
Interview with Rootkit Hunter author Michael Boelen


Posted Oct 8, 2004 1:05 UTC (Fri) by accensi (guest, #11754)
Parent article: Interview with Rootkit Hunter author Michael Boelen

Speaking of rootkits, seen today on the ROX devel list:

> When I run chkrootkit, I see some problems, here they are :
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/apps/AbiWord/.DirIcon /usr/lib/apps/Emacs/.DirIcon
> /usr/lib/apps/GMix/.DirIcon /usr/lib/apps/GQView/.DirIcon
...
> /usr/lib/apps/Mandrake/Système/Terminaux/.DirIcon
> /usr/lib/apps/Mandrake/Système/Terminaux/Eterm/.DirIcon
> /usr/lib/apps/Mandrake/Système/Terminaux/X Term/.DirIcon
>
> As you can see, .DirIcon files are considered by chkrootkit as suspicious.
> After a little search I found that these files are from the Rox RPM
> package, so I am reporting what I believe as a bug. As .DirIcon files are
> PNG pictures, why are they not in "file.png" format?

Actually they are not necessarily .png files. They can be anything supported by gtk2's image loader (svg, xpm, jpeg, ...). Therefore adding a .png extension would be misleading in many cases.

The question is why does chkrootkit think they are suspicious?

!?!



chkrootkit

Posted Oct 20, 2004 9:28 UTC (Wed) by mmacok (guest, #20088)

Maybe all "hidden" files (name starting with a dot) in /usr are suspicious? (my guess)
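The guess above is easy to reproduce and, more usefully, to triage. The following Python script is an added example and is neither chkrootkit's code nor part of either comment: it walks a tree and flags every file or directory whose name starts with a dot (the heuristic the comment guesses), then separates hits whose basename is on a small allowlist of names known to be shipped by installed packages (here only `.DirIcon`, an assumption for the example) from the rest, which are the ones worth a closer look. The directory layout it scans is constructed inside a temporary directory to mirror the quoted list, with one extra hidden directory that the allowlist does not explain.

```python
"""Hidden-entry scan under a directory tree, in the spirit of chkrootkit's
"suspicious files and dirs" check, plus a triage step that separates hits
explained by known package contents from unexplained ones.
Added example; not chkrootkit's implementation."""
import os
import tempfile
from pathlib import Path

# Assumption for this example: the only hidden name that packages on this
# box are expected to ship is the ROX application icon, .DirIcon.
KNOWN_BENIGN_NAMES = {".DirIcon"}


def find_hidden_entries(root):
    """Return the sorted paths of every file or directory under root whose
    basename starts with a dot (the heuristic guessed in the comment)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith("."):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def triage(paths, benign_names=KNOWN_BENIGN_NAMES):
    """Split hits into (explained, unexplained) by basename allowlist."""
    explained, unexplained = [], []
    for path in paths:
        bucket = explained if os.path.basename(path) in benign_names else unexplained
        bucket.append(path)
    return explained, unexplained


def build_sample_tree(base):
    """Constructed layout echoing the quoted chkrootkit output: several
    packaged .DirIcon files, one visible file that must not be flagged, and
    one hidden directory that no allowlist entry explains."""
    layout = [
        "usr/lib/apps/AbiWord/.DirIcon",
        "usr/lib/apps/Emacs/.DirIcon",
        "usr/lib/apps/Mandrake/Terminaux/X Term/.DirIcon",  # space in path
        "usr/lib/apps/Emacs/AppRun",                        # visible, not a hit
        "usr/lib/.stray/notes.txt",                         # hidden dir, unexplained
    ]
    for rel in layout:
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        # .DirIcon files get a PNG signature so the sample looks like real icons.
        content = b"\x89PNG\r\n\x1a\n" if rel.endswith(".DirIcon") else b""
        target.write_bytes(content)
    return base


def scan_sample():
    """Build the constructed tree in a temp dir, scan it, and return
    (total hits, explained hits, basenames of unexplained hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_hidden_entries(os.path.join(tmp, "usr"))
        explained, unexplained = triage(hits)
        return len(hits), len(explained), [os.path.basename(p) for p in unexplained]


if __name__ == "__main__":
    total, ok, leftover = scan_sample()
    print(f"{total} hidden entries, {ok} explained by packages, unexplained: {leftover}")
```

The allowlist is a deliberate simplification; on an RPM-based system the stronger check is to ask the package database whether each hit belongs to an installed package (`rpm -qf <path>`) and to verify that package's file digests, since a name match alone says nothing about whether the file's contents are still what the package installed.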


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds