[arch-general] rkhunter found possible rootkit

ProgAndy admin at progandy.de
Tue Aug 20 08:15:58 UTC 2019

Am 20.08.19 um 10:00 schrieb Filipe Laíns via arch-general:
> On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
>> I let rkhunter running around once a week. There were nothing since many 
>> months. But today it's report complains about */lib64/libkeyutils.so.1.9* and 
>> therefore other tools they're (seems to be) using this SO.
> No, those libraries are used for key manipulation, that's why rkhunter
> thinks that they might be sniffer.
In this particular case the filename was apparently used by a rootkit in
 2013 and it was blacklisted. Now the legitimate owner of the
libkeyutils filenames has reached the blacklisted version number. I
don't know which of the two possibilities it is in your case.


More information about the arch-general mailing list