Bug 339714 - app-forensics/rkhunter: false positive with 'hidef' string in sys-apps/openrc's /etc/init.d/net.lo
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal with 2 votes
Assignee: Michael Palimaka (kensington)
Reported: 2010-10-04 14:58 UTC by Thomas Capricelli
Modified: 2018-03-18 00:00 UTC
Description Thomas Capricelli 2010-10-04 14:58:55 UTC
rkhunter complains that:
Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit

A quick grep gives:
        local hidefirstroute=false first=true
                        hidefirstroute=true
                if ${hidefirstroute}; then
                        hidefirstroute=false

and I have that on several computers; I don't think I actually have a rootkit on all those computers.

Reproducible: Always
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2010-10-04 15:31:05 UTC
Please update to recent versions and reopen if problem still exists.
Comment 2 Thomas Capricelli 2010-10-04 15:41:14 UTC
happens with sys-apps/openrc-0.6.3 too, which seems to be the most recent version on ~amd64
Comment 3 SpanKY gentoo-dev 2010-10-05 19:57:48 UTC
rkhunter sucks, not openrc
Comment 4 Thomas Capricelli 2010-10-05 20:38:22 UTC
mm.. fair enough ;-)
Comment 5 Xake 2011-04-11 09:39:20 UTC
Maybe rkhunter should whitelist some known Gentoo things by default (like "hidef" in net.lo, or "hdparm" being in the hdparm and pciparm scripts)? At least the latest upstream version supports this.

You could add a "Gentoo section" at the end of the config file, where known stuff like /dev/.udev and more is whitelisted, and make an elog about the need to adjust it if you do not run a "default" system.
Comment 6 Randy Tupas 2011-04-17 17:42:46 UTC
Using Rootkit Hunter version 1.3.4,

Added: RTKT_FILE_WHITELIST="/etc/init.d/net.lo" to /etc/rkhunter.conf,
but still receive "hidef" warning.

Is this resolved in the unstable version of rkhunter?
Comment 7 Marek Królikowski 2011-05-11 05:30:05 UTC
Exactly the same here.
After yesterday's upgrade to the stable version sys-apps/openrc-0.8.2-r1,
my rkhunter sent me this email today:
[07:21:44] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit


I use stable Openrc sys-apps/openrc-0.8.2-r1
and
stable rkhunter: app-forensics/rkhunter-1.3.4-r3

Thanks
Comment 8 neepie 2011-05-22 13:57:55 UTC
Same problem here:

Just like Marek above, I'm running sys-apps/openrc-0.8.2-r1 and app-forensics/rkhunter-1.3.4-r3.

I've (temporarily) solved this by changing the init.d script for net.lo. I've renamed the variable hidefirstroute to hide_firstroute, and that seems to have solved the problem and, as far as I can tell so far, has not broken anything.

Of course this is not a solution unless it's done upstream, but at least it did get rid of these warnings for now.
Comment 9 Ivan Todorović 2011-05-23 09:42:39 UTC
I got rid of this problem by installing rkhunter 1.3.8 and having this line in /etc/rkhunter.conf:

RTKT_FILE_WHITELIST="/etc/init.d/net.lo:hidef"
Comment 10 James Broadhead 2011-10-16 19:16:02 UTC
Still present in app-forensics/rkhunter-1.3.8.

Should Ivan's config patch be provided by the ebuild?
Comment 11 Alex Efros 2012-01-08 05:26:43 UTC
Same here. This is a fix, but I also think it should be provided by default, at least until upstream fixes these false positives.

RTKT_FILE_WHITELIST="/etc/init.d/pciparm:hdparm /etc/init.d/hdparm:hdparm /etc/init.d/net.lo:hidef"
Comment 12 Coacher 2012-12-13 09:29:43 UTC
This is still an issue with rkhunter-1.4.0 and openrc-0.11.8.
/etc/init.d/net.lo is still detected as hidef; however, hdparm and pciparm are not detected anymore.

My rkhunter's tests are all, except for DISABLE_TESTS="hidden_procs deleted_files".

A whitelist helps, but adding a small patch for rkhunter or renaming the local variable in the net.lo init script would be much appreciated.
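The three things the thread circles around are the plain substring search that turns OpenRC's hidefirstroute variable into a Knark hit, the "pathname:string" RTKT_FILE_WHITELIST entry from comments 9 and 11, and the variable rename from comment 8. The script below is an added example, not rkhunter's or OpenRC's own code: it models only that substring check and that one whitelist form, and the strings table, whitelist and file contents are constructed.

```shell
#!/bin/sh
# Added example (not rkhunter's code): a minimal model of the known-rootkit
# string check and the "pathname:string" whitelist form. Constructed data only.

# Known-rootkit strings as "name:string" pairs (constructed subset of one entry).
RKT_STRINGS="Knark:hidef"

# Scan one file: print a warning per matching string, skipping any pair that
# appears in the whitelist exactly as "pathname:string". Returns 1 on any warning.
scan_file() {
  path=$1; whitelist=$2; rc=0
  for pair in $RKT_STRINGS; do
    name=${pair%%:*}; str=${pair#*:}
    grep -q -- "$str" "$path" || continue      # plain substring match, no word boundary
    skip=0
    for entry in $whitelist; do
      [ "$entry" = "$path:$str" ] && skip=1
    done
    [ "$skip" = 1 ] && continue
    echo "Warning: Found string '$str' in file '$path'. Possible rootkit: Possible part of $name rootkit"
    rc=1
  done
  return $rc
}

# Constructed stand-in for the net.lo lines quoted in the bug report.
make_sample() {
  printf '%s\n' '        local hidefirstroute=false first=true' \
                '                if ${hidefirstroute}; then' > "$1"
}

demo() {
  tmp=$(mktemp -d); f="$tmp/net.lo"
  make_sample "$f"
  scan_file "$f" "" || echo "(false positive: 'hidef' is a substring of 'hidefirstroute')"
  scan_file "$f" "$f:hidef" && echo "(silenced by whitelist entry $f:hidef)"
  sed 's/hidefirstroute/hide_firstroute/g' "$f" > "$tmp/net.lo.renamed"
  scan_file "$tmp/net.lo.renamed" "" && echo "(silenced by renaming the variable)"
  rm -rf "$tmp"
}

demo
```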
Comment 13 Michael Palimaka (kensington) gentoo-dev 2018-03-18 00:00:56 UTC
I can't reproduce this on an updated system. If it still happens, please reopen the bug and I'll investigate further.