chkrootkit strange results under opensuse

Hi,

I’m a long-term Ubuntu user who is fed up with Ubuntu Hardy, so I am trying openSUSE 11.

I just ran chkrootkit and got this back, which is far more than I’d normally get under Ubuntu:

Searching for suspicious files and dirs, it may take a while…
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Parse/RecDescent/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Parser/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Simple/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/XPath/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Writer/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Bare/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Parser/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Tagset/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/FBSet/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/URI/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SPP/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Term/ReadKey/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Locale/gettext/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SaX/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Net/Daemon/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Purple/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Pidgin/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/File/Tail/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/X500/DN/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/LWP/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Bootloader/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/ycp/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SSLeay/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SmbHash/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/MD4/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/SHA1/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBI/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XFree/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/PLog/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/XML/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/PlServer/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Config/Crontab/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBD/SQLite/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/TimeDate/.packlist
/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/CVT/.packlist
/usr/lib/perl5/5.10.0/i586-linux-thread-multi/.packlist

Any ideas? Anything to worry about?

Thanks

For what it’s worth, I ran rkhunter, and the issues it highlighted are:

[20:43:48] Checking for passwd file changes Warning ]
[20:43:48] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[20:43:48] Info: Starting test name ‘group_changes’
[20:43:48] Checking for group file changes Warning ]
[20:43:49] Warning: Unable to check for group file differences: no copy of the group file exists.

[20:43:50] Checking /dev for suspicious file types Warning ]
[20:43:50] Warning: Suspicious file types found in /dev:
[20:43:50] /dev/shm/pulse-shm-3921141793: data
[20:43:50] /dev/shm/pulse-shm-1887517512: data
[20:43:50] /dev/shm/sysconfig/config-wlan0: ASCII text
[20:43:50] Checking for hidden files and directories Warning ]
[20:43:50] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression

Thanks

What version of SUSE, and is this a clean install? I honestly suspect they may be false positives.

Though it is a little strange you have a hidden one in man, I still think they’re false positives. You may need to do the investigating: look at the files referenced.

Once you have ruled them out I wouldn’t concern yourself; I would be more concerned had you found a rootkit.

Clarity

“False positives” is a bit incorrect; they are warnings. I get some on another distro, in my case because they’re scripts rather than binaries. Checking them with cat confirms they’re not malicious.

This is openSUSE 11 and a clean install done yesterday. I’m only installing software from the repos provided, with the exception of adding Index of /repositories/home:/lrupp/openSUSE_11.0 to get rkhunter…

So nothing to worry about?

Thanks

I certainly wouldn’t have thought you have anything to worry about. I suspect pulse** is part of PulseAudio, which is relatively new and probably hasn’t been parsed out yet.

/dev/shm is temp IIRC; I really wouldn’t have thought you would need to worry about anything. I suspect a later version will get rid of these warnings.

The others are probably just being looked for in a different place; note they say missing.

You can try googling the warnings if you really are super paranoid, but I honestly wouldn’t be too concerned.

Also, this is rkhunter mainly; in regards to chkrootkit, again I’m not sure there is much to worry about. They all seem to be Perl libs and you’ve implied they came from reputable sources.

Grand, thank you :slight_smile:

yeleek wrote:
>
> I just ran chkrootkit and got this back, which is far more than I’d
> normally get under Ubuntu:
>
> Searching for suspicious files and dirs, it may take a while…
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Parse/RecDescent/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Parser/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Simple/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/XPath/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Writer/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Bare/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Parser/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Tagset/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/FBSet/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/URI/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SPP/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Term/ReadKey/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Locale/gettext/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SaX/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Net/Daemon/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Purple/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Pidgin/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/File/Tail/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/X500/DN/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/LWP/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Bootloader/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/ycp/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SSLeay/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SmbHash/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/MD4/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/SHA1/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBI/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XFree/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/PLog/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/XML/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/PlServer/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Config/Crontab/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBD/SQLite/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/TimeDate/.packlist
> /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/CVT/.packlist
> /usr/lib/perl5/5.10.0/i586-linux-thread-multi/.packlist

Funny. Looks like chkrootkit sees .packlist files as suspicious. Which they aren’t.
Just have a look at them yourself, they’re plain text. :slight_smile:

Maybe some rootkit uses a .packlist, but many non-rootkit programs do so too.

HTH
T.

It’s probably the fact they’re hidden, rather than the .packlist itself. At least that’s my presumption.

yeleek wrote:
> For what it’s worth, I ran rkhunter, and the issues it highlighted are:
>
>
> [20:43:48] Checking for passwd file changes Warning
> ]
> [20:43:48] Warning: Unable to check for passwd file differences: no
> copy of the passwd file exists.
> [20:43:48] Info: Starting test name ‘group_changes’
> [20:43:48] Checking for group file changes Warning
> ]
> [20:43:49] Warning: Unable to check for group file differences: no copy
> of the group file exists.

That would be normal if you ran rkhunter for the first time. In that
case, obviously there can be no previous state to compare against.

> [20:43:50] Checking /dev for suspicious file types Warning
> ]
> [20:43:50] Warning: Suspicious file types found in /dev:
> [20:43:50] /dev/shm/pulse-shm-3921141793: data
> [20:43:50] /dev/shm/pulse-shm-1887517512: data
> [20:43:50] /dev/shm/sysconfig/config-wlan0: ASCII text

rkhunter considers non-device files in /dev as suspicious, which might
have been sensible before the arrival of udev, though one should check
the files in question before panicking, anyway. But nowadays /dev is
a mounted pseudo filesystem, so the files below it are not plain files
even if it looks as if they were.

> [20:43:50] Checking for hidden files and directories Warning
> ]
> [20:43:50] Warning: Hidden file found:
> /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max
> compression

Ooo-kay. Well, rkhunter complaining about that makes me smile.
“.k5login.5.gz” is the manpage for the hidden file “.k5login”.
Type “man .k5login” to see what I mean. Technically it is indeed
a hidden file (it starts with a dot), but I wouldn’t be overly
concerned by that - a man page is hardly a sign of a rootkit.

HTH
T.
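A triage helper for the two kinds of findings discussed in this thread (the chkrootkit .packlist hits answered in the earlier reply, and the rkhunter /dev and hidden-file warnings answered in this one), added here as an example and not part of any post. It parses the tool output, then asks the RPM database whether each on-disk file is owned by an installed package and unmodified (`rpm -qf` and `rpm -Vf`, which exist on openSUSE), and marks anything under /dev as runtime data on a pseudo filesystem that should be matched to a process rather than to a package. The embedded sample output and the fake ownership map (package names included) are constructed for the offline demo; real runs use the rpm lookups.

```python
"""Triage 'hidden file' hits from chkrootkit and rkhunter against the RPM database.

Added example, not from the thread. Live lookups assume an RPM-based system such as
openSUSE; demo() swaps in a constructed fake package map so it runs anywhere.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample output, modelled on the lines quoted in the thread.
SAMPLE_CHKROOTKIT = (
    "Searching for suspicious files and dirs, it may take a while...\n"
    "/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Parser/.packlist "
    "/usr/lib/perl5/5.10.0/i586-linux-thread-multi/.packlist\n"
)
SAMPLE_RKHUNTER = (
    "[20:43:50] Warning: Suspicious file types found in /dev:\n"
    "[20:43:50] /dev/shm/pulse-shm-3921141793: data\n"
    "[20:43:50] /dev/shm/sysconfig/config-wlan0: ASCII text\n"
    "[20:43:50] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data\n"
)

TS_PREFIX = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s*")
HIDDEN_FILE = re.compile(r"Hidden file found:\s*(/[^\s:]+)")


def extract_paths(text: str) -> List[str]:
    """Return the absolute paths a chkrootkit or rkhunter run flagged, in order, deduplicated.

    chkrootkit prints its hits space-separated on one long line; rkhunter prints
    '[time] PATH: filetype' lines plus 'Warning: Hidden file found: PATH: ...' lines.
    """
    found: List[str] = []
    for raw in text.splitlines():
        line = TS_PREFIX.sub("", raw).strip()
        if line.startswith(("Warning:", "Info:")):
            m = HIDDEN_FILE.search(line)
            if m:
                found.append(m.group(1))
            continue  # other Warning/Info lines are section headers, not file hits
        for token in line.split():
            if token.startswith("/"):
                found.append(token.rstrip(":"))
    return list(dict.fromkeys(found))  # dedupe while keeping order


def rpm_owner(path: str) -> Optional[str]:
    """Name of the installed package that shipped `path`, or None if nothing owns it."""
    r = subprocess.run(["rpm", "-qf", "--queryformat", "%{NAME}\n", path],
                       capture_output=True, text=True)
    if r.returncode != 0:
        return None
    return r.stdout.strip() or None


def rpm_modified(path: str) -> bool:
    """True if `rpm -Vf` lists `path` as differing from what its package installed."""
    r = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return any(line.endswith(" " + path) for line in r.stdout.splitlines())


def triage(paths: List[str],
           owner_of: Callable[[str], Optional[str]] = rpm_owner,
           is_modified: Callable[[str], bool] = rpm_modified) -> Dict[str, Tuple[str, str]]:
    """Map each flagged path to a (verdict, reason) pair."""
    verdicts: Dict[str, Tuple[str, str]] = {}
    for path in paths:
        if path.startswith("/dev/"):
            # /dev (and /dev/shm under it) is a mounted pseudo filesystem: nothing here
            # comes from a package, so ownership is the wrong question. Match the file
            # to the running process that created it instead.
            verdicts[path] = ("runtime", "lives on a tmpfs/devtmpfs mount, not on disk; "
                                         "identify the process that created it")
            continue
        owner = owner_of(path)
        if owner is None:
            verdicts[path] = ("investigate", "no installed package owns this file")
        elif is_modified(path):
            verdicts[path] = ("investigate", f"owned by {owner} but differs from the packaged copy")
        else:
            kind = "Perl module install manifest" if path.endswith("/.packlist") else "hidden file"
            verdicts[path] = ("benign", f"{kind} owned by {owner}, unmodified")
    return verdicts


# Constructed fake ownership map for the offline demo (package names are made up);
# real runs pass rpm_owner / rpm_modified, the defaults of triage().
FAKE_OWNERS = {
    "/usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Parser/.packlist": "perl-XML-Parser",
    "/usr/lib/perl5/5.10.0/i586-linux-thread-multi/.packlist": "perl",
    "/usr/share/man/man5/.k5login.5.gz": "krb5-doc",
}


def demo() -> Dict[str, Tuple[str, str]]:
    """Run parser and triage over the constructed samples with the fake package map."""
    paths = extract_paths(SAMPLE_CHKROOTKIT + SAMPLE_RKHUNTER)
    return triage(paths, owner_of=FAKE_OWNERS.get, is_modified=lambda _p: False)


if __name__ == "__main__":
    for p, (verdict, why) in demo().items():
        print(f"{verdict:11} {p}\n            {why}")
```

On a real openSUSE box, feed the saved chkrootkit or rkhunter log to `extract_paths` and call `triage` with its defaults; a file that no package owns, or that `rpm -Vf` reports as changed, is the case worth spending time on, while an unmodified packaged dotfile is the same "look at it yourself, it's plain text" outcome the replies above describe.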