On 8/20/19 5:58 AM, Oliver Jaksch via arch-general wrote:
On Tuesday, 20 August 2019, 10:15:58 CEST you wrote:
On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
I let rkhunter run around once a week. There was nothing for many months. But today its report complains about */lib64/libkeyutils.so.1.9* and therefore other tools that are (seemingly) using this SO.
...
No, those libraries are used for key manipulation, that's why rkhunter thinks that they might be sniffers.
In this particular case the filename was apparently used by a rootkit in 2013 and it was blacklisted. Now the legitimate owner of the libkeyutils filenames has reached the blacklisted version number. I don't know which of the two possibilities it is in your case.
https://bugs.archlinux.org/task/63369
https://www.webhostingtalk.com/showthread.php?t=1235797
Thanks to all. I think the URLs Filipe has posted are the most expressive part. Let's hope that this really is a false alarm coming from the past.

- Oliver
If you're in doubt, you can also try chkrootkit. When dealing with potential false positives, it sometimes helps to try more than one tool.

--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
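
Added example, not part of the original thread: one way to tell apart the two possibilities raised above (a package-owned libkeyutils versus a stray file carrying the blacklisted name) is to ask pacman which package owns the flagged path and whether the file still matches the package's recorded metadata. The function name and the `PACMAN` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage a file flagged by rkhunter
# against pacman's local package database.
# PACMAN is an assumed override hook so the logic can be exercised with a stub.
PACMAN=${PACMAN:-pacman}

# Prints a verdict and returns:
#   0 matches:<pkg>   file is owned by <pkg> and pacman reports no change
#   1 altered:<pkg>   file is owned by <pkg> but differs from its metadata
#   2 unowned         no installed package owns the file
#   3 no-pacman       pacman is not available on this host
triage_flagged_file() {
    path=$1
    if ! command -v "$PACMAN" >/dev/null 2>&1; then
        echo "no-pacman"; return 3
    fi
    # -Qqo prints only the name of the installed package owning the file.
    pkg=$("$PACMAN" -Qqo "$path" 2>/dev/null) || pkg=""
    if [ -z "$pkg" ]; then
        echo "unowned"; return 2
    fi
    # -Qkk compares the package's files with its mtree metadata
    # (permissions, file sizes, modification times); each warning names
    # the affected file as "<path> (<reason>)".
    report=$("$PACMAN" -Qkk "$pkg" 2>&1) || true
    if printf '%s\n' "$report" | grep -qF -- "/${path##*/} ("; then
        echo "altered:$pkg"; return 1
    fi
    echo "matches:$pkg"; return 0
}

# Usage: sh triage.sh /lib64/libkeyutils.so.1.9
if [ "$#" -gt 0 ]; then
    triage_flagged_file "$1"
fi
```

The package database consulted here lives on the same host, so on a machine that may be compromised this is a triage step rather than proof.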