me there is something wrong with my system. What do I do?". Please read that part, try to determine what package and then ask.