LinuxQuestions.org
Old 01-05-2010, 12:16 PM   #1
the trooper
Senior Member
 
Registered: Jun 2006
Location: England
Distribution: Debian Jessie Amd64
Posts: 1,476

Possible false positive with rkhunter


Hello all,

I have just been checking one of my machines with rkhunter and got the following result:

Code:
[17:50:08] Warning: Checking for possible rootkit strings    [ Warning ]
[17:50:09]          Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[17:50:09]          Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit

Using a well known search engine shows that others have come across this before:

http://www.mail-archive.com/debian-b...msg259717.html

I have installed the current version of rkhunter from Debian's Unstable repo, but I still get the same result as above.
I then checked the rkhunter wiki, which mentions the same problem:

http://sourceforge.net/apps/trac/rkhunter/wiki/MPMOD

Quote:
Here is an example on my system to remove a false positive for a certain rootkit that hit hdparm.

USER_FILEPROP_FILES_DIRS=/etc/init.d/bootlogd
USER_FILEPROP_FILES_DIRS=/etc/init.d/checkroot.sh

After updating the properties database and doing a new scan, the sh function created further RKH warnings, so I then added a whitelist after confirming that the contents of the script were indeed a false positive.

SCRIPTWHITELIST=/etc/init.d/bootlogd
SCRIPTWHITELIST=/etc/init.d/checkroot.sh

So I have now whitelisted the above mentioned scripts, re-run rkhunter --propupd and re-run rkhunter, but I am still getting the warning message.

At this point I can't be sure whether this is my error or if there is something more to the whitelisted scripts. I can post the contents of those scripts if someone more knowledgeable than me could look over them.

The above is on a Debian Testing/Unstable amd64 box.

Last edited by the trooper; 01-05-2010 at 01:03 PM.
 
Old 01-05-2010, 12:41 PM   #2
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,734
Blog Entries: 12

For some reason the Xzibit thing has been there for a while. I even ran rkhunter on a clean install and it was in the results. It is a bug with the rkhunter db.
 
Old 01-05-2010, 12:46 PM   #3
the trooper
Senior Member
 
Registered: Jun 2006
Location: England
Distribution: Debian Jessie Amd64
Posts: 1,476

Original Poster
Quote:
Originally Posted by craigevil
For some reason the Xzibit thing has been there for a while. I even ran rkhunter on a clean install and it was in the results. It is a bug with the rkhunter db.
That seems to be the case.
Although I'm not sure why I'm still getting the message after whitelisting the scripts.
 
Old 01-05-2010, 03:55 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,435
Blog Entries: 54

http://sourceforge.net/apps/trac/rkhunter/wiki/MPMOD handles generic whitelisting like scripts (as in 'awk -F"'" '/replaced by a script/ {print "SCRIPTWHITELIST="$2}' rkhunter.log'). Everyone with an hdparm false positive related to /etc/*rc* files should see John's reply to Dick Gevers in the rkhunter-users mailing list archive of 2009/11/29: add the resource file to the RTKT_FILE_WHITELIST configuration option and put it into your rkhunter.conf.local file. If you whitelist files then add those files to the USER_FILEPROP_FILES_DIRS configuration option. Also please note that, as per all Rootkit Hunter docs, the main place to discuss all things Rootkit Hunter is the rkhunter-users mailing list.

Last edited by unSpawn; 01-05-2010 at 03:57 PM.
 
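The procedure in the reply above (RTKT_FILE_WHITELIST plus USER_FILEPROP_FILES_DIRS for the hdparm hits, SCRIPTWHITELIST for "replaced by a script" warnings) can be scripted. The following is an added example, not code from the thread or from the rkhunter project; the log lines in SAMPLE_LOG are constructed from the warnings quoted in this thread, and a real run would read /var/log/rkhunter.log instead.

```shell
#!/bin/sh
# Added example: turn rkhunter.log warnings into rkhunter.conf.local entries.
# SAMPLE_LOG is constructed for this demo from the warnings in the thread.
SAMPLE_LOG=$(cat <<'EOF'
[17:50:08] Warning: Checking for possible rootkit strings    [ Warning ]
[17:50:09]          Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[17:50:09]          Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
[17:50:12] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script text executable
EOF
)

# Rootkit-string warnings: whitelist the flagged file for that test and, as the
# reply advises, also list it under USER_FILEPROP_FILES_DIRS so the next
# 'rkhunter --propupd' records its properties. Splitting on the single quote
# puts the file path in field 4. Reads log text on stdin.
rootkit_string_entries() {
    awk -F"'" '/Found string .* in file / {
        print "RTKT_FILE_WHITELIST=" $4
        print "USER_FILEPROP_FILES_DIRS=" $4
    }'
}

# Script-replacement warnings: the one-liner from the reply above, unchanged.
script_entries() {
    awk -F"'" '/replaced by a script/ { print "SCRIPTWHITELIST=" $2 }'
}

# Combine both, one option per line, duplicates removed. Review every path
# (for example, confirm the file really belongs to its Debian package) before
# appending the output to /etc/rkhunter.conf.local and then running
# 'rkhunter --propupd' followed by a fresh 'rkhunter -c'.
generate_whitelist() {
    log=$(cat)
    {
        printf '%s\n' "$log" | rootkit_string_entries
        printf '%s\n' "$log" | script_entries
    } | sort -u
}

# Count how many entries were generated for one option name ($1); stdin is
# the output of generate_whitelist. grep -c prints 0 on no match.
count_entries() {
    grep -c "^$1=" || true
}

printf '%s\n' "$SAMPLE_LOG" | generate_whitelist
```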
Old 01-06-2010, 08:42 AM   #5
the trooper
Senior Member
 
Registered: Jun 2006
Location: England
Distribution: Debian Jessie Amd64
Posts: 1,476

Original Poster
Thanks unSpawn, whitelisting the scripts where you suggested has stopped the Xzibit rootkit message.

Quote:
Also please note that, as per all Rootkit Hunter docs, the main place to discuss all things Rootkit Hunter is the rkhunter-users mailing list.
OK, I'll bear that in mind for the future.
 
  

