RootKit Hunter Warnings on Mac OS X

These warnings can be quite benign. Passwd, group and syslog changes can be quite normal in the usage of the system, for example, adding users and groups.

The hidden file is part of the Man packages, so I wouldn't worry too much as Man uses a lot of compressed files in gz format.

Bottom line is, even if you ignore them, how can you be sure they are not dangerous? You need a complete understanding of the output to interpret it.

Imagine someone setting up a complex IDS but with no idea of how to interpret the logs. That is the biggest danger.
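An added example, written for this page and not taken from either answer or from rkhunter itself, of the follow-up the first answer implies: diffing a saved baseline of /etc/passwd against the current file so that an ordinary new account (benign, as described above) can be told apart from a change that deserves a closer look. Both passwd snapshots are constructed sample data, not real system files.

```python
# Added example (not from the original thread or from rkhunter):
# compare a baseline copy of /etc/passwd with the current one, the way a
# "passwd file changed" warning should be followed up. A new ordinary
# account is reported as benign; a new UID-0 account, or an existing
# account whose UID/GID/shell changed, is reported for review.
# Both snapshots are constructed sample data.

BASELINE_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
alice:*:501:20:Alice:/Users/alice:/bin/bash
"""

CURRENT_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
alice:*:501:20:Alice:/Users/alice:/bin/bash
bob:*:502:20:Bob:/Users/bob:/bin/zsh
"""

def parse_passwd(text):
    """Map login name -> (uid, gid, shell); skips blank, comment, malformed lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: ignore rather than crash
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = (int(uid), int(gid), shell)
    return users

def classify_changes(baseline_text, current_text):
    """Return {"benign": [...], "review": [...]} describing the differences."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    benign, review = [], []
    for name in sorted(set(new) - set(old)):      # accounts added since baseline
        uid, _gid, shell = new[name]
        if uid == 0:
            review.append(f"new UID-0 account {name} ({shell})")
        else:
            benign.append(f"new account {name} (uid {uid})")
    for name in sorted(set(old) - set(new)):      # accounts removed
        benign.append(f"removed account {name}")
    for name in sorted(set(old) & set(new)):      # existing accounts altered
        if old[name] != new[name]:
            review.append(f"{name} changed from {old[name]} to {new[name]}")
    return {"benign": benign, "review": review}
```

Running `classify_changes(BASELINE_PASSWD, CURRENT_PASSWD)` on the sample data reports only the added user bob as benign and nothing for review.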


rkhunter tends to produce a lot of false positives. Better safe than sorry for a server, but frustrating and confusing for the average computer user.

I don't mean to be cavalier, but unless you are using your laptop in some pretty unusual ways, it's exceedingly unlikely that you have a rootkit on it. So my answer is "Yes, ignore it." Frankly, I wouldn't use rkhunter at all on a laptop - assuming the laptop gets normal laptop use (so to speak) and isn't a server on the weekends or a peer-to-peer hub. (I would, however, check the firewall settings, practice safe browsing, be careful about files from other people, etc.)