rkhunter complains that:
Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit
A quick grep gives:
local hidefirstroute=false first=true
hidefirstroute=true
if ${hidefirstroute}; then
hidefirstroute=false
and I have that on several computers, I don't think I actually have a rootkit on all those computers.
Reproducible: Always
Please update to recent versions and reopen if problem still exists.
happens with sys-apps/openrc-0.6.3 too, which seems to be the most recent version on ~amd64
rkhunter sucks, not openrc
mm.. fair enough ;-)
Maybe rkhunter should whitelist some known Gentoo things by default (like "hidef" in net.lo, "hdparm" being in the hdparm and pciparm scripts)? At least the latest upstream version supports this. You could add a "Gentoo section" at the end of the config file, where known stuff like /dev/.udev and more is whitelisted, and make an elog about the need to adjust if you do not run a "default" system.
Using Rootkit Hunter version 1.3.4, Added: RTKT_FILE_WHITELIST="/etc/init.d/net.lo" to /etc/rkhunter.conf, but still receive "hidef" warning. Is this resolved in the unstable version of rkhunter?
Exactly the same here. After yesterday's upgrade to stable version sys-apps/openrc-0.8.2-r1 my rkhunter sent me an email today:
[07:21:44] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit
I use stable OpenRC sys-apps/openrc-0.8.2-r1 and stable rkhunter: app-forensics/rkhunter-1.3.4-r3
Thanks
Same problem here: just like Marek above I'm running sys-apps/openrc-0.8.2-r1 and app-forensics/rkhunter-1.3.4-r3. I've (temporarily) solved this by changing the init.d script for net.lo. I've renamed the variable hidefirstroute to hide_firstroute and that seems to have solved the problem and (as far as I can tell so far) has not broken anything. Of course this is not a solution unless it's done upstream, but at least it did get rid of these warnings for now.
I got rid of this problem by installing rkhunter 1.3.8 and having this line in /etc/rkhunter.conf: RTKT_FILE_WHITELIST="/etc/init.d/net.lo:hidef"
Still present in app-forensics/rkhunter-1.3.8. Should Ivan's config patch be provided by the ebuild?
Same here. This is a fix, but I also think it should be provided by default, at least until upstream fixes these false positives.
RTKT_FILE_WHITELIST="/etc/init.d/pciparm:hdparm /etc/init.d/hdparm:hdparm /etc/init.d/net.lo:hidef"
This is still an issue with rkhunter-1.4.0 and openrc-0.11.8. /etc/init.d/net.lo is still detected as hidef; however, hdparm and pciparm are not detected anymore. My rkhunter runs all tests except for DISABLE_TESTS="hidden_procs deleted_files". The whitelist helps, but adding a small patch for rkhunter or renaming the local variable in the net.lo init script would be much appreciated.
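The comments above show two whitelist shapes: a bare pathname (which did not silence the warning in 1.3.4) and the pathname:string form (which did in 1.3.8). The script below is an added example, not rkhunter's code or part of the Gentoo ebuild; it models that distinction with a constructed stand-in for /etc/init.d/net.lo and a constructed RTKT_FILE_WHITELIST, so an admin can check what a given whitelist line would and would not suppress before editing /etc/rkhunter.conf. The assumption it encodes is that a bare pathname entry covers only the "file exists" rootkit check, while a string-in-file hit needs the explicit pathname:string entry; the function names scan and string_whitelisted are invented here.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): models how RTKT_FILE_WHITELIST
# entries interact with a "Found string '...' in file '...'" warning.
# Assumption: only a "pathname:string" entry suppresses a string hit;
# a bare "pathname" entry is treated as whitelisting file existence only.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/etc/init.d"

# Constructed stand-in for the net.lo init script, containing the variable
# name that matches the Knark signature string 'hidef'.
cat > "$WORK/etc/init.d/net.lo" <<'EOF'
#!/sbin/runscript
local hidefirstroute=false first=true
if ${hidefirstroute}; then
    hidefirstroute=false
fi
EOF

# Constructed whitelist, shaped like the entry reported as working in 1.3.8.
RTKT_FILE_WHITELIST="$WORK/etc/init.d/pciparm:hdparm $WORK/etc/init.d/hdparm:hdparm $WORK/etc/init.d/net.lo:hidef"

# string_whitelisted FILE STRING -> 0 if the whitelist has "FILE:STRING".
# A bare "FILE" entry deliberately does not match here (existence check only).
string_whitelisted() {
    file=$1; string=$2
    for entry in $RTKT_FILE_WHITELIST; do
        case $entry in
            "$file:$string") return 0 ;;
        esac
    done
    return 1
}

# scan FILE STRING -> returns 0 (no warning) when the string is absent or
# whitelisted, 1 when a warning would be raised. Prints the outcome.
scan() {
    file=$1; string=$2
    if grep -q -- "$string" "$file"; then
        if string_whitelisted "$file" "$string"; then
            echo "suppressed: '$string' in '$file' is whitelisted"
            return 0
        fi
        echo "Warning: Found string '$string' in file '$file'"
        return 1
    fi
    echo "clean: '$file' does not contain '$string'"
    return 0
}

# Stand-alone run: the pathname:string entry suppresses the hit, a bare
# pathname entry does not.
scan "$WORK/etc/init.d/net.lo" hidef
RTKT_FILE_WHITELIST="$WORK/etc/init.d/net.lo"
scan "$WORK/etc/init.d/net.lo" hidef || echo "(bare pathname entry did not suppress it)"
RTKT_FILE_WHITELIST="$WORK/etc/init.d/pciparm:hdparm $WORK/etc/init.d/hdparm:hdparm $WORK/etc/init.d/net.lo:hidef"
```

Running it prints the suppressed result first and then the warning line once the whitelist is reduced to the bare pathname; the grep is a stand-in for rkhunter's signature scan and only illustrates the whitelist matching, so a clean result here is not a substitute for an actual rkhunter run.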
I can't reproduce this on an updated system. If it still happens, please reopen the bug and I'll investigate further.