I have just been checking one of my machines with rkhunter and got the following result:
[17:50:08] Warning: Checking for possible rootkit strings [ Warning ]
[17:50:09] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[17:50:09] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
Using a well known search engine shows that others have come across this before:
I have installed the current version of rkhunter from Debian's Unstable repo, but I still have the same result as above.
I now check the rkhunter wiki, which mentions the same problem:
Here is an example on my system to remove a false positive for a certain rootkit that hit hdparm.
After updating the properties database and doing a new scan, the sh function created further RKH warnings, so I then added a whitelist after confirming the contents of the script were indeed a false positive.
So I have now whitelisted the above mentioned scripts, re-run rkhunter --propupd
and re-run rkhunter, but I am still getting the warning message?
At this point I can't be sure whether this is my error or if there is something more with the whitelisted scripts? I can post the contents of those scripts if someone more knowledgeable than me could look over them?
The above is on a Debian Testing/Unstable amd64 box.
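Before whitelisting a script that rkhunter flags for a rootkit string, it is worth confirming the file is still the one the Debian package installed. The following is an added example, not code from the original post or from rkhunter: it assumes a Debian system and compares the flagged init scripts against the MD5 sums dpkg records for conffiles in /var/lib/dpkg/status, using constructed sample data (a clean checkroot.sh and a tampered bootlogd) for the demonstration.

```python
#!/usr/bin/env python3
"""Check whether files rkhunter flagged are unmodified Debian conffiles
(added example, not part of the original post or of rkhunter)."""
import hashlib
import sys

def parse_conffiles(status_text):
    """Map conffile path -> (package, md5) from dpkg 'status' file text."""
    found, pkg, in_block = {}, None, False
    for line in status_text.splitlines():
        if line.startswith("Package:"):
            pkg, in_block = line.split(":", 1)[1].strip(), False
        elif line.startswith("Conffiles:"):
            in_block = True
        elif in_block and line.startswith(" "):
            parts = line.split()          # "<path> <md5> [obsolete]"
            if len(parts) >= 2:
                found[parts[0]] = (pkg, parts[1])
        else:
            in_block = False
    return found

def check_flagged(paths, status_text, read_file):
    """Return {path: verdict}; read_file(path) must return the file's bytes."""
    conffiles = parse_conffiles(status_text)
    verdicts = {}
    for path in paths:
        if path not in conffiles:
            verdicts[path] = "unknown"    # not a dpkg conffile: inspect by hand
            continue
        pkg, expected = conffiles[path]
        actual = hashlib.md5(read_file(path)).hexdigest()
        verdicts[path] = "unmodified" if actual == expected else "modified"
    return verdicts

# Constructed sample data standing in for /var/lib/dpkg/status and the scripts.
GOOD = b"#! /bin/sh\n# checkroot.sh: run hdparm before remounting root\nhdparm -q /dev/sda\n"
TAMPERED = b"#! /bin/sh\n# bootlogd\nhdparm -q /dev/sda\necho line-added-after-install\n"
SAMPLE_FILES = {"/etc/init.d/checkroot.sh": GOOD, "/etc/init.d/bootlogd": TAMPERED}
SAMPLE_STATUS = (
    "Package: initscripts\nConffiles:\n"
    f" /etc/init.d/checkroot.sh {hashlib.md5(GOOD).hexdigest()}\n"
    "Package: bootlogd\nConffiles:\n"
    " /etc/init.d/bootlogd 00000000000000000000000000000000\n"   # stale sum: file was changed
)

def demo():
    """Run the check over the constructed sample."""
    return check_flagged(sorted(SAMPLE_FILES), SAMPLE_STATUS, SAMPLE_FILES.__getitem__)

if __name__ == "__main__":   # live run: python3 check.py /etc/init.d/checkroot.sh ...
    with open("/var/lib/dpkg/status") as f:
        status = f.read()
    for p, v in check_flagged(sys.argv[1:], status, lambda p: open(p, "rb").read()).items():
        print(f"{p}: {v}")
```

A file reported as "modified" or "unknown" deserves a manual read (or a reinstall of the owning package) rather than a whitelist entry.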