Package: rkhunter
Version: 1.4.6-7
Severity: important
Tags: upstream

For two weeks now rkhunter has been reporting an installed rootkit on my machines. It
started with the desktop computer, now also the "desktop" VM. The reports are
the same:

Warning: The following processes are using suspicious files:
         Command: applet.py
           UID: X    PID: Y
           Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: atom
           UID: X    PID: Y
           Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: atom
           UID: X    PID: Y
           Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: atom
           UID: X    PID: Y
           Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
[...]

The list goes on for multiple pages. I checked the packages via debsums and
they all seem to be fine. This happened over at Arch Linux last year:
https://bugs.archlinux.org/task/63369

I could whitelist libkeyutils, but for someone starting with rkhunter it is
probably very disturbing to get these messages right away.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rkhunter depends on:
ii  binutils               2.34-2
ii  debconf [debconf-2.0]  1.5.73
ii  file                   1:5.38-4
ii  lsof                   4.93.2+dfsg-1
ii  net-tools              1.60+git20180626.aebd88e-1
ii  perl                   5.30.0-9
ii  ucf                    3.0038+nmu1

Versions of packages rkhunter recommends:
ii  bsd-mailx [mailx]           8.1.2-0.20180807cvs-1+b1
ii  curl                        7.67.0-2
ii  dma [mail-transport-agent]  0.12-1
ii  e2fsprogs                   1.45.5-2
ii  iproute2                    5.5.0-1
ii  unhide                      20130526-4
ii  unhide.rb                   22-4
ii  wget                        1.20.3-1+b2

Versions of packages rkhunter suggests:
ii  liburi-perl     1.76-2
ii  libwww-perl     6.43-1
ii  powermgmt-base  1.36

-- Configuration Files:
/etc/logcheck/ignore.d.server/rkhunter [Errno 13] Permission denied: 
'/etc/logcheck/ignore.d.server/rkhunter'
/etc/rkhunter.conf [Errno 13] Permission denied: '/etc/rkhunter.conf'

-- debconf information:
* rkhunter/cron_db_update: true
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
