One of the first things people should do is not run the software but read the README, FAQ and other documentation. In the case of RKH it clearly states where one should look (rkhunter-users mailing list archives) and ask (rkhunter-users mailing list)...
Quote:
Originally Posted by flyingpigs
Warning: The following processes are using deleted files:
Process: /sbin/init PID: 1 File: /var/log/upstart/systemd-logind.log.1
Process: /usr/sbin/cups-browsed PID: 1168 File: /etc/passwd
|
Common causes are log rotation, (temporary) file usage and such. From the file names in /home/pwn20wn/ it looks like a desktop environment session. Most importantly: any file still open on a file descriptor could be copied out and inspected if unsure (as in 'strings /path/to/file|less;' or somesuch).
Quote:
Originally Posted by flyingpigs
Warning: Process '/sbin/wpa_supplicant' (PID 1167) is listening on the network.
Warning: Process '/sbin/dhclient' (PID 1349) is listening on the network.
|
While file names or argv[0] aren't exactly good indicators (so verify using your package management features), these are common false positives.
Quote:
Originally Posted by flyingpigs
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
|
It's ASCII text. Read it and see.
Quote:
Originally Posted by flyingpigs
Warning: Hidden directory found: /etc/.java: directory
Warning: Hidden directory found: /dev/.udev: directory
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
|
"Hidden" here means a file name that starts with a dot. Old school. False positives most of the time.
Quote:
Originally Posted by flyingpigs
Warning: Application 'openssl', version '1.0.1f', is out of date, and possibly a security risk.
|
Check your distro's package info and know that using the RKH application version check was discouraged a long time ago. (The latter because we all like to use stuff. But help maintain it? No thanks...)