Rule 510 - Host-based anomaly detection event (rootcheck).

Kalimari · **Posted:** Fri Jul 13, 2012 4:35 am

Updated to CentOS release 6.3 yesterday evening and ran/propupd rkhunter. This morning received an ASL notification:

Code:

Trojaned version of file `/proc/1/maps` detected. Signature used: `init.` (Suckit rootkit).

First thought, this is a false positive due to CentOS update, but as file is not owned by any package wanted to check publicly before submitting. Have re-run rkhunter and it found nothing. Anyone else seen this?

mikeshinn · **Posted:** Fri Jul 13, 2012 9:31 am

Can you send us the file?

Kalimari · **Posted:** Fri Jul 13, 2012 11:00 am

mikeshinn wrote:

Can you send us the file?

As in submit it as false-positive?

mikeshinn · **Posted:** Fri Jul 13, 2012 10:08 pm

Yes. Zip/Tar/whatever it up, and put a password on it (and of course, send us the password so we can open it). Otherwise, if it is malware, it might get stopped on the way by email scanners.

Kalimari · **Posted:** Sat Jul 14, 2012 5:39 am

All done

mikeshinn · **Posted:** Sat Jul 14, 2012 6:25 pm

Its a false positive alright, we'll get an update out Monday for it.

Kalimari · **Posted:** Sun Jul 15, 2012 6:33 am

Great! Thanks for update.

Rule 510 - Host-based anomaly detection event (rootcheck).

Who is online