When you run rkhunter on Debian Linux, you might get a warning during the check for hidden files and directories that some hidden files were found in /dev. A closer look at the rkhunter output shows the names /dev/.static, /dev/.udev and /dev/.initramfs, which are normal directories on Debian and not related to an attack on your system. The warnings in rkhunter.log are:

[10:21:40] Warning: Hidden directory found: /dev/.static
[10:21:40] Warning: Hidden directory found: /dev/.udev
[10:21:40] Warning: Hidden directory found: /dev/.initramfs

To avoid these warnings, you can reconfigure rkhunter to ignore these files by editing the rkhunter.conf file:

vi /etc/rkhunter.conf

and remove the # in front of the following lines:

ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
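
The same change done from a script instead of by hand in vi, as an added example that is not part of the original post: it uncomments the three ALLOWHIDDENDIR lines in a copy of rkhunter.conf (or appends them if the commented template lines are missing), keeps a .bak copy, and is safe to run twice. The function names, the CONF parameter and the sample config in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not rkhunter's own tooling. Whitelist the hidden /dev
# directories Debian creates so rkhunter stops reporting them. Review each
# directory first (ls -la /dev/.udev) before adding it to the whitelist.

# Return 0 if an active (uncommented) ALLOWHIDDENDIR line for DIR is in CONF.
allowhidden_enabled() {
    conf="$1"; dir="$2"
    esc=$(printf '%s' "$dir" | sed 's/\./\\./g')   # escape regex dots
    grep -q "^[[:space:]]*ALLOWHIDDENDIR=$esc\$" "$conf"
}

# Uncomment "#ALLOWHIDDENDIR=DIR" in CONF, or append the line if absent.
# Idempotent: an already active entry is left alone. Keeps CONF.bak once.
enable_allowhidden() {
    conf="$1"; dir="$2"
    if allowhidden_enabled "$conf" "$dir"; then
        return 0
    fi
    [ -f "$conf.bak" ] || cp "$conf" "$conf.bak"
    esc=$(printf '%s' "$dir" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*#[[:space:]]*ALLOWHIDDENDIR=$esc\$" "$conf"; then
        # Strip the leading comment marker on that exact line only.
        # Write to a temp file and rename: portable, unlike sed -i.
        sed "s|^[[:space:]]*#[[:space:]]*\(ALLOWHIDDENDIR=$esc\)\$|\1|" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'ALLOWHIDDENDIR=%s\n' "$dir" >> "$conf"
    fi
    allowhidden_enabled "$conf" "$dir"
}

# The three entries the post says are normal on Debian.
DEBIAN_HIDDEN_DIRS="/dev/.udev /dev/.static /dev/.initramfs"

# Enable all three in CONF; returns non-zero if any entry could not be set.
enable_debian_hidden_dirs() {
    for d in $DEBIAN_HIDDEN_DIRS; do
        enable_allowhidden "$1" "$d" || return 1
    done
}

# Usage (as root):  enable_debian_hidden_dirs /etc/rkhunter.conf
```

After running it against /etc/rkhunter.conf, re-run `rkhunter -c` to confirm only the three warnings above disappeared and nothing else changed.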

Reconfigure rkhunter to avoid false positive warnings on Debian 5.0

4 thoughts on “Reconfigure rkhunter to avoid false positive warnings on Debian 5.0”


    Another line that usually scares the sh*t out of newbies running rkhunter is this:

    ‘Warning: Checking for possible rootkit strings [ Warning ]
    Found string ‘hdparm’ in file ‘/etc/init.d/.depend.boot’. Possible rootkit: Xzibit Rootkit
    Found string ‘hdparm’ in file ‘/etc/init.d/hdparm’. Possible rootkit: Xzibit Rootkit’

    The explanation and solution is in README.Debian (within rkhunter’s doc directory).


    Thank you so much! … “explanation and solution is in README.Debian” … yes yes yes *g


    This does not work in Rootkit Hunter 1.3.8 for /dev/.initramfs on Debian/Ubuntu. I have seen a comment on the Internet that this bug has received a patch but have been unable to locate the update. A simple pointer to the place in the bash script to fix this would be appreciated.


    thanks for sharing! this worked out also on a CentOS 6 machine…

