LinuxQuestions.org

Linux - Security: rkhunter 1.4.2 volc rootkit found & then gone? (https://www.linuxquestions.org/questions/linux-security-4/rkhunter-1-4-2-volc-rootkit-found-and-then-gone-4175503651/)

TommyC7 05-01-2014 10:45 PM

rkhunter 1.4.2 volc rootkit found & then gone?
 
Hello.

I don't usually come here too often but rkhunter running via cron caught something weird today.

I forgot that running rkhunter more than once will overwrite the /var/log/rkhunter.log file (and I overwrote rkhunter.log.old as well), so unfortunately I don't have the necessary rkhunter logs.

This is on a Slackware system.

What I post next is from memory:

1. The rootkit "found" was called "Volc" rootkit and it mentioned something about "divine" (based on rkhunter.logs I'm assuming it was talking about /usr/lib/volc/backdoor/divine).

2. The rkhunter message given in the previous rkhunter.log (the one that caught the supposed rootkit) said to use:
Code:

lsof -i # or
netstat -an

and that irssi may have been the source of the problem.

So afterwards...

1. The output of "lsof -i" just gave me firefox and irssi connections.

2. Searching for the string "irssi" or "firefox" in the output of "netstat -an" didn't give any results.

3. I /quit out of irssi.

4. Re-scanning (twice, hence my lack of the necessary log) produced 0 rootkit results.

5.
Code:

netstat -plunt
Didn't list anything.

So I guess my question is, should I have investigated further and am I in the OK, because I honestly can't tell if this was a false positive (and I realize without logs it's hard to believe me)? What can/should I do further in case I am still affected (I went through the CERT checklist on archive.org)? Irssi seems to be okay. Restarting it didn't pick it up as a problem, nor did a reinstall of irssi (with the gpg key of the package verified) pick it up as a problem.

TommyC7 05-02-2014 11:30 AM

I apologize for double posting (and not waiting the 24 hour bump limit).

After further investigation it seems like a false positive and below is why I believe it to be so (please correct me if I'm wrong):

I did some more research and came upon rkhunter's database files, most notably -- $install_root/var/lib/rkhunter/db/backdoorports.dat

This line in particular stood out:
Code:

33369:Volc Rootkit SSH server (divine):TCP
Which produces this in rkhunter's log:
Code:

Warning: Network TCP port <port> is being used by <program>. Possible rootkit: Volc Rootkit SSH server (divine)
          Use the 'lsof -i' or 'netstat -an' command to check this.

The line from my memory.

For temporary testing I changed the line from port 33369 to something else that is currently in use and established. Lo and behold that program now becomes the "problem" and the possible rootkit is detected.

The Volc rootkit itself was not picked up by rkhunter, and if the system had been compromised (from http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)
Code:

However, a scan on an existing install will still reveal rootkits.
Therefore, is it safe to assume that this was a false positive (and that I got an unlucky port)?
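As an added example (not rkhunter's own code and not anything the poster ran), the following re-creates offline the port check the post above describes: a backdoorports.dat entry is matched on port and protocol alone against the local ports in netstat output, so whichever benign process happens to sit on a listed port is reported. Both the dat content and the netstat lines are constructed here; the irssi connection with local port 33369 is a hypothetical "unlucky port", and moving the entry to port 22 reproduces the poster's experiment.

```python
# Constructed sample in the backdoorports.dat format quoted above: port:description:protocol
BACKDOORPORTS_DAT = """\
# port:description:protocol
33369:Volc Rootkit SSH server (divine):TCP
"""

# Constructed 'netstat -pan'-style tcp/udp lines (hypothetical, not the poster's real system)
NETSTAT_PAN = """\
Proto Recv-Q Send-Q Local Address       Foreign Address      State        PID/Program name
tcp        0      0 0.0.0.0:22          0.0.0.0:*            LISTEN       812/sshd
tcp        0      0 192.0.2.10:33369    198.51.100.5:6667    ESTABLISHED  2041/irssi
udp        0      0 0.0.0.0:68          0.0.0.0:*                         640/dhcpcd
"""

def parse_backdoor_ports(text):
    """Map (port, proto) -> description; the description may itself contain ':'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, rest = line.split(":", 1)
        desc, proto = rest.rsplit(":", 1)
        table[(int(port), proto.upper())] = desc
    return table

def parse_sockets(text):
    """Return [(local_port, proto, program)] for each tcp/udp line of netstat -pan output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # skips the header line (and unix-socket lines)
        proto = fields[0][:3].upper()
        port = int(fields[3].rsplit(":", 1)[1])  # "192.0.2.10:33369" -> 33369
        program = fields[-1].split("/", 1)[-1]   # "2041/irssi" -> "irssi"
        sockets.append((port, proto, program))
    return sockets

def check_backdoor_ports(dat_text, netstat_text):
    """One rkhunter-style warning per process whose local port is listed. The match is
    on port and protocol only (no file evidence), so a benign program there is reported."""
    table = parse_backdoor_ports(dat_text)
    return [f"Warning: Network {proto} port {port} is being used by {program}. "
            f"Possible rootkit: {table[(port, proto)]}"
            for port, proto, program in parse_sockets(netstat_text)
            if (port, proto) in table]
```

Because the check carries no file-system evidence, the presence or absence of the files the signature describes is what confirms or clears the warning.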

unSpawn 05-03-2014 04:04 AM

Do note we're trying to enhance RKH with ClamAV signatures to be more effective scanning for "evidence". Right now it is an ongoing effort anyone could help with. But as traditional rootkit threats dwindle I do not intend to spend much time creating kernel 2.4 or kernel 2.6-era rootkit signs, though anyone could petition specific ones found right now via our Sourceforge bug tracker. So, if you didn't find evidence of file /usr/bin/volc and directory /usr/lib/volc but only the port then, yes, I'd mark that as a false positive.

TommyC7 05-03-2014 03:45 PM

Quote:

unSpawn:
But as traditional rootkit threats dwindle I do not intend to spend much time creating kernel 2.4 or kernel 2.6-era rootkit signs though anyone could petition specific ones found right now via our Sourceforge bug tracker.
Does the volc rootkit only affect Linux kernel versions 2.4 and 2.6? Otherwise I'm not quite sure why you brought those kernel versions up. If that is the case, I'm not on either of those kernel versions.

Quote:

So, if you didn't find evidence of file /usr/bin/volc and directory /usr/lib/volc but only the port then, yes, I'd mark that as a false positive.
I did not find evidence of either the file /usr/bin/volc or directory /usr/lib/volc by hand or via rkhunter.

unSpawn 05-03-2014 08:29 PM

Quote:

Originally Posted by TommyC7 (Post 5164039)
Does the volc rootkit only affect Linux kernel versions 2.4 and 2.6?

The kit never was shared with me so I don't know. If I had to guesstimate then I'd doubt it would run on 2.6 and up.


Quote:

Originally Posted by TommyC7 (Post 5164039)
I did not find evidence of either the file /usr/bin/volc or directory /usr/lib/volc by hand or via rkhunter.

Good.
