On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
I let rkhunter run about once a week. There was nothing for many months. But today its report complains about */lib64/libkeyutils.so.1.9* and therefore about other tools that (seem to be) using this SO.
... No, those libraries are used for key manipulation, that's why rkhunter thinks that they might be a sniffer.
In this particular case the filename was apparently used by a rootkit in 2013 and it was blacklisted. Now the legitimate owner of the libkeyutils filenames has reached the blacklisted version number. I don't know which of the two possibilities it is in your case.

https://bugs.archlinux.org/task/63369
https://www.webhostingtalk.com/showthread.php?t=1235797
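
One way to tell the two possibilities apart on the affected machine, as an added example that is not part of the original thread: ask pacman which package owns the flagged file and whether it still matches the package's recorded file properties. The function name `check_flagged_file` is hypothetical; the script assumes an Arch Linux system with `pacman` installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage a file that rkhunter flagged
# by name, using the local pacman database.

# Return codes: 0 = owned by a package and not reported as altered,
#               1 = owned, but pacman reports it as altered or missing,
#               2 = not owned by any installed package.
check_flagged_file() {
    local path=$1 real pkg report

    # /lib64 is a symlink to /usr/lib on Arch; resolve it when possible.
    real=$(readlink -f "$path" 2>/dev/null) || real=$path
    [ -n "$real" ] || real=$path

    # -Qqo prints only the name of the package that owns the file.
    if ! pkg=$(pacman -Qqo "$real" 2>/dev/null) || [ -z "$pkg" ]; then
        echo "UNOWNED $real"
        return 2
    fi

    # -Qkk compares installed files with the package's mtree data
    # (permissions, size, modification time); mismatches name the file.
    report=$(pacman -Qkk "$pkg" 2>&1 || true)
    if printf '%s\n' "$report" | grep -qF "$real"; then
        echo "ALTERED $real ($pkg)"
        return 1
    fi

    echo "OK $real ($pkg)"
    return 0
}

# Usage: ./check.sh /lib64/libkeyutils.so.1.9
if [ "$#" -gt 0 ]; then
    check_flagged_file "$1"
fi
```

An `OK` result only says the file agrees with the local package database, which an intruder with root could also have changed; comparing the file against a freshly downloaded keyutils package from a trusted machine is the stronger check.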