On Tue, 2019-08-20 at 10:15 +0200, ProgAndy wrote:
On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
I let rkhunter run about once a week. There has been nothing for many months. But today its report complains about */lib64/libkeyutils.so.1.9* and therefore other tools that (seem to) use this SO.
... No, those libraries are used for key manipulation, that's why rkhunter thinks that they might be sniffers.
In this particular case the filename was apparently used by a rootkit in 2013 and it was blacklisted. Now the legitimate owner of the libkeyutils filenames has reached the blacklisted version number. I don't know which of the two possibilities it is in your case.
https://bugs.archlinux.org/task/63369
https://www.webhostingtalk.com/showthread.php?t=1235797
The sources are pulled from [1] and signed by David Howells (Red Hat), so I am pretty inclined to trust them. I did not, however, inspect the sources myself, so I can't give any guarantees.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git

Thanks,
Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
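One way to tell the two possibilities in the thread apart on an Arch system, as an added example that is not part of the original messages: compare the flagged file with the copy inside the cached package that pacman says owns it. The function name, the `CACHE_DIR` and `EXTRACT` variables and the verdict strings are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: decide whether a file flagged by name is the packaged one.
# Assumptions: Arch Linux with pacman; the package is still in pacman's cache.
CACHE_DIR=${CACHE_DIR:-/var/cache/pacman/pkg}   # pacman's default cache
EXTRACT=${EXTRACT:-bsdtar}                      # bsdtar ships with libarchive

# Prints one verdict line; returns 0 only when the on-disk file is
# byte-identical to the copy inside the cached package archive.
triage_flagged_file() {
    local real pkg ver archive on_disk packaged
    real=$(readlink -f -- "$1") && [ -f "$real" ] || { echo "missing"; return 2; }

    # Which installed package claims this path? None at all is a red flag.
    pkg=$(pacman -Qqo "$real" 2>/dev/null) || { echo "unowned"; return 1; }
    ver=$(pacman -Q "$pkg" | awk '{print $2}')

    # Locate the cached archive for exactly that version (skip .sig files).
    archive=$(find "$CACHE_DIR" -maxdepth 1 -name "$pkg-$ver-*.pkg.tar.*" \
                  ! -name '*.sig' 2>/dev/null | head -n 1)
    [ -n "$archive" ] || { echo "nocache $pkg $ver"; return 3; }

    # Hash the installed file and the archive member with the same path.
    on_disk=$(sha256sum < "$real" | cut -d' ' -f1)
    packaged=$("$EXTRACT" -xOf "$archive" "${real#/}" | sha256sum | cut -d' ' -f1)

    if [ "$on_disk" = "$packaged" ]; then
        echo "match $pkg $ver"
    else
        echo "mismatch $pkg $ver"; return 1
    fi
}

# Run directly, e.g.: ./triage.sh /lib64/libkeyutils.so.1.9
if [ "$#" -gt 0 ]; then triage_flagged_file "$1"; fi
```

The verdict is only as trustworthy as the local package database, cache and tools, so on a host that is actually suspect the same comparison belongs on clean boot media against a freshly downloaded, signature-checked package.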