Has anyone else had rkhunter flag the libraries of the latest keyutils 1.6.1-1?
--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
Command: applet.py
UID: 1000 PID: 1097
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
Command: chromium
UID: 1000 PID: 1372
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
Command: chromium
UID: 1373 PID: 1372
Pathname: 22200
Possible Rootkit: Spam tool component
Command: chromium
UID: 1378 PID: 1372
Pathname: 22200
...
Command: Xorg
UID: 0 PID: 547
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
The above had a long list of "Possible Rootkit: Spam tool component", listing most of the running system.
Versions:
[root@magneto ~]# pacman -Q rkhunter
rkhunter 1.4.6-1
[root@magneto ~]# pacman -Q keyutils
keyutils 1.6.1-1
I have checked the keyutils files:
[root@magneto ~]# pacman -Qkk keyutils
keyutils: 72 total files, 0 altered files
I compared the sha256 sum with the original package from the Arch mirrors, as well as with that of another Arch system:
[user@magneto ~]# sha256sum /home/user/Downloads/keyutils-1.6.1-1-x86_64.pkg/usr/lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /home/user/Downloads/keyutils-1.6.1-1-x86_64.pkg/usr/lib/libkeyutils.so.1.9
[user@magneto ~]# sha256sum /lib/libkeyutils.so.1.9 /lib64/libkeyutils.so.1.9 /usr/lib/libkeyutils.so.1.9 /usr/lib64/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /lib64/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /usr/lib/libkeyutils.so.1.9
992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363 /usr/lib64/libkeyutils.so.1.9
Workarounds:
Downgrading keyutils from 1.6.1-1 back to 1.6-1 (which uses libkeyutils.so.1.8) will not throw any warnings with rkhunter.
Having rkhunter ignore the above libkeyutils.so.1.9 files causes rkhunter to not show any warnings (obviously), not even with the applications.
Last edited by smoothsailing (2019-08-20 21:57:40)
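A small triage helper for warnings like the ones quoted above, added here as an example and not part of this thread: it pulls the flagged paths out of rkhunter's output (skipping the bare `Pathname: 22200` style entries from the process check, which are not files), hashes what is on disk and compares each file against a reference digest taken from a trusted copy of the package, such as the archive in /var/cache/pacman/pkg. The sample log and the reference map are constructed from the post; a digest that matches the package is what separates a name-based false positive from a replaced library.

```python
import hashlib
import re

# Constructed sample of rkhunter output, taken from the warnings in the post above.
SAMPLE_LOG = """\
Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Command: chromium
UID: 1000 PID: 1372
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
Command: chromium
UID: 1373 PID: 1372
Pathname: 22200
Possible Rootkit: Spam tool component
"""

FOUND_RE = re.compile(r"^Found file '([^']+)'\.")
PATHNAME_RE = re.compile(r"^Pathname: (\S+)$")


def flagged_paths(log_text):
    """Return the sorted, de-duplicated absolute paths rkhunter warned about.
    'Pathname:' values that are not absolute paths (e.g. the bare number 22200)
    are skipped: there is no file on disk to verify."""
    paths = set()
    for line in log_text.splitlines():
        m = FOUND_RE.match(line) or PATHNAME_RE.match(line)
        if m and m.group(1).startswith("/"):
            paths.add(m.group(1))
    return sorted(paths)


def hash_files(paths):
    """Map each path to its sha256 hex digest, or None if it cannot be read."""
    digests = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                digests[p] = hashlib.sha256(f.read()).hexdigest()
        except OSError:
            digests[p] = None
    return digests


def compare(observed, reference):
    """observed: {path: digest or None}; reference: {path: digest} from a trusted
    copy of the package. Returns a verdict per path."""
    verdicts = {}
    for p, digest in observed.items():
        if digest is None:
            verdicts[p] = "missing"
        elif p not in reference:
            verdicts[p] = "no-reference"
        elif digest == reference[p]:
            verdicts[p] = "match"
        else:
            verdicts[p] = "mismatch"
    return verdicts


if __name__ == "__main__":
    # Reference digest for the keyutils 1.6.1-1 library, as quoted in the post.
    PKG_DIGEST = "992d3dfa004ddd20392b5cad11079c03bd0eca8502593411fd1bba37c0bad363"
    paths = flagged_paths(SAMPLE_LOG)
    reference = {p: PKG_DIGEST for p in paths}
    for path, verdict in compare(hash_files(paths), reference).items():
        print(f"{verdict:12} {path}")
```

On a real system the reference map should come from the package archive (or from `pacman -Qkk`'s database), never from the file under suspicion itself.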
I had the same issue. Downgrading keyutils to 1.6-1 solved the problem.