[arch-general] rkhunter found possible rootkit

Filipe Laíns lains at archlinux.org
Tue Aug 20 08:00:24 UTC 2019 

On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
> I let rkhunter running around once a week. There were nothing since many 
> months. But today it's report complains about */lib64/libkeyutils.so.1.9* and 
> therefore other tools they're (seems to be) using this SO.
> 
> The SO matches the one from 'core/keyutils 1.6.1-1' in size and hash.
> I've uploaded the SO to some "we scan it all" AV sites, but none of them found 
> anything.
> 
> Should I/we be worried? Anything else I can do? Or is this a false alarm and 
> the warnings are somewhat okay because of the package's nature ("Linux Key 
> Management Utilities")?
> 
> 
> > Warning: Checking for possible rootkit files and directories [ Warning ]
> > Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component 
> > Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> > Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer 
> component
> > Found file '/usr/lib64/libkeyutils.so.1.9'. Possible
> > rootkit: Sniffer component
> > 
> > Warning: The following processes are using suspicious files:
> >          Command: (sd-pam)
> >            UID: 1001    PID: 944
> >            Pathname:
> >            Possible Rootkit: Spam tool component
> >          Command: NetworkManager
> >            UID: 0    PID: 381
> >            Pathname:
> >            Possible Rootkit: Spam tool component
> >          Command: NetworkManager
> >            UID: 385    PID: 381
> >            Pathname: 3166425
> >            Possible Rootkit: Spam tool component
> >          Command: NetworkManager
> >            UID: 387    PID: 381
> >            Pathname: 3166425
> >            Possible Rootkit: Spam tool component
> >          Command: Xorg
> >            UID: 0    PID: 512
> >            Pathname:
> >            Possible Rootkit: Spam tool component
> > [...]

No, those libraries are used for key manipulation, that's why rkhunter
thinks that they might be sniffer.

If you are worried you can check the sources.
https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/keyutils

Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20190820/b681e523/attachment.sig>

More information about the arch-general mailing list