--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
Command: applet.py
UID: 1000 PID: 1097
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
Command: chromium
UID: 1000 PID: 1372
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
Command: chromium
UID: 1373 PID: 1372
Pathname: 22200
Possible Rootkit: Spam tool component
Command: chromium
UID: 1378 PID: 1372
Pathname: 22200
...
Command: Xorg
UID: 0 PID: 547
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
The above had a long list of "Possible Rootkit: Spam tool component", listing most of the running system.
Versions:
[root@magneto ~]# pacman -Q rkhunter
rkhunter 1.4.6-1
[root@magneto ~]# pacman -Q keyutils
keyutils 1.6.1-1
I have checked the keyutils files:
[root@magneto ~]# pacman -Qkk keyutils
keyutils: 72 total files, 0 altered files
I compared the sha256 sum with the original package from the Arch mirrors, as well as with that of another Arch system:
[user@magneto ~]# sha256sum /home/user/Downloads/keyutils-1.6.1-1-x86_64.pkg/usr/lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /home/user/Downloads/keyutils-1.6.1-1-x86_64.pkg/usr/lib/libkeyutils.so.1.9
[user@magneto ~]# sha256sum /lib/libkeyutils.so.1.9 /lib64/libkeyutils.so.1.9 /usr/lib/libkeyutils.so.1.9 /usr/lib64/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /lib64/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /usr/lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /usr/lib64/libkeyutils.so.1.9
Workarounds:
Downgrading keyutils from 1.6.1-1 back to 1.6-1 (which uses libkeyutils.so.1.8) will not throw any warnings with rkhunter.
Having rkhunter ignore the above libkeyutils.so.1.9 files causes rkhunter to not show any warnings (obviously), not even with the applications.
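The verification the report walks through by hand (pristine package hash versus every installed copy rkhunter flagged), as an added example that is not part of the bug report or of rkhunter: `pkg_file_hash` pulls one member out of a package archive without unpacking it, and `verify_copies` checks each flagged path against that reference. The package path, member name and file list are assumptions to be filled in from the report's own values.

```shell
#!/bin/sh
# Added example, not the reporter's or rkhunter's code.
# Assumes GNU tar or bsdtar (both accept -O to extract a member to stdout and
# auto-detect the compression of a .pkg.tar.zst / .tar.gz on read).

# pkg_file_hash PACKAGE_ARCHIVE MEMBER
#   Prints the SHA-256 of MEMBER as stored inside the archive, e.g.
#   pkg_file_hash keyutils-1.6.1-1-x86_64.pkg.tar.zst usr/lib/libkeyutils.so.1.9
pkg_file_hash() {
    tar -xOf "$1" "$2" | sha256sum | cut -d' ' -f1
}

# verify_copies REFERENCE_HASH FILE...
#   Prints one OK / DIFFERS / MISSING line per file and returns 0 only when
#   every file exists and matches REFERENCE_HASH. A DIFFERS line is what would
#   turn a "Possible rootkit" warning into a real finding; OK on every copy
#   means the warning is a signature match on a legitimate file.
verify_copies() {
    ref="$1"; shift
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; status=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$ref" ]; then
            echo "OK      $f"
        else
            echo "DIFFERS $f ($actual)"; status=1
        fi
    done
    return $status
}

# Usage against the paths from the rkhunter log (values assumed, adjust to taste):
#   ref=$(pkg_file_hash ~/Downloads/keyutils-1.6.1-1-x86_64.pkg.tar.zst usr/lib/libkeyutils.so.1.9)
#   verify_copies "$ref" /lib/libkeyutils.so.1.9 /lib64/libkeyutils.so.1.9 \
#                        /usr/lib/libkeyutils.so.1.9 /usr/lib64/libkeyutils.so.1.9
```

`pacman -Qkk keyutils`, as used in the report, performs the same comparison against the local package database rather than against a freshly downloaded archive; running both rules out a tampered database as well as a tampered file.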