I believe this is a false-positive, check the contents of this file
2006/8/8, Andrew Nelson <freeandy@xxxxxxxxx>:
>
> I've just installed ossec-hid and recieved the following message.
>
> """
> OSSEC HIDS Notification.
> 2006 Aug 08 09:30:38
>
> Received From: compdeandy->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/.static/dev/null"' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2006 Aug 08 09:30:38
>
> Received From: compdeandy->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/.static/dev/null0' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
> """
>
> I've done some searching around and it appears that maybe this file
> installed by udev. Does anyone know if this indicates an actual
> rootkit or if this is a false positive?
>
> //andy
>
>
> --
> No trees were killed in the sending of this message. However a large
> number of electrons were terribly inconvenienced
>
--
Certified LPIC -1
http://www.underlinux.com.br
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)