LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-19-2019, 05:59 PM   #1
Chrislw324
Member
 
Registered: Oct 2018
Posts: 40

Rep: Reputation: Disabled
Rootkit Hunter tells me I have possible rootkits


I put Linux Mint Cinnamon on my laptop and was just installing various software from the software manager. I installed rootkit hunter, ran it, and these were in the results.

File Properties Check
Suspect Properties: 1

Rootkit Checks
Possible Rootkits: 8



The FAQ for the software actually told me to check out here, so here I am.



FAQ
https://sourceforge.net/p/rkhunter/r...tree/files/FAQ
 
Old 04-19-2019, 06:05 PM   #2
freemedia2018
Member
 
Registered: Mar 2019
Distribution: various automated remasters
Posts: 216

Rep: Reputation: 208
How did you get so many?

Which ones were they?

Guessing some are false positives. That or you're pretty hosed.
 
Old 04-19-2019, 06:16 PM   #3
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Rep: Reputation: 1857
rkhunter is notorious for false positives, especially the 1.4.6 version.

https://help.ubuntu.com/community/RKhunter
https://www.linuxquestions.org/quest...hunter-780043/
https://www.linuxquestions.org/quest...ts-4175626755/

Best advice is to check the rkhunter logs, look at what it "found" and make an educated decision after searching for those discoveries online. You can also log in to a tty and run rkhunter without your DE and programs running; oftentimes in newer versions of rkhunter, things will show up as large memory use and it's fine. Don't panic, it's probably false positives, research more....

You can also double check with chkrootkit and lynis.

Code:
sudo apt install chkrootkit lynis && sudo chkrootkit && sudo lynis audit system

Last edited by ChuangTzu; 04-19-2019 at 06:23 PM.
 
Old 04-19-2019, 06:42 PM   #4
Chrislw324
Member
 
Registered: Oct 2018
Posts: 40

Original Poster
Rep: Reputation: Disabled
I ran it again. This time 1 suspect file but only 5 "rootkits"


Checking for hidden files and directories: [WARNING]
hidden directory found /etc/.java



Some of the warnings I found in the log:
/usr/bin/lwp-request

[19:15:24] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

[19:15:27] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check. (a few more of this kind)


I assume these are false positives?
chkrootkit found nothing

Last edited by Chrislw324; 04-19-2019 at 06:45 PM.
 
Old 04-19-2019, 06:50 PM   #5
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Rep: Reputation: 1857
Most likely. Did it find any large shared memory segments? Those are almost always false positives, as rkhunter is really designed for servers and not workstations with DEs.

You can also run it as:
Code:
sudo rkhunter --rwo
Which will only report warnings, that way you don't go blind reading the scrolls.

Last edited by ChuangTzu; 04-19-2019 at 06:52 PM.
 
Old 04-19-2019, 06:53 PM   #6
Chrislw324
Member
 
Registered: Oct 2018
Posts: 40

Original Poster
Rep: Reputation: Disabled
It did:

Info: Starting test name 'ipc_shared_mem'
[19:15:57] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[19:15:57] Checking for suspicious (large) shared memory segments [ Warning ]
[19:15:57] Warning: The following suspicious (large) shared memory segments have been found:
[19:15:57] Process: /usr/bin/mate-panel PID: 1448 Owner: chris Size: 4.0MB (configured size allowed: 1.0MB)
[19:15:57] Process: /usr/bin/caja PID: 1452 Owner: chris Size: 4.0MB (configured size allowed: 1.0MB)
[19:15:57] Process: /usr/bin/caja PID: 1452 Owner: chris Size: 64MB (configured size allowed: 1.0MB)
[19:15:57] Process: /usr/bin/nm-applet PID: 1478 Owner: chris Size: 4.0MB (configured size allowed: 1.0MB)
[19:15:57] Process: /usr/bin/mate-terminal PID: 15297 Owner: chris Size: 4.0MB (configured size allowed: 1.0MB)
 
Old 04-19-2019, 06:56 PM   #7
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Rep: Reputation: 1857
All good...that's why it reports them as "possible rootkits". Always read the logs, then investigate. In this case it sees the DE programs as being suspicious since they are using a lot of shared memory; however, as long as you used the official repos then you're good. Note:
Code:
sudo rkhunter --help
is beneficial as well.

Lynis is a much more comprehensive hunter than just rkhunter alone, and it also has the nifty benefit of making suggestions on how to harden/secure your system.
Code:
sudo lynis audit system

Last edited by ChuangTzu; 04-19-2019 at 06:57 PM.
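The shared-memory warnings quoted above are easier to triage once they are parsed out of the log. As an added example (my own code, not rkhunter's and not from anyone in this thread), the script below reads the ipc_shared_mem lines in the format shown, pulls out the configured minimum and each segment's process, PID, owner and size, and then splits the segments into ones explained by a package-owned desktop binary and ones still worth a look. The set of package-owned paths is an assumed input you would obtain from your package manager (e.g. `dpkg -S`), and ALLOWIPCPROC is assumed to be the matching rkhunter.conf whitelist option, as in the sample config shipped with 1.4.x; check your own copy.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format rkhunter writes to its log (copied from the
# lines quoted in this thread); the Info line carries the configured minimum.
SAMPLE_LOG = """\
[19:15:57] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[19:15:57] Warning: The following suspicious (large) shared memory segments have been found:
[19:15:57] Process: /usr/bin/mate-panel PID: 1448 Owner: chris Size: 4.0MB (configured size allowed: 1.0MB)
[19:15:57] Process: /usr/bin/caja PID: 1452 Owner: chris Size: 64MB (configured size allowed: 1.0MB)
[19:15:57] Process: /usr/bin/nm-applet PID: 1478 Owner: chris Size: 4.0MB (configured size allowed: 1.0MB)
"""
THRESHOLD_RE = re.compile(r"segment size to be checked \(in bytes\):\s+(\d+)")
SEGMENT_RE = re.compile(r"Process:\s+(?P<path>\S+)\s+PID:\s+(?P<pid>\d+)\s+Owner:\s+(?P<owner>\S+)"
                        r"\s+Size:\s+(?P<size>[\d.]+)(?P<unit>[KMG]?B)")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

@dataclass
class Segment:
    path: str
    pid: int
    owner: str
    size_bytes: int

def parse_log(log_text):
    """Return (threshold_bytes, [Segment, ...]) from the ipc_shared_mem test output."""
    threshold, segments = None, []
    for line in log_text.splitlines():
        t = THRESHOLD_RE.search(line)
        if t:
            threshold = int(t.group(1))
        m = SEGMENT_RE.search(line)
        if m:
            size = int(float(m["size"]) * UNIT[m["unit"]])
            segments.append(Segment(m["path"], int(m["pid"]), m["owner"], size))
    return threshold, segments

def triage(segments, package_owned, desktop_user):
    """Split into 'explained' (binary vouched for by the package manager, e.g. via
    `dpkg -S <path>`, and owned by the logged-in desktop user) and 'check'.
    package_owned is supplied by the caller; nothing here queries dpkg itself."""
    explained = [s for s in segments if s.path in package_owned and s.owner == desktop_user]
    return explained, [s for s in segments if s not in explained]

def allow_lines(explained):
    """rkhunter.conf lines whitelisting the explained processes (ALLOWIPCPROC is
    assumed to take one path per line, as in the sample rkhunter.conf for 1.4.x)."""
    return ["ALLOWIPCPROC=%s" % p for p in sorted({s.path for s in explained})]
```

Anything left in the 'check' list is not necessarily bad, but it is the part that deserves the "search for it online" step recommended above rather than a blanket whitelist.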
 
Old 04-19-2019, 07:06 PM   #8
Chrislw324
Member
 
Registered: Oct 2018
Posts: 40

Original Poster
Rep: Reputation: Disabled
Thanks guys. Appreciate it
 
Old 04-20-2019, 12:10 PM   #9
RickDeckard
Member
 
Registered: Jan 2014
Location: Canton, Georgia, USA
Distribution: Debian 12
Posts: 205

Rep: Reputation: Disabled
Those false positives are by design.

Rkhunter is an anomaly-based checker, meaning that it will search for last known good properties of a file (ctime,atime,mtime,sha256 hash etc) from the baseline which you would make with the "--propupd" command. Hopefully before your first run of Rkhunter post-install.

It will interpret any deviations as a warning. Your job is to determine whether those deviations are benign (from a package update that you commanded via apt-get) or something else.

If it finds files that you're still unsure about or can't remember updating, you can cross-check their Rkhunter "current checksum" with the stat command and update history logs.
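To make the baseline-and-deviation idea concrete, here is an added example (my own code, not rkhunter's implementation and not from anyone in this thread) of what a `--propupd`-style baseline records and how a later check reports which properties drifted. The `demo()` function builds a constructed scenario in a temporary directory: a fake ELF file is baselined and then overwritten by a Perl script, which is the same shape of change as the lwp-request "replaced by a script" warning quoted earlier; the file name and contents are made up for the demo.

```python
import hashlib
import os
import stat
import tempfile

PROPS = ("size", "mode", "uid", "gid", "mtime", "ctime", "sha256", "kind")

def file_kind(head):
    """Coarse type from the magic bytes; a baseline 'elf' that turns into
    'script' is what rkhunter's 'has been replaced by a script' warning flags."""
    return "elf" if head.startswith(b"\x7fELF") else "script" if head.startswith(b"#!") else "other"

def snapshot(path):
    """The properties a --propupd-style baseline records. atime is deliberately
    left out: merely hashing the file can update it, which would be pure noise."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
            "sha256": hashlib.sha256(data).hexdigest(), "kind": file_kind(data[:4])}

def compare(baseline):
    """Map each path to the list of properties that deviate from the baseline."""
    report = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            report[path] = ["missing"]
            continue
        new = snapshot(path)
        changed = [k for k in PROPS if old[k] != new[k]]
        if changed:
            report[path] = changed
    return report

def demo():
    """Constructed scenario: a fake ELF binary is baselined, then overwritten by a
    Perl script, as in the lwp-request warning quoted earlier in the thread."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "lwp-request")      # made-up path, not a system file
        with open(target, "wb") as f:
            f.write(b"\x7fELF" + b"\0" * 60)
        baseline = {target: snapshot(target)}
        untouched = compare(baseline)                 # nothing changed yet -> {}
        with open(target, "wb") as f:
            f.write(b"#!/usr/bin/perl\nprint 'not the original';\n")
        return untouched, compare(baseline)[target]
```

On a Debian-based system the package manager offers the same cross-check for real files: `dpkg --verify` (or `debsums -c`) lists files whose checksum no longer matches the installed package, and /var/log/apt/history.log shows whether an upgrade explains the change.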
 
Old 05-04-2019, 04:56 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Bit late, but also consider RKH is a post-incident anomaly checker, meaning 0) you should use it as part of a hardened setup as per SANS / Cisecurity / OWASP / common sense / your distro's pointers and 1) you should not rely on RKH as your sole instrument for detecting anomalies but include "early warning" tools, be it Samhain in daemon mode, audit daemon, et cetera. Also consider RKH hasn't been updated and released by John or me in -=[ ages ]=-.
 
  

