[arch-general] rkhunter found possible rootkit
Filipe Laíns
lains at archlinux.org
Tue Aug 20 08:31:17 UTC 2019
On Tue, 2019-08-20 at 10:15 +0200, ProgAndy wrote:
> Am 20.08.19 um 10:00 schrieb Filipe Laíns via arch-general:
> > On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general
> > wrote:
> > > I let rkhunter running around once a week. There were nothing
> > > since many
> > > months. But today it's report complains about
> > > */lib64/libkeyutils.so.1.9* and
> > > therefore other tools they're (seems to be) using this SO.
> > >
> ...
> > No, those libraries are used for key manipulation, that's why
> > rkhunter
> > thinks that they might be sniffer.
> >
> In this particular case the filename was apparently used by a rootkit
> in
> 2013 and it was blacklisted. Now the legitimate owner of the
> libkeyutils filenames has reached the blacklisted version number. I
> don't know which of the two possibilities it is in your case.
>
> https://bugs.archlinux.org/task/63369
> https://www.webhostingtalk.com/showthread.php?t=1235797
The sources are pulled from [1] and signed by David Howells (Redhat) so
I am pretty inclined to trust them. I did not, however, inspect the
sources myself so I can give any guarantees.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
Thanks,
Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20190820/2f37148b/attachment.sig>
More information about the arch-general
mailing list