[arch-general] rkhunter found possible rootkit
bts at square-r00t.net
Tue Aug 20 16:20:30 UTC 2019
On 8/20/19 5:58 AM, Oliver Jaksch via arch-general wrote:
> On Tuesday, 20 August 2019, 10:15:58 CEST you wrote:
>> On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
>>> On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
>>>> I run rkhunter about once a week. There has been nothing for many
>>>> months. But today its report complains about */lib64/libkeyutils.so.1.9*
>>>> and therefore about other tools that are (or seem to be) using this SO.
>>> No, those libraries are used for key manipulation, that's why rkhunter
>>> thinks that they might be a sniffer.
>> In this particular case the filename was apparently used by a rootkit in
>> 2013 and it was blacklisted. Now the legitimate owner of the
>> libkeyutils filenames has reached the blacklisted version number. I
>> don't know which of the two possibilities it is in your case.
> Thanks to all. I think the URLs Filipe has posted are the most expressive
> part. Let's hope that this really is a false alarm coming from the past.
If you're in doubt, you can also try chkrootkit. When dealing with
potential false positives, it sometimes helps to try more than one tool.
GPG info: https://square-r00t.net/gpg-info
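The thread's point is that rkhunter matched the flagged file on its name alone (a blacklist entry from a 2013 rootkit that the legitimate libkeyutils has now caught up with). The script below is an added example, not code from the thread or from rkhunter, showing how an Arch user can triage such a warning with the package manager instead of a second scanner: for each path in the warning lines, ask pacman which package owns it and whether the installed files still match what the package database recorded at install time (`pacman -Qkk` checks size, mtime and the recorded sha256). The log lines in `SAMPLE_LOG` are constructed to look like rkhunter warnings; the exact rkhunter wording is assumed, and the path extraction only relies on absolute paths appearing in the line.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter "possible rootkit"
# warnings on Arch by checking package ownership and file integrity.

# Constructed sample of rkhunter-style warning lines (format is assumed).
SAMPLE_LOG='[16:00:01] Warning: Known rootkit file or directory found: /lib64/libkeyutils.so.1.9
[16:00:01] Warning: Suspicious file found: /usr/lib/libkeyutils.so.1.9
[16:00:02] Info: Checking for hidden processes ... none found'

# Pull every absolute path out of the warning lines on stdin, deduplicated.
flagged_paths() {
    grep 'Warning:' | grep -oE '/[A-Za-z0-9._/-]+' | sort -u
}

# For one path: which package owns it, and does that package still pass
# pacman's full integrity check? Returns 0 only when both questions are
# answered reassuringly. (Live check: needs pacman on the host.)
check_path() {
    path=$1
    if ! owner=$(pacman -Qqo "$path" 2>/dev/null); then
        echo "UNOWNED  $path  (no package claims this file: investigate)"
        return 1
    fi
    if pacman -Qkk "$owner" >/dev/null 2>&1; then
        echo "OK       $path  owned by $owner, package files unmodified"
        return 0
    fi
    echo "MODIFIED $path  owned by $owner, but pacman -Qkk reports changes"
    return 1
}

# Usage: sh triage.sh /var/log/rkhunter.log
# Without an argument nothing is run live, so the helpers above can be
# exercised on SAMPLE_LOG alone.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    flagged_paths < "$1" | while IFS= read -r p; do
        check_path "$p" || true
    done
fi
```

A file that pacman reports as unowned, or a package whose `-Qkk` check fails, is the case worth escalating; a file that is owned and unmodified is the version-number collision the thread describes. Note that `/lib64` is a symlink on Arch, so the canonical `/usr/lib` path is the one to query if pacman does not recognise the symlinked form.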