Which to trust: chkrootkit or rkhunter?
Paul W. Frields
stickster at gmail.com
Thu Jun 7 17:44:30 UTC 2012
On Thu, Jun 07, 2012 at 03:16:09PM +0000, Beartooth wrote:
>
> One tells me, on several machines, that /sbin/init is infected
> with the Suckit rootkit; the other says not. Is there a way to tell
> whether I'm seeing a false positive or a false negative?
>
> Fwiw, this result occurs both on an F16 machine, and on an f17
> one with a fresh install. (Both are fully updated.)
If you do an 'rpm -V systemd' and you don't see any result for
/sbin/init or /lib/systemd/systemd, my bet would be false positive.
-V means verify: compares the checksums of the files belonging to that
package with what's registered in the RPM database, and alerts for
changes ("5" in the output IIRC).
--
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
The open source story continues to grow: http://opensource.com
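A small script added here as an example (not part of Paul's reply or of rpm itself) that decodes `rpm -V` output the way his answer describes and applies his "any result for the init binaries?" check. It assumes the rpm 4.6+ column layout (nine attribute letters SM5DLUGTP, an optional file-type letter, then the path) and runs on constructed sample output so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes `rpm -V` lines and applies the
# check from the reply above. Assumed layout (rpm 4.6+): a 9-letter attribute
# column (SM5DLUGTP, "." = unchanged, or the word "missing"), an optional
# file type letter (c, d, g, l, r), then the path (paths with spaces unsupported).

# Turn an attribute column like "S.5....T." into "size digest mtime".
decode_rpm_flags() {
    [ "$1" = missing ] && { echo "file missing"; return; }
    flags=$1; reasons=""
    while [ -n "$flags" ]; do
        ch=${flags%"${flags#?}"}     # first character
        flags=${flags#?}             # drop it
        case "$ch" in
            S) reasons="$reasons size" ;;    M) reasons="$reasons mode" ;;
            5) reasons="$reasons digest" ;;  D) reasons="$reasons device" ;;
            L) reasons="$reasons symlink" ;; U) reasons="$reasons user" ;;
            G) reasons="$reasons group" ;;   T) reasons="$reasons mtime" ;;
            P) reasons="$reasons caps" ;;
        esac
    done
    echo "${reasons# }"
}

# stdin: rpm -V output. Prints "<path> <reasons>" for files whose checksum
# ("5") differs from the RPM database, or that are missing.
digest_mismatches() {
    while read -r attrs rest; do
        case "$attrs" in
            *5*|missing) echo "${rest##* } $(decode_rpm_flags "$attrs")" ;;
        esac
    done
}

# stdin: rpm -V output. Paul's heuristic: succeed (clean) only if no line at
# all mentions /sbin/init or /lib/systemd/systemd.
init_binaries_clean() {
    while read -r attrs rest; do
        case "${rest##* }" in /sbin/init|/lib/systemd/systemd) return 1 ;; esac
    done
    return 0
}
# Constructed sample output (not from a real system). On a live box:
#   rpm -V systemd | digest_mismatches;  rpm -V systemd | init_binaries_clean
SAMPLE_CLEAN='S.5....T.  c /etc/systemd/system.conf
missing     /usr/share/doc/systemd/README'
SAMPLE_TAMPERED="$SAMPLE_CLEAN
S.5....T.    /sbin/init"
printf '%s\n' "$SAMPLE_TAMPERED" | init_binaries_clean || echo "init binary changed: investigate"
```

A changed config file (the "c" line) is normal after local edits; a "5" on a binary such as /sbin/init is what the reply says to look for.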