Hi,

I recently installed the ganglia monitoring package (compiled from source) on several of my boxes. It installs the file: /usr/include/file.h . Chkrootkit is warning that I may have a Showtee root kit installed based on the existence of this file. I have listed the contents of the file below. Is this a real root-kit or is it simply a false psoitive?


#ifndef FILE_H
#define FILE_H 1

/* FreeBSD seems to gag on these.. Yet still works when not compiled in */
#if defined(BSD)
ssize_t readn (int fd, void *vptr, size_t n);
ssize_t writen (int fd, const void *vptr, size_t n);
#endif
int slurpfile ( char * filename, char *buffer, int buflen );
char *skip_whitespace ( const char *p);
char *skip_token ( const char *p);

#endif


Thanks.

I'm pretty sure this is an FP: ([ -f /usr/include/file.h ]), tho that's not a fact.

If you want to be 100 percent sure you could sha1sum your file(s) and ask one of the developers to verify it. I mean, that's the proper way I guess since they don't tack sha1/md5sums or gpg sigs onto their tarballs. If you've got Aide, Samhain or Tripwire installed and maintained the database the right way, I guess you can go for 100 percent minus some calculated risks.

I find this "Showtee" stuff kinda funny, jus like the RHSharpe one. There's only one reference on the 'web and I've still gotta find sources for both "in the wild".