LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-27-2012, 04:58 PM   #1
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 135

Rep: Reputation: 1
rkhunter reported RH-Sharpe's Rootkit


Hi,

rkhunter reported RH-Sharpe's Rootkit. In /var/log/rkhunter.log file there is information that potential rootkit is in the executable perl script /usr/bin/slice.
I have contacted rootkit.nl but they told me to ask for help on internet.

Could please anybody help me how to investigate if it is true or false positive ?

thank you,
regards,
M.
 
Old 02-27-2012, 08:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by masuch View Post
rkhunter reported RH-Sharpe's Rootkit. In /var/log/rkhunter.log file there is information that potential rootkit is in the executable perl script /usr/bin/slice.
Verify the file belongs to the package that contains it (prolly called "slice" ;-p) then white-list it.


Quote:
Originally Posted by masuch View Post
I have contacted rootkit.nl but they told me to ask for help on internet.
I often wonder why people refuse to read files that are aptly named FAQ or README:

Quote:
ROOTKIT HUNTER GENERAL SUPPORT
==============================

If a problem is found with RKH, it is recommended that users initially
try and resolve the problem themselves. This can be done by first
checking the FAQ file, which is present in your installation if the
distributed tarball is used as source. The FAQ will contain answers
to many common problems. The latest version of the FAQ can always be
found at RKH's project pages on SourceForge, in the 'Documentation'
section.

If the problem has occurred directly after upgrading RKH, then please
check the CHANGELOG file. It will contain information about changes
made since the previous version of RKH, and may indicate why you are
now experiencing a problem.

Users should also check the rkhunter-users mailing list archives
(available on the web site). The problem will be investigated by the
RKH development team, and, where appropriate, a solution posted on the
mailing list. Hence the mailing list archives may well contain a
solution to the problem.

Additionally, users should check the RKH tracker system (available at
http://sourceforge.net/tracker/?group_id=155034). It is quite
possible that the problem has already been reported to us as a bug or
support request. It is also possible that a fix for the problem has
been provided in the tracker log.

Depending upon the nature of the problem it may be worthwhile trying
an Internet search (for example using google), to see if anyone else
has experienced a similar problem.

Finally, if you have still not found an answer to the problem, then
mail it to the rkhunter-users mailing list
. Please provide as much
information as possible about the problem, but do not make the
message excessively long! Information such as your operating system
and version of RKH should always be included.

Please be advised that while you are free to ask for advice in your
favourite IRC channel, all-purpose forum or distribution mailing list,
the demonstrated level of general and security knowledge and experience,
and therefore the quality of responses, may vary (very much).

If you are sure the problem is a bug, or want it considered as a
support request, then please submit it directly into the tracker
system.
 
Old 02-28-2012, 06:25 AM   #3
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 135

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by unSpawn View Post
Verify the file belongs to the package that contains it (prolly called "slice" ;-p) then white-list it.



I often wonder why people refuse to read files that are aptly named FAQ or README:
Meybe because the answer is not there. I am sorry, I missed to try IRC channels.
 
  


Reply

Tags
rkhunter, rootkit


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
rkhunter scan: 1 Rootkit & 6 Possible Suspect Files /var/log/rkhunter.log included Mollusc Linux - Security 10 09-29-2011 08:43 AM
Rootkit Hunter reported warnings qrange Linux - Security 3 02-04-2011 01:39 PM
X freezing, rkhunter warns about Adore Rootkit MTK358 Linux - Security 3 03-09-2010 12:01 AM
rootkit hunter false positive for Xzibit Rootkit on CentOS 4.8? abefroman Linux - Security 2 12-20-2009 08:19 AM
/var/log/rkhunter.log - rkhunter's (rootkit detection) logfile ahartman Linux - Security 1 07-04-2009 05:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration