On Sat, 2012-05-12 at 18:48 +0200, Tomas Ligursky wrote:
> 2012/5/9 John Horne:
> > On Tue, 2012-05-08 at 15:37 +0200, Tomas Ligursky wrote:
> > > Hello,
> > >
> > > I am new to rkhunter and would like to ask for help. I use Kubuntu
> > > 11.10 and I have performed a scan with rkhunter version 1.4.0. Besides
> > > other warnings discussed many times before, I got the following:
> > > ...
> > > [12:30:18] Info: Starting test name 'filesystem'
> > > [12:30:18] Performing filesystem checks
> > > [12:30:18] Info: SCAN_MODE_DEV set to 'THOROUGH'
> > > [12:30:18]   Checking /dev for suspicious file types         [ Warning ]
> > > [12:30:18] Warning: Suspicious file types found in /dev:
> > > [12:30:18]          /dev/.udev/rules.d/root.rules: ASCII text
> > > ...
> > >
> > > Although I guess that /dev/.udev/rules.d/root.rules is a regular file,
> > > I am no Ubuntu expert and I do not know whether mine is
> > > corrupted in some way. A copy is attached.
> > >
> > I don't run Ubuntu myself, but I would have said that perhaps asking on
> > an Ubuntu list as to whether the file is valid or not would have been
> > better.
> 
> Thank you, John. Probably, you're right.
> 
> Nevertheless, any idea why rkhunter flagged the file as suspicious?
> Just because it is present in the /dev directory, or could there be yet
> another reason?
> 
It is suspicious because it is not usual to have plain text files in
the /dev directory.

Unfortunately it seems to be becoming a bit more common in some Linux
distros. Yet I have seen no change in the Filesystem Hierarchy Standard
(FHS), so text files should not be present or rather should still be
considered suspicious.



John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
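
The idea behind the /dev check discussed in this thread can be reproduced by hand to triage such a warning. The script below is an added example, not rkhunter's own code and not part of the original messages; the function names `dev_regular_files`, `describe_file` and `report_dev` are hypothetical.

```shell
#!/bin/sh
# Added illustration, not rkhunter's code: list regular files under a
# directory such as /dev, where device nodes, directories, symlinks,
# FIFOs and sockets are expected but plain files are unusual.

# Print every regular file below DIR ($1), one path per line, sorted.
# find does not follow symlinks by default, so link targets are ignored.
dev_regular_files() {
    find "$1" -type f 2>/dev/null | sort
}

# Print one triage line for a file: content type, mode, owner:group, size.
describe_file() {
    if command -v file >/dev/null 2>&1; then
        ftype=$(file -b -- "$1")      # e.g. "ASCII text", as in the log above
    else
        ftype="regular file (file(1) not installed)"
    fi
    meta=$(ls -ld -- "$1" | awk '{print $1, $3 ":" $4, $5 " bytes"}')
    printf '%s: %s [%s]\n' "$1" "$ftype" "$meta"
}

# Report all regular files under DIR ($1).
# Returns 0 when none are found, 1 when at least one needs review.
report_dev() {
    list=$(dev_regular_files "$1")
    [ -z "$list" ] && return 0
    printf '%s\n' "$list" | while IFS= read -r f; do
        describe_file "$f"
    done
    return 1
}

# Scan the real /dev only when invoked as: sh script.sh scan
if [ "${1:-}" = "scan" ]; then
    report_dev /dev || echo "Review the files listed above."
fi
```

A listed file is not proof of compromise; the owner, mode and content type help decide whether it is something the distribution's own tooling created.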

