I got a new user in the KDE login manager, named Realtime kit rkit.
My other computer does not have this.
I ran chkrootkit and rkhunter on both machines.
chkrootkit gives clean output on both.
rkhunter gave an adore rootkit warning on both machines.
I haven't done anything special with my computers, no SSH or anything. I have a fairly new install on both machines with about default configs.
A few popular packages from AUR and everything else from supported repositories.
So should I be worried??
Last edited by evot (2010-10-03 18:23:47)
So should I be worried??
You should read rkhunter log to find *why* it gave the warning. Come on.
You need to install an RTFM interface.
There was a thread about this quite recently. A search will find it. It may well turn out to be a false positive but you need to check it out to be safe. As pointed out above the logs will tell you ...
All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.
Warnings from /var/log/rkhunter.log
[19:24:01] /usr/bin/ldd [ Warning ]
[19:24:04] /usr/sbin/adduser [ Warning ]
[19:24:12] Checking for file '/usr/sbin/kfd' [ Found ]
[19:24:12] Warning: Adore Rootkit [ Warning ]
[19:24:12] File '/usr/sbin/kfd' found
[19:25:15] Checking for passwd file changes [ Warning ]
[19:25:15] Checking for group file changes [ Warning ]
[19:25:16] Checking /dev for suspicious file types [ Warning ]
[19:25:16] Warning: Suspicious file types found in /dev:
[19:25:16] /dev/shm/pulse-shm-1712797582: data
[19:25:16] /dev/shm/pulse-shm-2839650524: data
[19:25:16] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[19:25:16] Checking for hidden files and directories [ Warning ]
[19:25:16] Warning: Hidden directory found: /etc/.java
[19:25:30] Rootkit checks...
[19:25:30] Rootkits checked : 245
[19:25:30] Possible rootkits: 1
[19:25:30] Rootkit names : Adore Rootkit
There was a thread about this quite recently. A search will find it. It may well turn out to be a false positive but you need to check it out to be safe. As pointed out above the logs will tell you ...
OK, I found a thread about something similar.
And this is about the conclusion.
BTW, this is a definite false positive. rkhunter sees any /usr/sbin/kfd file as the Adore rootkit. e.g. move that file and all is good. Create an empty file with that name, Adore rootkit warning.
Does my rkhunter.log file look like I could trust that it's a false positive?
What should I do with that KDM extra user entry??
This is my first rootkit experience so I don't know how to work with these.
pacman -Qo /usr/sbin/kfd
/usr/sbin/kfd is owned by heimdal 1.3.3-1
https://bugs.archlinux.org/task/18028
But you still need to figure out what the new user is.
pacman -Qo /usr/sbin/kfd
/usr/sbin/kfd is owned by heimdal 1.3.3-1
https://bugs.archlinux.org/task/18028
But you still need to figure out what the new user is.
I think the Adore rootkit subject seems to be solved.
Thank you all
Any ideas for that KDM user??
Kind of weird: when I look at it from the KDE settings for KDM, I found under the users tab a box with a list of excluded users. There are all the groups like audio, power etc., and then there are three users: myuser, root and rkit .... ??
I found this thread, but..
https://bbs.archlinux.org/viewtopic.php?id=103668
Exactly the same situation.
Feels kind of strange to just hide a user named rkit.
Is that really the right way to do this??
Is it rkit or rtkit?
Is it rkit or rtkit?
Sorry, my bad.. It's rtkit.
And that should be fine to have??
Seems that I found the answer.
rtkit is a package installed as a dependency for pulseaudio.. Now I feel embarrassed.
Found a topic on the Fedora forums where the same kind of subject was going on.
But once again I can say that I have learned something.
Thanks Loafer for leading the way
Next thing for me is getting to know Firewall Builder.. just for the future.
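The two checks the thread arrives at by hand, asking the package manager who owns the file rkhunter flagged and working out whether a surprise account is a daemon user or a real login, can be scripted. The block below is an added example, not code from rkhunter, pacman, KDM or anyone in the thread. The rkhunter log excerpt is constructed from the lines quoted above, the rtkit passwd entry (UID, home, shell) is a constructed assumption to check against your own /etc/passwd, the UID_MIN of 1000 is assumed from Arch's login.defs default, and `pacman -Qkk` assumes pacman 4.1 or newer (the thread's 2010 pacman only had `-Qo`).

```shell
#!/bin/sh
# Triage an rkhunter rootkit-signature hit and an unexpected system account.
# Added example, not part of the original thread or of rkhunter/pacman.

# Constructed rkhunter.log excerpt (lines modelled on the thread's log).
SAMPLE_LOG=$(cat <<'EOF'
[19:24:12] Checking for file '/usr/sbin/kfd' [ Found ]
[19:24:12] Warning: Adore Rootkit [ Warning ]
[19:24:12] File '/usr/sbin/kfd' found
[19:25:16] Warning: Hidden directory found: /etc/.java
[19:25:30] Rootkit names : Adore Rootkit
EOF
)

# Constructed passwd entry; the real rtkit UID/shell depend on the package.
SAMPLE_PASSWD='rtkit:x:133:133:RealtimeKit:/proc:/bin/false'

# Read rkhunter.log on stdin, print each path it flagged as a rootkit
# signature file or as a hidden file/directory, one per line.
rkhunter_flagged_paths() {
    sed -n \
        -e "s/^.*File '\([^']*\)' found\$/\1/p" \
        -e 's/^.*Hidden directory found: \(.*\)$/\1/p' \
        -e 's/^.*Hidden file found: \(.*\)$/\1/p'
}

# Ask pacman who owns a flagged path and whether the on-disk file still
# matches the package database. An unowned file, or one whose hash or mtime
# no longer matches, needs a closer look; a file owned by an intact package
# (heimdal's kfd in the thread) is the benign explanation.
check_flagged_path() {
    path=$1
    if ! command -v pacman >/dev/null 2>&1; then
        echo "$path: pacman not available here, run 'pacman -Qo $path' on the Arch box"
        return 0
    fi
    if owner=$(pacman -Qqo "$path" 2>/dev/null); then
        echo "$path: owned by $owner"
        # -Qkk prints one line per mismatching file; no line means it matches.
        pacman -Qkk "$owner" 2>&1 | grep -F "$path" \
            || echo "$path: matches the $owner package database entry"
    else
        echo "$path: NOT owned by any package, investigate"
    fi
}

# Classify one passwd line. A UID below UID_MIN with no login shell is what
# a package-created daemon account (rtkit, pulse, ...) looks like; a real
# shell or a UID in the human range is an account somebody should recognise.
classify_account() {
    line=$1
    uid_min=${2:-1000}   # assumed Arch login.defs default
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case $shell in
        */nologin|*/false|"") has_shell=no ;;
        *) has_shell=yes ;;
    esac
    if [ "$uid" -lt "$uid_min" ] && [ "$has_shell" = no ]; then
        echo system
    elif [ "$uid" -lt "$uid_min" ]; then
        echo system-with-shell
    else
        echo login
    fi
}

# Demo run over the constructed inputs.
printf '%s\n' "$SAMPLE_LOG" | rkhunter_flagged_paths | while IFS= read -r p; do
    check_flagged_path "$p"
done
echo "rtkit account class: $(classify_account "$SAMPLE_PASSWD")"
# On the live machine: getent passwd rtkit | while IFS= read -r l; do classify_account "$l"; done
```

A `system` result for an account you did not create is consistent with a package dependency pulling it in, as happened with rtkit here; `pacman -Qi rtkit` (or `pacman -Qo` on the account's home or binaries) then names the package. A `login` result, or a flagged path that no package owns, is the case where the false-positive shortcut does not apply.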