FS#63369 : [keyutils] RKhunter reports a possible rootkit

FS#63369 - [keyutils] RKhunter reports a possible rootkit

Attached to Project: Arch Linux
Opened by Andrea Amorosi (AndreaA) - Monday, 05 August 2019, 06:41 GMT
Last edited by freswa (frederik) - Saturday, 22 February 2020, 20:50 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	6 Philipp Claßen (PhCl) (2019-10-08) Shay G (Tharbad) (2019-08-23) zeta (zeta) (2019-08-14) edac val (edacval) (2019-08-13) Lubomir Krajcovic (scott32) (2019-08-08) Andrea Amorosi (AndreaA) (2019-08-07)
Private	No

Details

Description:
After the upgrade when I run rkhunter, I get the following warnings:

Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
Command: sudo
UID: 0 PID: 4355
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component

Reverting to 1.6-1 solves the issue.

Additional info:
* package version(s) 1.6.1-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:

This task depends upon

Closed by freswa (frederik)
Saturday, 22 February 2020, 20:50 GMT
Reason for closing: Not a bug

Comment by Christian Hesse (eworm) - Monday, 05 August 2019, 07:20 GMT

We had the same for keyutils 1.6... Looks like a false positive, again.

Comment by Christian Hesse (eworm) - Monday, 05 August 2019, 07:54 GMT

Looks like this is a different issue than last time. Uploaded the file to Virustotal, all good.

But rkhunter has a match on the plain file name "libkeyutils.so.1.9", see /usr/bin/rkhunter from line 9765. I guess any malicious software used that file name in the past.

Comment by helle vaanzinn (glitsj16) - Thursday, 08 August 2019, 22:35 GMT

Adding the below to a file in /etc/rkhunter.d should stop the false positive. When upstream changes lib numbering in the future, that file can simply be removed from the PKGBUILD to return to normal rkhunter functioning.

RTKT_FILE_WHITELIST=/lib/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/lib64/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/usr/lib/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/usr/lib64/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib64/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib64/libkeyutils.so.1.9

Comment by A. Bosch (progandy) - Tuesday, 13 August 2019, 20:02 GMT

It seems there was an SSHD rootkit in 2013 that used the name. That should be the reason for the entry in rkhunter.

https://www.webhostingtalk.com/showthread.php?t=1235797

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#63369 - [keyutils] RKhunter reports a possible rootkit

Details

Loading...