FS#63369 - [keyutils] RKhunter reports a possible rootkit

Attached to Project: Arch Linux
Opened by Andrea Amorosi (AndreaA) - Monday, 05 August 2019, 06:41 GMT
Last edited by freswa (frederik) - Saturday, 22 February 2020, 20:50 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description:
After the upgrade when I run rkhunter, I get the following warnings:

Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
Command: sudo
UID: 0 PID: 4355
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component

Reverting to 1.6-1 solves the issue.


Additional info:
* package version(s) 1.6.1-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
This task depends upon

Closed by freswa (frederik)
Saturday, 22 February 2020, 20:50 GMT
Reason for closing: Not a bug
Comment by Christian Hesse (eworm) - Monday, 05 August 2019, 07:20 GMT
We had the same for keyutils 1.6... Looks like a false positive, again.
Comment by Christian Hesse (eworm) - Monday, 05 August 2019, 07:54 GMT
Looks like this is a different issue than last time. Uploaded the file to Virustotal, all good.

But rkhunter has a match on the plain file name "libkeyutils.so.1.9", see /usr/bin/rkhunter from line 9765. I guess any malicious software used that file name in the past.
Comment by helle vaanzinn (glitsj16) - Thursday, 08 August 2019, 22:35 GMT
Adding the below to a file in /etc/rkhunter.d should stop the false positive. When upstream changes lib numbering in the future, that file can simply be removed from the PKGBUILD to return to normal rkhunter functioning.

RTKT_FILE_WHITELIST=/lib/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/lib64/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/usr/lib/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/usr/lib64/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib64/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib64/libkeyutils.so.1.9
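The thread makes two points that are worth turning into a repeatable check: rkhunter fires on the bare file name, and a whitelist like the one above silences it for good. Before adding such a whitelist entry, a defender wants to confirm that each flagged file is actually the one the package shipped. The script below is an added example and is not part of this bug report or of rkhunter or keyutils. It parses the warning lines quoted in the report into flagged paths, compares each file's SHA-256 against a package manifest, and only emits whitelist lines for files that are owned and unmodified. The manifest, the fake filesystem root and the sample rkhunter output are all constructed for the demo; on a real Arch system the manifest would be built from the package database (the same file data `pacman -Qkk` verifies), and the function names are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample modelled on the rkhunter output quoted in the report.
SAMPLE_RKHUNTER_OUTPUT = """\
Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
Command: sudo
UID: 0 PID: 4355
Pathname: /usr/lib/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
"""

FOUND_RE = re.compile(r"^Found file '(?P<path>[^']+)'\. Possible rootkit: (?P<name>.+)$")
PATHNAME_RE = re.compile(r"^Pathname: (?P<path>\S+)$")
ROOTKIT_RE = re.compile(r"^Possible Rootkit: (?P<name>.+)$")


def flagged_paths(output: str) -> dict[str, set[str]]:
    """Map each path rkhunter flagged to the set of rootkit names it was matched against.

    'Found file' lines carry path and name together; the process check prints the
    path on a 'Pathname:' line and the name on the following 'Possible Rootkit:' line.
    """
    hits: dict[str, set[str]] = {}
    pending_path: str | None = None
    for line in output.splitlines():
        if m := FOUND_RE.match(line):
            hits.setdefault(m["path"], set()).add(m["name"].strip())
        elif m := PATHNAME_RE.match(line):
            pending_path = m["path"]
        elif (m := ROOTKIT_RE.match(line)) and pending_path:
            hits.setdefault(pending_path, set()).add(m["name"].strip())
            pending_path = None
    return hits


def sha256_of(file: Path) -> str:
    return hashlib.sha256(file.read_bytes()).hexdigest()


def verify_against_manifest(paths, manifest: dict[str, str], root: Path = Path("/")) -> dict[str, str]:
    """Classify each flagged absolute path against a package manifest (path -> sha256).

    'unowned'  : no package claims the file, so a name-based hit cannot be dismissed
    'missing'  : the package ships it but it is not on disk
    'modified' : on disk but its hash differs from what the package shipped
    'intact'   : owned and byte-identical to the packaged file (safe to whitelist)
    """
    verdicts = {}
    for p in sorted(paths):
        if p not in manifest:
            verdicts[p] = "unowned"
            continue
        on_disk = root / p.lstrip("/")
        if not on_disk.is_file():
            verdicts[p] = "missing"
        elif sha256_of(on_disk) == manifest[p]:
            verdicts[p] = "intact"
        else:
            verdicts[p] = "modified"
    return verdicts


def whitelist_entries(verdicts: dict[str, str]) -> list[str]:
    """Emit rkhunter whitelist lines (as in the comment above) only for intact files."""
    lines = []
    for p in sorted(p for p, v in verdicts.items() if v == "intact"):
        lines.append(f"RTKT_FILE_WHITELIST={p}")
        lines.append(f"EXCLUDE_USER_FILEPROP_FILES_DIRS={p}")
    return lines


def build_demo_root(root: Path) -> dict[str, str]:
    """Populate a constructed fake filesystem root and return the matching manifest."""
    good = b"\x7fELF constructed libkeyutils contents\n"  # constructed, not a real library
    manifest = {}
    for p in ("/lib/libkeyutils.so.1.9", "/usr/lib/libkeyutils.so.1.9"):
        f = root / p.lstrip("/")
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(good)
        manifest[p] = hashlib.sha256(good).hexdigest()
    # Tamper with one copy so the demo shows a hash mismatch; /lib64 is left unowned.
    (root / "usr/lib/libkeyutils.so.1.9").write_bytes(good + b"TAMPERED")
    return manifest


def run_demo() -> tuple[dict[str, str], list[str]]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        manifest = build_demo_root(root)
        verdicts = verify_against_manifest(flagged_paths(SAMPLE_RKHUNTER_OUTPUT), manifest, root)
        return verdicts, whitelist_entries(verdicts)


if __name__ == "__main__":
    verdicts, lines = run_demo()
    for path, verdict in verdicts.items():
        print(f"{verdict:9} {path}")
    print("\n".join(lines))
```

In the demo only `/lib/libkeyutils.so.1.9` ends up in the whitelist: the `/usr/lib` copy fails the hash comparison and `/lib64` is not in the manifest, so both stay visible to rkhunter. That is the property a whitelist should have: it suppresses the name match for the file the package shipped, not for whatever later lands under that name.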
Comment by A. Bosch (progandy) - Tuesday, 13 August 2019, 20:02 GMT
It seems there was an SSHD rootkit in 2013 that used the name. That should be the reason for the entry in rkhunter.

https://www.webhostingtalk.com/showthread.php?t=1235797
