9

I am receiving the following errors from rkhunter. I have recently upgraded my server from lenny to squeeze and this may have caused the problem. How do I fix this or hide the error messages?

Warning: The modules file '/proc/modules' is missing.
Warning: Suspicious file types found in /dev:
         /dev/shm/network/ifstate: ASCII text
Warning: Hidden directory found: /dev/.udev

I also now get a second email: Please inspect this machine, because it may be infected. Please can anybody point me in the right direction to find the cause of these errors?

John Magnolia

1 Answer

14

First of all, they are only warnings, not errors.

Warning: The modules file '/proc/modules' is missing.

rkhunter is trying to check the kernel modules, but it cannot because the file /proc/modules doesn't exist. You can disable the test by changing the below line:

DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps" 

to:

DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps os_specific" 

About the second warning:

Warning: Suspicious file types found in /dev:
         /dev/shm/network/ifstate: ASCII text

If /dev/shm/network/ifstate is a known good file, you can white-list it by adding the following line in /etc/rkhunter.conf:

ALLOWDEVFILE=/dev/shm/network/ifstate

About the third line:

Warning: Hidden directory found: /dev/.udev

Similar to above, to avoid this warning, you can reconfigure rkhunter to ignore this directory:

ALLOWHIDDENDIR=/dev/.udev

quanta
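The three configuration changes from the answer above, applied idempotently to a scratch copy of rkhunter.conf, as an added example that is not part of the original answer. The function names and sample files are constructed, and the `iface=iface` line format used to sanity-check the ifstate file before allowlisting it is an assumption about ifupdown's state file.

```sh
#!/bin/sh
# Added example; function names and sample files are constructed.

# Succeed only if $1 is a regular, non-symlink file whose every line has the
# form "iface=iface" (assumed format of ifupdown's ifstate file).
ifstate_looks_sane() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    ! grep -Evq '^[A-Za-z0-9_.:-]+=[A-Za-z0-9_.:-]+$' "$1"
}

# Append "KEY=VALUE" ($2=$3) to config file $1 unless that line already exists.
add_directive() {
    grep -Fxq "$2=$3" "$1" || printf '%s=%s\n' "$2" "$3" >> "$1"
}

# Add test name $2 to the DISABLE_TESTS="..." line of $1 if it is not listed.
disable_test() {
    grep -Eq "^DISABLE_TESTS=\"([^\"]* )?$2( [^\"]*)?\"" "$1" && return 0
    grep -q '^DISABLE_TESTS="' "$1" || return 1   # no such line: change nothing
    sed "s/^DISABLE_TESTS=\"\([^\"]*\)\"/DISABLE_TESTS=\"\1 $2\"/" "$1" > "$1.tmp" &&
        cat "$1.tmp" > "$1" && rm -f "$1.tmp"     # cat keeps owner and mode
}

# Run all three changes against constructed stand-ins in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    conf=$dir/rkhunter.conf
    printf 'DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"\n' > "$conf"
    printf 'lo=lo\neth0=eth0\n' > "$dir/ifstate"  # stands in for /dev/shm/network/ifstate

    disable_test "$conf" os_specific
    if ifstate_looks_sane "$dir/ifstate"; then    # allowlist only after the check
        add_directive "$conf" ALLOWDEVFILE /dev/shm/network/ifstate
    else
        echo "ifstate has unexpected content; not allowlisting" >&2
    fi
    add_directive "$conf" ALLOWHIDDENDIR /dev/.udev
    cat "$conf"
    rm -rf "$dir"
}
demo
```

Running the functions a second time leaves the file unchanged, so they can sit in a provisioning script without stacking duplicate directives.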