I let rkhunter running around once a week. There were nothing since many months. But today it's report complains about */lib64/libkeyutils.so.1.9* and therefore other tools they're (seems to be) using this SO. The SO matches the one from 'core/keyutils 1.6.1-1' in size and hash. I've uploaded the SO to some "we scan it all" AV sites, but none of them found anything. Should I/we be worried? Anything else I can do? Or is this a false alarm and the warnings are somewhat okay because of the package's nature ("Linux Key Management Utilities")?
Warning: Checking for possible rootkit files and directories [ Warning ] Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files: Command: (sd-pam) UID: 1001 PID: 944 Pathname: Possible Rootkit: Spam tool component Command: NetworkManager UID: 0 PID: 381 Pathname: Possible Rootkit: Spam tool component Command: NetworkManager UID: 385 PID: 381 Pathname: 3166425 Possible Rootkit: Spam tool component Command: NetworkManager UID: 387 PID: 381 Pathname: 3166425 Possible Rootkit: Spam tool component Command: Xorg UID: 0 PID: 512 Pathname: Possible Rootkit: Spam tool component [...]