#1 2019-08-13 19:34:55

smoothsailing
Member
Registered: 2012-06-25
Posts: 2

Rootkit Hunter flagged keyutils 1.6.1-1

Has anyone else had rkhunter flag the libraries of the latest keyutils 1.6.1-1?

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
  Checking file i18n/ja                                      [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for possible rootkit files and directories [ Warning ]
         Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
         Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
         Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
         Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
         Command: applet.py
           UID: 1000    PID: 1097
           Pathname: /usr/lib/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: chromium
           UID: 1000    PID: 1372
           Pathname: /usr/lib/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: chromium
           UID: 1373    PID: 1372
           Pathname: 22200
           Possible Rootkit: Spam tool component
         Command: chromium
           UID: 1378    PID: 1372
           Pathname: 22200
...
         Command: Xorg
           UID: 0    PID: 547
           Pathname: /usr/lib/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component

The above had a long list of "Possible Rootkit: Spam tool component", listing most of the running system.

Versions:

[root@magneto ~]# pacman -Q rkhunter
rkhunter 1.4.6-1
[root@magneto ~]# pacman -Q keyutils
keyutils 1.6.1-1

I have checked the keyutils files:

[root@magneto ~]# pacman -Qkk keyutils
keyutils: 72 total files, 0 altered files

I compared the sha256 code with the original source from the Arch mirrors, as well as with that from another Arch system:

[user@magneto ~]# sha256sum /home/user/Downloads/keyutils-1.6.1-1-x86_64.pkg/usr/lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363  /home/user/Downloads/keyutils-1.6.1-1-x86_64.pkg/usr/lib/libkeyutils.so.1.9
[user@magneto ~]# sha256sum /lib/libkeyutils.so.1.9 /lib64/libkeyutils.so.1.9  /usr/lib/libkeyutils.so.1.9 /usr/lib64/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363  /lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363  /lib64/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363  /usr/lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363  /usr/lib64/libkeyutils.so.1.9

Workarounds:

Downgrading keyutils from 1.6.1-1 back to 1.6-1 (which uses libkeyutils.so.1.8) will not throw any warnings with rkhunter.

Having rkhunter ignore the above libkeyutils.so.1.9 files causes rkhunter to not show any warnings (obviously), not even with the applications.
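
The manual check from the first post (hash each flagged path and compare it with a copy from a trusted package), as an added example that is not part of the original post. It pulls the paths out of the "Found file" warnings and resolves symlinks first, since on Arch `/lib`, `/lib64` and `/usr/lib64` all point at `/usr/lib`, which is why the four hashes above are identical. The function names and the `scan.log` and `pkg/` paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage rkhunter "Found file" warnings
# by hashing each flagged file against a SHA-256 taken from a trusted package.

# Print every path named in a "Found file '<path>'" warning read from stdin.
flagged_paths() {
    sed -n "s/.*Found file '\([^']*\)'.*/\1/p"
}

# Reduce paths on stdin to the distinct real files behind them, so paths
# that are symlinked views of one file are hashed once. Missing paths are
# reported on stderr and skipped.
distinct_targets() {
    local p
    while IFS= read -r p; do
        if [ -e "$p" ]; then readlink -f -- "$p"; else echo "missing: $p" >&2; fi
    done | sort -u
}

# check_hash FILE SHA256: print a verdict; return 0 only if the hash matches.
check_hash() {
    local got
    got=$(sha256sum -- "$1" | cut -d' ' -f1)
    if [ "$got" = "$2" ]; then echo "MATCH    $1"; return 0; fi
    echo "MISMATCH $1 (got $got)"
    return 1
}

# triage LOG SHA256: check every flagged file; return 1 if any differs
# and 2 if the log names no existing file at all (nothing was verified).
triage() {
    local targets f rc=0
    targets=$(flagged_paths < "$1" | distinct_targets)
    [ -n "$targets" ] || { echo "no flagged files found in $1"; return 2; }
    while IFS= read -r f; do
        check_hash "$f" "$2" || rc=1
    done <<EOF
$targets
EOF
    return $rc
}

# Usage (hypothetical file names): save the scan output as scan.log, extract
# the package fetched from a mirror into pkg/, then:
#   triage scan.log "$(sha256sum < pkg/usr/lib/libkeyutils.so.1.9 | cut -d' ' -f1)"
```

A match only shows that the installed file equals the reference copy, so the reference should come from a source other than the machine being checked, as in the post's comparison with a mirror download and a second system.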

#2 2019-08-13 19:48:00

loqs
Member
Registered: 2014-03-06
Posts: 8,150

Re: Rootkit Hunter flagged keyutils 1.6.1-1

#3 2019-08-14 20:59:30

zeta
Member
Registered: 2019-04-04
Posts: 4

Re: Rootkit Hunter flagged keyutils 1.6.1-1

I had the same issue. Downgrading keyutils to 1.6-1 solved the problem.
