LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-28-2018, 07:45 PM   #1
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix, FreeBSD
Posts: 1,065

Rep: Reputation: 825
Problems with rkhunter 1.4.6


Just an FYI, in case anyone runs rkhunter 1.4.6.

I noticed what is most likely a bug that is reproducible on various distros (yes I will submit the info to the dev., if possible).

When running rkhunter -c (even after --propupd) it will report finding between 2-8 rootkits, depending on the distro (Slackware 14.2, Salix 14.2, Debian 9 and Ubuntu 18.04 and derivatives). Note: Debian version is 1.4.2-6+deb9u1, but produces same results. *Clarify: 1.4.2-6 on Debian 9 does not produce these results, however, 1.4.6-2 from Debian 10 Buster/testing does.*

After downgrading to version 1.4.0, it reports 0 rootkits on the same distros and same machines. Results are the same whether run from liveCD, VM or bare metal. There must be a setting or something with v. 1.4.6 that is throwing up more false positives than usual.

Anyone else notice this?

Added: Bug report submitted.

Last edited by ChuangTzu; 05-29-2018 at 03:32 PM. Reason: added clarify **
 
Old 05-29-2018, 10:53 AM   #2
luizlmarins
LQ Newbie
 
Registered: Nov 2012
Location: São Paulo
Distribution: Debian
Posts: 9
Blog Entries: 1

Rep: Reputation: Disabled
Also ... rkhunter shows the Evince pdf reader as rootkit.
 
Old 05-29-2018, 11:24 AM   #3
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: CentOS at the time of this writing, but some others over the years too...
Posts: 2,025

Rep: Reputation: 923
Quote:
Originally Posted by ChuangTzu View Post
Just an FYI, in case anyone runs rkhunter 1.4.6.

I noticed what is most likely a bug that is reproducible on various distros (yes I will submit the info to the dev., if possible).

When running rkhunter -c (even after --propupd) it will report finding between 2-8 rootkits, depending on the distro (Slackware 14.2, Salix 14.2, Debian 9 and Ubuntu 18.04 and derivatives). Note: Debian version is 1.4.2-6+deb9u1, but produces same results.

After downgrading to version 1.4.0, it reports 0 rootkits on the same distros and same machines. Results are the same whether run from liveCD, VM or bare metal. There must be a setting or something with v. 1.4.6 that is throwing up more false positives than usual.

Anyone else notice this?

Added: Bug report submitted.
Well, -1 for CentOS 7.4, as nope, not on my system it doesn't;

Code:
[root@jamespc ~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 176 files, found 136
Code:
[output snipped]
System checks summary
=====================

File properties checks...
    Files checked: 136
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 503
    Possible rootkits: 0
CentOS 7.4 wins!
 
Old 05-29-2018, 01:09 PM   #4
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,480

Rep: Reputation: 997
Rkhunter is an advisory program. It's up to the user to check whether it's correct. And, in MHO, rkhunter is just a step above hucksterism.
 
1 members found this post helpful.
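The thread turns on two things: the "System checks summary" that rkhunter prints at the end of rkhunter -c (post #3 shows the clean case), and post #4's point that the tool is advisory, so whatever it flags still has to be checked by hand. The script below is an added example written for this page, not code from the rkhunter project or from any poster. It parses a summary in the format shown in post #3 into a clean/review verdict, and pulls the file paths out of Warning lines so they can be compared against the package manager (rpm -V, dpkg -V or the distro's equivalent) before anyone concludes a rootkit is present. Both the summary text and the warning lines embedded here are constructed samples; the exact wording of real warning lines varies by check, and running rkhunter itself (for example rkhunter -c --sk, with --sk to skip the keypress prompts) and feeding its output to these functions is assumed rather than done here.

```shell
#!/bin/sh
# Added example: turn rkhunter's end-of-run summary into something a cron
# wrapper can act on, and list the paths behind its warnings for triage.
# Everything below is self-contained; no rkhunter binary is required.

# Constructed summary in the layout rkhunter prints (see post #3), with
# non-zero counts so the "review" path is exercised.
SAMPLE_SUMMARY='System checks summary
=====================

File properties checks...
    Files checked: 136
    Suspect files: 2

Rootkit checks...
    Rootkits checked : 503
    Possible rootkits: 3
'

# Constructed clean summary, matching the CentOS 7.4 result in post #3.
CLEAN_SUMMARY='System checks summary
=====================

File properties checks...
    Files checked: 136
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 503
    Possible rootkits: 0
'

# Constructed warning lines in the general style of rkhunter's log.
# Illustrative only: real messages differ per check.
SAMPLE_WARNINGS='[12:00:01] Warning: The file properties have changed: File: /usr/bin/evince
[12:00:01] Warning: The file properties have changed: File: /usr/bin/lwp-request
[12:00:02]   Checking for hidden files [ None found ]
[12:00:03] Warning: The file properties have changed: File: /usr/bin/evince'

# rkh_count LABEL  (summary on stdin)
# Prints the integer after "LABEL:" and fails if the label is absent.
# The pattern tolerates the stray space in "Rootkits checked : 503".
rkh_count() {
    n=$(sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1)
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# rkh_verdict  (summary on stdin)
# Prints "clean" only when both suspect files and possible rootkits are 0;
# prints "review" otherwise and returns 2 if the summary is unparseable,
# so a truncated or missing summary is never mistaken for a clean run.
rkh_verdict() {
    text=$(cat)
    rk=$(printf '%s\n' "$text" | rkh_count 'Possible rootkits') || return 2
    sf=$(printf '%s\n' "$text" | rkh_count 'Suspect files') || return 2
    if [ "$rk" -eq 0 ] && [ "$sf" -eq 0 ]; then
        echo clean
    else
        echo review
    fi
}

# rkh_warning_paths  (log text on stdin)
# Prints each absolute path mentioned on a "Warning:" line, once, sorted.
# This is the list to verify against the package database before trusting
# the "rootkit" label, which is where the thread's false positives show up.
rkh_warning_paths() {
    grep 'Warning:' | grep -o '/[^[:space:]]*' | sort -u
}

# Stand-alone demonstration on the constructed samples.
main() {
    printf 'sample summary verdict: %s\n' "$(printf '%s\n' "$SAMPLE_SUMMARY" | rkh_verdict)"
    printf 'clean summary verdict:  %s\n' "$(printf '%s\n' "$CLEAN_SUMMARY" | rkh_verdict)"
    echo 'paths to triage:'
    printf '%s\n' "$SAMPLE_WARNINGS" | rkh_warning_paths
}

# Only run the demo when executed directly, not when sourced for its functions.
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || main
```

In practice the summary comes from the tail of rkhunter -c output and the warning lines from /var/log/rkhunter.log; a non-zero verdict is a prompt to run the package manager's verification on each listed path, and a path that the package database confirms unchanged is a candidate false positive rather than a compromise.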