#1 2010-10-03 16:57:22

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Adore rootkit [SOLVED]

I got a new user in the KDE login manager, named Realtime kit rkit.
My other computer does not have this.

I ran chkrootkit and rkhunter on both machines.
chkrootkit gives clean output on both.
rkhunter gave adore rootkit warning on both machines.

I haven't done anything special with my computers, no SSH or anything. I have a fairly new install on both machines with roughly default configs.
A few popular packages from AUR and everything else from supported repositories.

So should I be worried??

Last edited by evot (2010-10-03 18:23:47)

#2 2010-10-03 17:08:17

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834

Re: Adore rootkit [SOLVED]

evot wrote:

So should I be worried??

You should read rkhunter log to find *why* it gave the warning. Come on.


You need to install an RTFM interface.

#3 2010-10-03 17:14:32

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Adore rootkit [SOLVED]

There was a thread about this quite recently.  A search will find it.  It may well turn out to be a false positive but you need to check it out to be safe.  As pointed out above the logs will tell you ...


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

#4 2010-10-03 17:26:09

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Re: Adore rootkit [SOLVED]

Warnings from /var/log/rkhunter.log

[19:24:01] /usr/bin/ldd                                      [ Warning ]
[19:24:04] /usr/sbin/adduser                                 [ Warning ]
[19:24:12] Checking for file '/usr/sbin/kfd'                 [ Found ]
[19:24:12] Warning: Adore Rootkit                            [ Warning ]
[19:24:12] File '/usr/sbin/kfd' found
[19:25:15] Checking for passwd file changes                [ Warning ]
[19:25:15] Checking for group file changes                 [ Warning ]
[19:25:16] Checking /dev for suspicious file types         [ Warning ]
[19:25:16] Warning: Suspicious file types found in /dev:
[19:25:16] /dev/shm/pulse-shm-1712797582: data
[19:25:16] /dev/shm/pulse-shm-2839650524: data
[19:25:16] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[19:25:16] Checking for hidden files and directories       [ Warning ]
[19:25:16] Warning: Hidden directory found: /etc/.java
[19:25:30] Rootkit checks...
[19:25:30] Rootkits checked : 245
[19:25:30] Possible rootkits: 1
[19:25:30] Rootkit names    : Adore Rootkit

#5 2010-10-03 17:33:32

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

#6 2010-10-03 17:35:17

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Re: Adore rootkit [SOLVED]

loafer wrote:

There was a thread about this quite recently.  A search will find it.  It may well turn out to be a false positive but you need to check it out to be safe.  As pointed out above the logs will tell you ...

OK, I found a thread about something similar.
And this is roughly the conclusion:

BTW, this is a definite false positive.  rkhunter sees any /usr/sbin/kfd file as the Adore rootkit.  e.g. move that file and all is good.  Create an empty file with that name, Adore rootkit warning.

Does my rkhunter.log file look like I could trust that it's a false positive?

What should I do with that extra KDM user entry??

This is my first rootkit experience, so I don't know how to work with these. :)

#7 2010-10-03 17:35:27

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Adore rootkit [SOLVED]

pacman -Qo /usr/sbin/kfd
/usr/sbin/kfd is owned by heimdal 1.3.3-1

https://bugs.archlinux.org/task/18028

But you still need to figure out what the new user is.


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.
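The ownership check above, automated over every path rkhunter flagged, as an added example that is not code from this thread. It assumes pacman is present (otherwise it says so) and uses a constructed log excerpt modelled on the lines evot posted:

```shell
#!/bin/sh
# Added example, not code from the thread: pull every path rkhunter flagged
# out of its log and ask pacman which package, if any, owns it. This automates
# the check loafer ran by hand with `pacman -Qo /usr/sbin/kfd`. A path owned by
# an installed package is a likely false positive (confirm with `pacman -Qkk`);
# an unowned one needs a closer look.

# Constructed log excerpt, modelled on the rkhunter.log lines quoted above.
RKHUNTER_LOG=$(cat <<'EOF'
[19:24:12] Checking for file '/usr/sbin/kfd'                 [ Found ]
[19:24:12] Warning: Adore Rootkit                            [ Warning ]
[19:24:12] File '/usr/sbin/kfd' found
[19:25:16] Warning: Suspicious file types found in /dev:
[19:25:16] /dev/shm/pulse-shm-1712797582: data
[19:25:16] /dev/shm/pulse-shm-2839650524: data
[19:25:16] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[19:25:16] Warning: Hidden directory found: /etc/.java
EOF
)

# Read log lines on stdin and print one flagged path per line.
# Whitelisted "Info:" entries such as /dev/.udev are deliberately skipped.
extract_flagged_paths() {
    sed -n \
        -e "s/^\[[0-9:]*\] File '\([^']*\)' found\$/\1/p" \
        -e 's/^\[[0-9:]*\] Warning: Hidden [a-z]* found: \(.*\)$/\1/p' \
        -e 's/^\[[0-9:]*\] \(\/dev\/[^:]*\): .*$/\1/p'
}

# For each flagged path on stdin, report the owning package or why none was found.
triage_flagged_paths() {
    while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            printf '%s: no longer present\n' "$path"
        elif ! command -v pacman >/dev/null 2>&1; then
            printf '%s: pacman not available, cannot check ownership\n' "$path"
        elif owner=$(pacman -Qo "$path" 2>/dev/null); then
            printf '%s\n' "$owner"   # e.g. "/usr/sbin/kfd is owned by heimdal 1.3.3-1"
        else
            printf '%s: not owned by any package, investigate\n' "$path"
        fi
    done
    return 0
}

printf '%s\n' "$RKHUNTER_LOG" | extract_flagged_paths | triage_flagged_paths
```

On a real machine feed `/var/log/rkhunter.log` in place of the constructed excerpt; anything reported as unowned or as a package whose files fail `pacman -Qkk` is what deserves attention.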

#8 2010-10-03 17:48:21

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Re: Adore rootkit [SOLVED]

loafer wrote:

pacman -Qo /usr/sbin/kfd
/usr/sbin/kfd is owned by heimdal 1.3.3-1

https://bugs.archlinux.org/task/18028

But you still need to figure out what the new user is.


I think the Adore rootkit subject seems to be solved.

Thank you all :)

Any ideas about that KDM user??

Kind of weird: when I look at it from the KDE settings for KDM, I found under the Users tab a box with a list of excluded users. There are all the groups like audio, power etc., and then there are three users: myuser, root and rkit .... ??

#9 2010-10-03 18:02:13

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Re: Adore rootkit [SOLVED]

I found this thread, but...

https://bbs.archlinux.org/viewtopic.php?id=103668

Exactly the same situation.

Feels kind of strange to just hide a user named rkit :D

Is that really the right way to do this??

#10 2010-10-03 18:02:40

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Adore rootkit [SOLVED]

Is it rkit or rtkit?


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

#11 2010-10-03 18:05:31

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Re: Adore rootkit [SOLVED]

loafer wrote:

Is it rkit or rtkit?

Sorry, my bad... It's rtkit.

And that should be fine to have??

#12 2010-10-03 18:20:33

evot
Member
From: Finland
Registered: 2010-02-26
Posts: 96

Re: Adore rootkit [SOLVED]

Seems that I found the answer.

rtkit is a package installed as a dependency for pulseaudio... Now I feel embarrassed :D
Found a topic on the Fedora forums where the same kind of subject was going on.

But once again I can say that I have learned something.

Thanks, Loafer, for leading the way :)

Next thing for me is getting to know Firewall Builder... just for the future.