
#1 2013-07-30 00:56:29

ham bone
Member
Registered: 2012-07-23
Posts: 6

[SOLVED] Rkhunter suckit rootkit warning (false or true?)

Greetings
I am requesting assistance with a potential suckit rootkit issue as stated by rkhunter.
For reader convenience, this post is divided into system/software, problem background (how I attempted to fix it) and two questions.

System/software
uname -r 3.9.9-1-ARCH luks lvm
rkhunter: Rootkit Hunter 1.4.0


Background and what I've done to solve this:
I received numerous warnings after running rkhunter. After running --update and --propupd, most of the warnings were inode changes due to the fact that I relocated the lvm that contained root. I also received warnings that I was able to call false positives due to the fact that the files in question matched those that I was later able to download via pacman and then verify with the cmp command. I Googled and actually spent two hours trying to track down information. Suckit seems to be a non-kernel rootkit. The Ubuntu forums are down due to a security issue. On multiple occasions, the search function associated with the rkhunter website returned no results for my situation even when the search parameters were limited to the most intrinsic keywords.
I should note that when rkhunter performed the "check of known rootkit files and directories" the results were no good. It is only when rkhunter performs the "performing Suckit Rookit additional checks" that I receive the warning indicated immediately below question 1.

Two Questions:
Question 1
Are the warnings below associated with the recent changes in Arch Linux as identified by Arch Linux News dated 2013-Jun-03? https://www.archlinux.org/news/binaries … ervention/

Extracts from the rkhunter logfile:

[13:10:40] Info: Starting test name 'additional_rkts'
[13:10:40] Performing additional rootkit checks
[13:10:40]
[13:10:40]   Performing Suckit Rookit additional checks
[13:10:40]     Checking hard link count on '/sbin/init'      [ Warning ]
[13:10:41]     Checking for hidden file extensions           [ None found ]
[13:10:41]     Running skdet command                         [ Skipped ]
[13:10:41] Info: Unable to find the 'skdet' command
[13:10:41] Warning: Suckit Rookit additional checks          [ Warning ]
[13:10:41]          Error from '/usr/bin/stat' command when checking '/sbin/init'

Question 2
Are the warnings below associated with normal false positives in rkhunter? My Googling says yes, but I am seeking confirmation or (hopefully not) refutation.

cking /dev for suspicious file types         [ Warning ]
[13:11:14] Warning: Suspicious file types found in /dev:
[13:11:14]          /dev/shm/pulse-shm-3499313937: data

 Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[13:11:15] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[13:11:15]

I thank you all in advance. Please understand that I am vehemently opposed to rtfm answers as I've paid my dues, using Arch since 2009. Everyone needs detailed help on occasion, and I rarely use forums.
Thanks again

Last edited by ham bone (2013-07-30 20:16:59)

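Redoing the two checks behind these warnings by hand, as an added shell example that is not from the thread and not rkhunter's own code: it reports the hard link count of a path (the figure rkhunter's Suckit check warns about for /sbin/init), lists hidden files under a directory as the hidden-file scan does, and compares a hidden file with its visible twin using cmp. Following symlinks with -L is an assumption about what the check should do on a system where /sbin/init is a symlink, not a statement about rkhunter's internals; the demo paths /sbin/init and /usr/share/man/man5 are assumptions too. It needs only POSIX sh, ls, awk, find and cmp, so it runs without rkhunter or pacman.

```shell
#!/bin/sh
# Added example (not code from the thread or from rkhunter): redo by hand the
# checks behind the two warnings so a result can be confirmed before it is
# written off as a false positive. Needs only POSIX sh, ls, awk, find and cmp.

# Hard link count of a path, read from the second column of `ls -ldL` so it
# works on any POSIX system. -L follows symlinks, so a symlinked /sbin/init is
# judged by its target (an assumption about what the check should do, not a
# statement about rkhunter's internals). A missing path yields "stat-error",
# mirroring the "Error from '/usr/bin/stat'" line in the log.
hardlink_count() {
    if [ -e "$1" ]; then
        ls -ldL "$1" | awk '{print $2}'
    else
        echo "stat-error"
    fi
}

# Verdict in the style of the rkhunter log: a regular init binary is expected
# to have exactly one link; anything else is reported as a warning.
check_init_links() {
    n=$(hardlink_count "$1")
    case "$n" in
        1)          echo "ok" ;;
        stat-error) echo "stat-error" ;;
        *)          echo "warning:$n" ;;
    esac
}

# Hidden regular files (names starting with '.') under a directory, sorted.
# This is the raw material of the "Hidden file found" warnings.
hidden_files() {
    find "$1" -type f -name '.*' 2>/dev/null | sort
}

# Compare a hidden file with its visible twin byte for byte, the question cfr
# raises later in the thread about .k5login.5.gz and k5login.5.gz.
same_content() {
    if cmp -s "$1" "$2"; then
        echo "identical"
    else
        echo "different"
    fi
}

# Stand-alone demo on the paths the thread is about (assumed paths).
echo "/sbin/init hard link check: $(check_init_links /sbin/init)"
echo "hidden files under /usr/share/man/man5:"
hidden_files /usr/share/man/man5
```

A link count other than 1 only says that another directory entry points at the same inode; comparing the file against the package copy (the cmp step described in the post) is what settles whether the content changed.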

#2 2013-07-30 01:33:34

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

ham bone wrote:

Please understand that I am vehemently opposed to rtfm answers as I've paid my dues, using Arch since 2009.

Excuse me?

Everyone needs detailed help on occasion, and I rarely use forums.

So you do not help others (even by reporting back on the success or failure of advice you have been given in your previous thread or by marking your thread [solved], if it was) but expect others to help you in precisely the way you find most convenient?

https://wiki.archlinux.org/index.php/Fo … troduction
https://wiki.archlinux.org/index.php/Fo … way_Street


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2013-07-30 03:29:41

ham bone
Member
Registered: 2012-07-23
Posts: 6

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

CFR Shame on you! You're probably accustomed to having your arse kissed by those who need help and are intimidated by your 3700+ posts. Well I am happy to disappoint you and your ilk.

First, you're creating a problem over a minor possible faux pas incident that occurred a year ago, and without facts. That's mature.

cfr wrote:

So you do not help others (even by reporting back on the success or failure of advice you have been given in your previous thread or by marking your thread [solved],..

You said that I did not mark a post as solved. You're correct. Maybe I was in a hospital. Truth be told, the problem went away after a few updates, and a few file system checks. This never entered my mind as useful to anyone, much less grounds for marking a post as solved. If someone other than you has something objective to say that would refute my position, I'd be happy to comply.

cfr wrote:

... but expect others to help you in precisely the way you find most convenient?

You said that I want help only on my terms.
Unlike you, I never made money as an IT professional nor had a computer-related profession. My background was in aviation. Not every man page is understandable to a layman such as myself. As such, the obvious choices are responses that are only useful to Linux Gurus or responses that are useful to all. Obviously, the latter makes more sense.

CFR
you also left a link concerning help vampires. Really? Having juxtaposed that link's contents with my communication in this forum heretofore, I can only say that you are risking your reputation by implying that which is obviously not true.

CFR
In short, despite your 3700+ posts, you are what is wrong with the Arch Linux community. You are accustomed to laypersons bowing and kissing your arse because you can help them solve their computer problems. I guess you think that means that you do not have to respect laypersons, especially a layperson like me who is not a Linux Guru. Well guru, I bow to no one! Also, you are holding a grudge over a post that I created one year ago, a post in which I may have committed one minor unintentional etiquette faux pas. How are you not an embarrassment to Arch Linux in particular and the Linux community as a whole?

Last edited by ham bone (2013-07-30 03:43:21)


#4 2013-07-30 03:43:44

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Let's dial this back a little, please.

ham bone: if you want help with your issue, dictating terms to the community is not the best way to get it. And, irrespective of how you interpreted cfr's post, responding with a personal attack and generalisations about the community is unacceptable: https://wiki.archlinux.org/index.php/Fo … ther_Users
(Also, the vampire link is in his signature--not directed at you personally).

cfr: ham bone's question was a particularly good one: it set out the issues and showed initiative in understanding and trying to solve the problem. Aside from the unfortunate lapse in the last para, it does merit a substantive response.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#5 2013-07-30 03:48:05

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,385

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Alright...

Mistakes made in this thread:

ham bone wrote:

Please understand that I am vehemently opposed to rtfm answers as I've paid my dues, using Arch since 2009. Everyone needs detailed help on occasion, and I rarely use forums.

That was not needed and only resulted in antagonizing people. I earlier chose not to give you the answer purely based on that.

cfr wrote:

So you do not help others (even by reporting back on the success or failure of advice you have been given in your previous thread or by marking your thread [solved], if it was) but expect others to help you in precisely the way you find most convenient?

Should not have bitten. And really a post or two (and that is ham bone's total posting history) without "solved" is in everyone's posting history.

Finally, the response from ham bone is bound to get you a cool off period...


Edit: mod beat me, and ham bone is still here!

Anyway, both errors are false positives. rkhunter is full of them.


#6 2013-07-30 03:53:09

HalosGhost
Forum Moderator
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 2,092

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Can I just take a moment and say that this is why I love this community? We're all deeply passionate for what we do, and even though that sometimes conflicts with what others feel/think, we're still able to keep a cool head in the end and get things worked out. Cheers to the mods and cheers to Allan!

All the best,

-HG


#7 2013-07-30 20:06:22

ham bone
Member
Registered: 2012-07-23
Posts: 6

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Thanks Admin and moderators for your objectivity and your constructive criticism.
Also, thanks for telling me that my post merited a response. I wanted to respond to each one of you in one post, hence the protracted length.

As for me dictating to the community how to go about helping me, that was not my intent. In my mind dictating is telling someone what to do and how to do it for purely whimsical or egotistical reasons, which is not me because I truly value humility. However, over the years, I've seen people treated badly in forums. Typically, the more advanced, the less respect. Sorry, but I swear that to be true.

From experience, I know that I have more experience with education than most people (excluding education professionals) and on occasion, I've been paid to turn that which is technical into that which is understandable to the layperson.

As such, if I were a Linux guru, I'd respond on the original poster's level. Example: If the original poster understood dvdbackup, but not clamscan, I might say:

From the command line, dvdbackup executes as follows:
action (dvdbackup) source (-i) target (-o) options (-M)
clamscan is action (clamscan) options target
clamscan --help
man clamscan

My hope would be that the original poster would succeed and post results. The secondary goal would be that my post and the original poster's response would benefit others on the international stage without sacrificing critical thinking or homework.

By stating what type of help I needed, I was not trying to make enemies with the community. I was seeking to be an instrument of efficiency. Antagonizing anyone was the farthest thing from my mind.

I really wish that I knew enough to be beneficial to others in this forum, but there is always change:
Gnome2 became Gnome3; init scripts became systemd; standard keyboard and mouse became LOSTI (Line Of Sight Telekinetic Interface). Anything that I could answer is either correctly answered or old.

HG I concur

Again, Administrators, moderators, developers and HG thanks for your candor and support, and cfr, can we say water under the bridge? I am game if you are.

Last edited by ham bone (2013-07-30 20:07:24)


#8 2013-07-30 20:18:06

ham bone
Member
Registered: 2012-07-23
Posts: 6

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Bottom of post 5 confirms "false positive". Thanks Allan.
Also, thanks to HG for posting.

Lessons learned:
Should probably cron the rkhunter job.
Definitely need to run the --update more often and I need to --propupd after each update via pacman.

Last edited by ham bone (2013-07-30 20:21:21)


#9 2013-07-30 23:58:33

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

ham bone wrote:

cfr, can we say water under the bridge? I am game if you are.

Water? Bridge? I see only the hills ahead...

Anyway, nobody's ever accused me of technical expertise before.

I would really like to know why krb5 installs

/usr/share/man/man5/.k5identity.5.gz  /usr/share/man/man5/k5identity.5.gz
/usr/share/man/man5/.k5login.5.gz     /usr/share/man/man5/k5login.5.gz

As far as I can tell the files on the left have just the same content as those on the right but they are certainly not identical:

-rw-r--r-- 1 root root   42 Meh  10 07:46 /usr/share/man/man5/.k5identity.5.gz
-rw-r--r-- 1 root root   39 Meh  10 07:46 /usr/share/man/man5/.k5login.5.gz
-rw-r--r-- 1 root root 1.2K Meh  10 07:46 /usr/share/man/man5/k5identity.5.gz
-rw-r--r-- 1 root root 1018 Meh  10 07:46 /usr/share/man/man5/k5login.5.gz

These are in the official package list so they are definitely correct - I am just really curious about what purpose the left hand ones serve. I checked a couple of other man page directories, and I couldn't find any more dot versions.


#10 2013-07-31 00:35:57

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,385

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

They are about the local config in a user's home directory.


#11 2013-07-31 00:41:51

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

But why 2 copies?

man k5login
man .k5login

give me the same information, for example. The same if I explicitly specify full paths to man.


#12 2013-07-31 00:52:31

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,385

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Probably because people moaned about the "." in the .k5login file and so they are transitioning to not have that.


#13 2013-07-31 00:58:46

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Rkhunter suckit rootkit warning (false or true?)

Thanks. Just seemed very mysterious.
