Possible rootkit: Xzibit Rootkit ????

[furquan]

I installed the latest "Rkhunter 1.3.6 ", but according the Chirpy from "Configserver" he says that the "It does appear to currently throw a false-positive on CentOS v4.8 systems, but you should check this:Possible rootkit: Xzibit Rootkit"

What does this mean, Should we ignore it or do we have to do something about it, coz my server never reported any rootkit on the server prior to 1.3.6 ver.

Some one Please assist.

Thank you

[Bailey]

Try installing & running chkrootkit and see if that picks it up as well.

The best thing to do is to try to verify if it exists by using multiple resources to try to find it. If only rkhunter detects it, and chirpy (who is very respected in terms of server management) is advising it could be a false-positive in rkhunter, then it may be safe to ignore it.

I say "may be" because there is the remote possibility, of course, the rootkit does indeed exist. So I say "may be safe to ignore it" implying that it's ultimately 100% your decision, and you have to decide what is acceptable risk for yourself.

Sorry it's not more cut-and-dry.

Bailey

[furquan]

Thank you so very much for the response

I do have chkrootkit installed on my servers and they do not report anything amiss.

All they say is "nothing infected" or "not found".

I hope things are ok.

[ramprage]

You should be good to go then.

[miahac]

If you look at your /var/log/rkhunter.log you will see something like this.

Found string 'hdparm' in file '/etc/rc.d/init.d/vmware-tools'. Possible rootkit: Xzibit Rootkit

which for me is a false positive ... whew

[furquan]

Well i found this :

" Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit"

What does this mean ? am i clean ?