[arch-general] rkhunter found possible rootkit

brent s. bts at square-r00t.net
Tue Aug 20 16:20:30 UTC 2019


On 8/20/19 5:58 AM, Oliver Jaksch via arch-general wrote:
> On Tuesday, 20 August 2019, 10:15:58 CEST you wrote:
>> Am 20.08.19 um 10:00 schrieb Filipe Laíns via arch-general:
>>> On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
>>>> I let rkhunter running around once a week. There were nothing since many
>>>> months. But today it's report complains about */lib64/libkeyutils.so.1.9*
>>>> and therefore other tools they're (seems to be) using this SO.
>>
>> ...
>>
>>> No, those libraries are used for key manipulation, that's why rkhunter
>>> thinks that they might be sniffer.
>>
>> In this particular case the filename was apparently used by a rootkit in
>>  2013 and it was blacklisted. Now the legitimate owner of the
>> libkeyutils filenames has reached the blacklisted version number. I
>> don't know which of the two possibilities it is in your case.
>>
>> https://bugs.archlinux.org/task/63369
>> https://www.webhostingtalk.com/showthread.php?t=1235797
> 
> Thanks to all. I think the URLs Filipe has posted are the most expressive 
> part. Let's hope that this really is a false alarm coming from the past.
> -
> Oliver
> 


If you're in doubt, you can also try chkrootkit. When dealing with
potential false positives, it sometimes helps to try more than one tool.

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20190820/2a43c5f8/attachment.sig>


More information about the arch-general mailing list