Hello.
I don't usually come here too often but rkhunter running via cron caught something weird today.
I forgot that running rkhunter more than once will overwrite the /var/log/rkhunter.log file (and I overwrote rkhunter.log.old as well), so unfortunately I don't have the necessary rkhunter logs.
This is on a Slackware system.
What I post next is from memory:
1. The rootkit "found" was called the "Volc" rootkit and it mentioned something about "divine" (based on the rkhunter logs I'm assuming it was talking about /usr/lib/volc/backdoor/divine).
2. The rkhunter message given in the previous rkhunter.log (the one that caught the supposed rootkit) said to use:
Code:
lsof -i # or
netstat -an
and that irssi may have been the source of the problem.
So afterwards...
1. The output of "lsof -i" just gave me firefox and irssi connections.
2. Searching for the string "irssi" or "firefox" in the output of "netstat -an" didn't give any results.
3. I /quit out of irssi.
4. Re-scanning (twice, hence my lack of the necessary log) produced 0 rootkit results.
5.
Didn't list anything.
So I guess my question is, should I have investigated further, and am I in the OK, because I honestly can't tell if this was a false positive (and I realize without logs it's hard to believe me)? What can/should I do further in case I am still affected (I went through the CERT checklist on archive.org)? Irssi seems to be okay. Restarting it didn't pick it up as a problem, nor did a reinstall of irssi (with the GPG key of the package verified) pick it up as a problem.
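Two things in the post above are worth turning into a repeatable check, as an added example that is not part of the original post or of rkhunter itself: keep a timestamped copy of /var/log/rkhunter.log before every rescan so a second run cannot destroy the evidence, and re-check the one Volc indicator path the poster names (/usr/lib/volc/backdoor/divine, plus its parent directory) independently of rkhunter. The function names, the archive directory and the constructed temp-dir "fake root" used for the demo are my assumptions; rkhunter's own full list of Volc indicators is not on this page, so the check below covers only the path the poster saw.

```shell
#!/bin/sh
# Added example (not from the original post or from rkhunter).
# Paths come from the post; function names and the archive dir are assumptions.

# Copy the current rkhunter log to a timestamped file so a rescan cannot
# overwrite it. $1 = log file, $2 = archive directory. Prints the copy's path.
archive_rkhunter_log() {
    log="$1"; dir="$2"
    [ -f "$log" ] || return 1
    mkdir -p "$dir" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$dir/rkhunter-$stamp.log"
    cp -p "$log" "$dest" && printf '%s\n' "$dest"
}

# Re-check the Volc path the poster saw, and its parent directory, under a
# root prefix ($1; use "" for the live system). Prints FOUND <path> for each
# hit and returns 1, or prints CLEAN and returns 0.
check_volc_indicator() {
    root="${1:-}"
    rc=0
    for p in /usr/lib/volc/backdoor/divine /usr/lib/volc; do
        if [ -e "$root$p" ]; then
            printf 'FOUND %s\n' "$root$p"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && printf 'CLEAN\n'
    return "$rc"
}

# Demo on a constructed fake root (a temp dir, not the live system) so the
# check can be seen firing offline; the indicator file is an empty placeholder.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib/volc/backdoor"
: > "$demo/usr/lib/volc/backdoor/divine"
check_volc_indicator "$demo" || echo "indicator present under $demo (expected for the demo)"
rm -rf "$demo"

# Live checks: a clean box prints CLEAN; the archive call is a no-op if there
# is no rkhunter log on this machine.
check_volc_indicator "" || echo "indicator present on the live system: investigate before rescanning"
archive_rkhunter_log /var/log/rkhunter.log /var/log/rkhunter-archive || echo "no rkhunter log to archive"
```

In the cron job, call `archive_rkhunter_log` before `rkhunter --cronjob` so every run's log survives; newer rkhunter versions also accept `--append-log`, which avoids the overwrite the poster ran into. Note that a rootkit can hide files from a simple `-e` test on a live system, so treat CLEAN from the live check as one data point, not a clean bill of health, and compare against the same check run from rescue media.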