When you run rkhunter on Debian Linux, its check for hidden files and directories might warn that some hidden files were found in /proc. A closer look at the rkhunter output might bring up the file names /dev/.static, /dev/.udev and /dev/.initramfs, which are normal files on Debian and not related to an attack on your system. The warnings in rkhunter.log are:
[10:21:40] Warning: Hidden directory found: /dev/.static
[10:21:40] Warning: Hidden directory found: /dev/.udev
[10:21:40] Warning: Hidden directory found: /dev/.initramfs
To avoid these warnings, you can reconfigure rkhunter to ignore these files by editing the rkhunter.conf file:
vi /etc/rkhunter.conf
and remove the # in front of the following lines:
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
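The same edit done from a script, as an added example that is not part of the original post: it uncomments an existing ALLOWHIDDENDIR line (or appends one if it is missing) without ever creating a duplicate, and it takes the config path as an argument so you can try it on a copy of /etc/rkhunter.conf first.

```shell
#!/bin/sh
# Added example, not code from the original post: enable an ALLOWHIDDENDIR
# whitelist entry in an rkhunter.conf-style file without duplicating it.
# Usage: allow_hidden_dir /path/to/rkhunter.conf /dev/.udev

# Escape the dots in a path such as /dev/.udev so the regex matches only
# that exact path and not, say, /dev/Xudev.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

allow_hidden_dir() {
    conf=$1
    dir=$2
    pat=$(escape_re "$dir")
    # Already active: nothing to do, so repeated runs are idempotent.
    if grep -q "^ALLOWHIDDENDIR=${pat}\$" "$conf"; then
        return 0
    fi
    # Commented-out entry present (the Debian default): drop the leading '#'
    # and any spaces after it.
    if grep -q "^#[[:space:]]*ALLOWHIDDENDIR=${pat}\$" "$conf"; then
        sed "s|^#[[:space:]]*ALLOWHIDDENDIR=${pat}\$|ALLOWHIDDENDIR=${dir}|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        return 0
    fi
    # No entry at all: append the exact path (never a wildcard), so only the
    # known Debian directories end up whitelisted.
    printf 'ALLOWHIDDENDIR=%s\n' "$dir" >> "$conf"
}

# Number of active whitelist lines for one directory; exactly 1 after the edit.
count_allowed() {
    pat=$(escape_re "$2")
    grep -c "^ALLOWHIDDENDIR=${pat}\$" "$1" || true
}
```

Run `rkhunter -C` afterwards to make sure the edited file still parses before the next scheduled scan.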
Another line that usually scares the sh*t out of newbies running rkhunter is this:
‘Warning: Checking for possible rootkit strings [ Warning ]
Found string ‘hdparm’ in file ‘/etc/init.d/.depend.boot’. Possible rootkit: Xzibit Rootkit
Found string ‘hdparm’ in file ‘/etc/init.d/hdparm’. Possible rootkit: Xzibit Rootkit’
The explanation and solution are in README.Debian (within rkhunter’s doc directory).
Thank you so much! … “explanation and solution is in README.Debian” … yes yes yes *g
This does not work in Rootkit Hunter 1.3.8 for /dev/.initramfs on Debian/Ubuntu. I have seen a comment on the Internet that this bug has received a patch but have been unable to locate the update. A simple pointer to the place in the bash script to fix this would be appreciated.
Thanks for sharing! This also worked on a CentOS 6 machine…