# rkhunter found some suspicious files

## juniper

I don't think it is a big deal, but it had warnings on the following files:

/etc/.udev (hidden file in /etc)

/etc/.java (hidden file in /etc/; it was really old, I just deleted it).

/usr/bin/ldd (complains that this is a BASH script)

/usr/bin/whatis (complains it is a BASH script)

/usr/bin/lwp-request (complains it is a python script)

I lessed those files, and they look reasonable, but I am not a programmer so I don't know what to look for. If someone else has those files, are they also scripts on your machine?

----------

## avx

*Quote:*

> /usr/bin/ldd (complains that this is a BASH script)
>
> /usr/bin/whatis (complains it is a BASH script)

For me too.

*Quote:*

> /usr/bin/lwp-request (complains it is a python script)

For me, this is a Perl script:

```
[ph030@hikaru][~] equery b lwp-request
[ Searching for file(s) lwp-request in *... ]
dev-perl/libwww-perl-5.825 (/usr/bin/lwp-request)
```

Which rkhunter-version do you have?

----------

## juniper

```
[I] app-forensics/rkhunter
     Available versions:  1.2.7-r1 (~)1.2.8 1.2.9 1.2.9-r1 (~)1.3.4-r1 (~)1.3.4-r2 {bash-completion}
     Installed versions:  1.3.4-r2(12:48:34 PM 08/04/09)(bash-completion)
     Homepage:            http://rkhunter.sf.net/
     Description:         Rootkit Hunter scans for known and unknown rootkits, backdoors, and sniffers.
```

----------

## avx

Just let it run here, same version, and it gives the same warnings as for you. Additionally, I get a warning:

```
[15:03:13]   Checking system startup files for malware       [ Warning ]
[15:03:13] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit
```

Grepping the said file for `hidef` gives:

```
   local hidefirstroute=false first=true
         hidefirstroute=true
      if ${hidefirstroute}; then
         hidefirstroute=false
```

----------

## juniper

Hmm, I don't get the error that you mentioned.

----------

## avx

Strange, the file is from openrc-0.4.2-r1; downloading that tarball and looking up the file reveals no difference. So that's most probably a naming "failure" of the function.

----------
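
The `hidef` warning discussed above, reproduced as an added example (this is editorial code, not from the thread and not rkhunter's own code). It assumes rkhunter matches the rootkit string as a plain substring, which is what the "Found string 'hidef'" warning text suggests. The two input files are constructed inline: one holds the four `net.lo` lines avx's grep returned, the other a made-up line in which `hidef` appears standalone, so the reader can see the difference between a string embedded in the identifier `hidefirstroute` and a string that would deserve a closer look.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter): reproduce the 'hidef'
# hit on /etc/init.d/net.lo and show why it is a false positive. Assumption:
# rkhunter's startup-file check is a plain substring search for strings tied
# to known rootkits ('hidef' is attributed to Knark); in net.lo the only
# occurrences sit inside the shell variable name 'hidefirstroute'.

# Constructed sample: the lines avx's grep returned from /etc/init.d/net.lo.
SAMPLE_NETLO='   local hidefirstroute=false first=true
         hidefirstroute=true
      if ${hidefirstroute}; then
         hidefirstroute=false'

# Constructed sample of what a genuine hit would look like: the string standing
# alone as a command name rather than as part of a longer identifier.
SAMPLE_BAD='#!/bin/sh
/usr/lib/.hidden/hidef /etc/init.d/net.lo'

# Number of lines containing the string anywhere (the substring test).
substring_hits() {
    # $1 = string, $2 = file. grep -c prints 0 and exits 1 when nothing matches.
    grep -c -- "$1" "$2" || true
}

# Number of lines containing the string as a whole word.
word_hits() {
    grep -c -w -- "$1" "$2" || true
}

# The identifiers that actually contain the string, one per line, so the
# reader can see what the substring match hit (e.g. 'hidefirstroute').
identifiers_containing() {
    grep -o -- "[A-Za-z0-9_]*$1[A-Za-z0-9_]*" "$2" | sort -u
}

# Classify a hit:
#   clean          - the string does not occur at all
#   false-positive - every occurrence is embedded in a longer identifier
#   suspicious     - the string occurs standalone and deserves a closer look
classify_hit() {
    raw=$(substring_hits "$1" "$2")
    word=$(word_hits "$1" "$2")
    if [ "$raw" -eq 0 ]; then
        echo clean
    elif [ "$word" -eq 0 ]; then
        echo false-positive
    else
        echo suspicious
    fi
}

# Write the constructed samples to temporary files and classify them.
NETLO=$(mktemp)
BAD=$(mktemp)
trap 'rm -f "$NETLO" "$BAD"' EXIT
printf '%s\n' "$SAMPLE_NETLO" > "$NETLO"
printf '%s\n' "$SAMPLE_BAD" > "$BAD"

for f in "$NETLO" "$BAD"; do
    echo "$f: substring lines=$(substring_hits hidef "$f")" \
         "word lines=$(word_hits hidef "$f")" \
         "identifiers=[$(identifiers_containing hidef "$f" | tr '\n' ' ')]" \
         "verdict=$(classify_hit hidef "$f")"
done
```

The word-boundary check only explains the hit; it does not prove the file is untouched. The follow-up a practitioner would do is the one avx did by hand with the openrc tarball: compare the flagged file against what the package manager installed (on Gentoo, `equery check <package>` compares installed files with their recorded checksums). Only after that does it make sense to silence the warning in `rkhunter.conf`, for instance with `SCRIPTWHITELIST` for `/usr/bin/ldd`, `/usr/bin/whatis` and `/usr/bin/lwp-request`, and `ALLOWHIDDENDIR` or `ALLOWHIDDENFILE` for the `/etc/.udev` and `/etc/.java` entries.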

## juniper

*ph030 wrote:*

> Strange, the file is from openrc-0.4.2-r1; downloading that tarball and looking up the file reveals no difference. So that's most probably a naming "failure" of the function.

 

Weird, I don't have openrc installed at all. `equery belongs` says my /etc/init.d/net.lo is from baselayout 1.12.11.1.

----------

