rkhunter reported RH-Sharpe's Rootkit

masuch · 02-27-2012, 04:58 PM

Hi,

rkhunter reported RH-Sharpe's Rootkit. In /var/log/rkhunter.log file there is information that potential rootkit is in the executable perl script /usr/bin/slice.
I have contacted rootkit.nl but they told me to ask for help on internet.

Could please anybody help me how to investigate if it is true or false positive ?

thank you,
regards,
M.

unSpawn · 02-27-2012, 08:01 PM

Quote:

Originally Posted by masuch

rkhunter reported RH-Sharpe's Rootkit. In /var/log/rkhunter.log file there is information that potential rootkit is in the executable perl script /usr/bin/slice.

Verify the file belongs to the package that contains it (prolly called "slice" ;-p) then white-list it.

Quote:

Originally Posted by masuch

I have contacted rootkit.nl but they told me to ask for help on internet.

I often wonder why people refuse to read files that are aptly named FAQ or README:

Quote:

ROOTKIT HUNTER GENERAL SUPPORT
==============================

If a problem is found with RKH, it is recommended that users initially
try and resolve the problem themselves. This can be done by first
checking the FAQ file, which is present in your installation if the
distributed tarball is used as source. The FAQ will contain answers
to many common problems. The latest version of the FAQ can always be
found at RKH's project pages on SourceForge, in the 'Documentation'
section.

If the problem has occurred directly after upgrading RKH, then please
check the CHANGELOG file. It will contain information about changes
made since the previous version of RKH, and may indicate why you are
now experiencing a problem.

Users should also check the rkhunter-users mailing list archives
(available on the web site). The problem will be investigated by the
RKH development team, and, where appropriate, a solution posted on the
mailing list. Hence the mailing list archives may well contain a
solution to the problem.

Additionally, users should check the RKH tracker system (available at
http://sourceforge.net/tracker/?group_id=155034). It is quite
possible that the problem has already been reported to us as a bug or
support request. It is also possible that a fix for the problem has
been provided in the tracker log.

Depending upon the nature of the problem it may be worthwhile trying
an Internet search (for example using google), to see if anyone else
has experienced a similar problem.

Finally, if you have still not found an answer to the problem, then
mail it to the rkhunter-users mailing list. Please provide as much
information as possible about the problem, but do not make the
message excessively long! Information such as your operating system
and version of RKH should always be included.

Please be advised that while you are free to ask for advice in your
favourite IRC channel, all-purpose forum or distribution mailing list,
the demonstrated level of general and security knowledge and experience,
and therefore the quality of responses, may vary (very much).

If you are sure the problem is a bug, or want it considered as a
support request, then please submit it directly into the tracker
system.

masuch · 02-28-2012, 06:25 AM

Quote:

Originally Posted by unSpawn

Verify the file belongs to the package that contains it (prolly called "slice" ;-p) then white-list it.

I often wonder why people refuse to read files that are aptly named FAQ or README:

Meybe because the answer is not there. I am sorry, I missed to try IRC channels.