# rkhunter-1.3.6 giving spurious warning?

## Fred Krogh

 *Quote:*   

> [06:52:37] Warning: Found string '/usr/bin/.etc' in file '/etc/init.d/net.lo'. Possible rootkit: Dica-Kit Rootkit

 

But there is no such string in /etc/init.d/net.lo, it doesn't even contain the string "etc".  This warning just appeared after the update to 1.3.6.  Any ideas as to what is going on?  Thanks,

Fred

----------

## boris64

Same problem here, looks like a false positive to me.

I get some additional warnings that sound a little bit stupid.

```

[13:14:08] Warning: Checking for possible rootkit strings    [ Warning ]

[13:14:08]          Found string 'hdparm' in file '/etc/init.d/pciparm'. Possible rootkit: Xzibit Rootkit

[13:14:08]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit

```

Well yes, the hdparm init script should contain "hdparm", right?

 :Very Happy: 

----------

## Fred Krogh

I had those flagged for the first time as well.  Those you can get rid of my editing /etc/rkhunter.conf.  Add

 *Quote:*   

> USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
> 
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"
> 
> RTKT_FILE_WHITELIST="/etc/init.d/pciparm /etc/init.d/hdparm"

 There was an earlier post on this that I would have pointed to, but for some reason a search on rkhunter is not showing any of the recent posts.

----------

## boris64

Ah, thank you.

Well now we've still this magical and 

invisible ".etc" that only rkhunter is able to see.

----------

## PraetorZero

Did you ever find a solution to this?  I've been ignoring that particular warning since, like you, my net.lo doesn't contain that string.

----------

## Fred Krogh

No, I'm still just ignoring the warning.

----------

## spikyatlinux

I´ve modified

 *Quote:*   

> USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
> 
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"
> 
> RTKT_FILE_WHITELIST="/etc/init.d/pciparm /etc/init.d/hdparm"

 

to

 *Quote:*   

> USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
> 
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"
> 
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/net.lo"
> ...

 

This solved  *Quote:*   

> Warning: Found string '/usr/bin/.etc' in file '/etc/init.d/net.lo'. Possible rootkit: Dica-Kit Rootkit

 

----------

