On Fri, 04 Dec 2009 19:30:29 +0100 Mike McCarty <mike.mcca...@sbcglobal.net> wrote:
>[11:55:06] Info: Starting test name 'possible_rkt_files'
>(..)
>[11:55:17] Found directory '/dev/ida'. Possible rootkit: Possible rootkit component
>
>(I see nothing suspicious in that directory.)

So what is causing the directory to exist? Do you use a Compaq Smart Raid or equivalent array that uses /dev/ida/?

>[11:55:54] Found string 'hdparm' in file
>'/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
>
>(Well, it's certainly in there, but it appears correct to me.)

Thanks for reporting. The mailing list archives by now should contain enough references to whitelisting hdparm false positives using RTKT_FILE_WHITELIST (+ USER_FILEPROP_FILES_DIRS).

Regards, unSpawn
---
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users