Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I put Linux Mint Cinnamon on my laptop and was just installing various software from the software manager. I installed rootkit hunter, ran it, and these were in the results.
File Properties Check
Suspect Properties: 1
Rootkit Checks
Possible Rootkits: 8
The FAQ for the software actually told me to check out here, so here I am.
Best advice is to check the rkhunter logs, look at what it "found" and make an educated decision after searching for those discoveries online. You can also log in to a tty and run rkhunter without your DE and programs running; oftentimes in newer versions of rkhunter, things will show up as large memory use and it's fine. Don't panic, it's probably false positives, research more....
You can also double check with chkrootkit and lynis.
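As an added example (not code from any post in this thread), the following shell functions do the first piece of that advice mechanically: they pull only the warning blocks out of an rkhunter log, so what it "found" can be read and researched without the hundreds of OK lines around it. The sample log is constructed to approximate rkhunter's layout (a `[HH:MM:SS]` prefix, with continuation lines indented), and the function names, the two warning texts and the paths in it are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: triage an rkhunter log by extracting
# its warning blocks. Assumes a POSIX awk and grep.

# Constructed sample approximating rkhunter's log layout; not a real log.
SAMPLE_LOG='[10:00:01] Info: Starting system checks
[10:00:02] Checking /usr/bin/ls                            [ OK ]
[10:00:03] Warning: The file properties have changed:
[10:00:03]          File: /usr/bin/ls
[10:00:03]          Current hash: 0123abcd (constructed)
[10:00:03]          Stored hash : 89efdead (constructed)
[10:00:04] Checking for hidden processes                   [ None found ]
[10:00:05] Warning: The following suspicious (large) shared memory segments have been found:
[10:00:05]          Process: /usr/bin/cinnamon    PID: 1234    Owner: user
[10:00:05]          Process: /usr/bin/Xorg        PID: 1000    Owner: root
[10:00:06] Info: End of system checks'

warnings_only() {
    # Reads a log on stdin and prints each "Warning:" line plus the indented
    # continuation lines that belong to it, with the timestamp prefix removed.
    # Every other line (OK results, Info lines) is dropped.
    awk '
        /^\[[0-9:]+\] Warning:/   { inwarn = 1; sub(/^\[[0-9:]+\] /, ""); print; next }
        inwarn && /^\[[0-9:]+\]  +/ { sub(/^\[[0-9:]+\] +/, "  "); print; next }
        { inwarn = 0 }
    '
}

count_warnings() {
    # Number of warning blocks on stdin (one per "Warning:" line).
    # "|| :" keeps a zero count from being reported as a failure by grep.
    grep -c '^\[[0-9:]*\] Warning:' || :
}

shared_memory_only() {
    # Exit 0 when every warning in the log text given as $1 is the large
    # shared-memory kind that this thread describes as a typical DE false
    # positive, so anything else still needs a human look.
    total=$(printf '%s\n' "$1" | count_warnings)
    shm=$(printf '%s\n' "$1" | grep -c 'Warning: The following suspicious (large) shared memory' || :)
    [ "$total" -gt 0 ] && [ "$total" -eq "$shm" ]
}

# Usage on a real system would be: warnings_only < /var/log/rkhunter.log
printf '%s\n' "$SAMPLE_LOG" | warnings_only
```

On the constructed sample, `warnings_only` prints two blocks and `shared_memory_only` reports false, because the file-properties warning on /usr/bin/ls is not a shared-memory warning and would need the cross-check against the package manager that later posts in this thread describe.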
Distribution: Slackware/Salix while testing others
Most likely, did it find any large shared memory segments? Those are almost always false positives, as rkhunter is really designed for servers and not workstations with DEs.
You can also run it as:
Code:
sudo rkhunter --rwo
This will only report warnings; that way you don't go blind reading the scrolls.
Distribution: Slackware/Salix while testing others
All good...that's why it reports as "possible rootkits". Always read the logs, then investigate; in this case it sees the DE programs as being suspicious since they are using a lot of shared memory. However, as long as you used the official repos then you're good. Note:
Code:
sudo rkhunter --help
is beneficial as well.
Lynis is a much more comprehensive hunter than just rkhunter alone, and it also has the nifty benefit of making suggestions on how to harden/secure your system.
Rkhunter is an anomaly-based checker, meaning that it will search for the last known good properties of a file (ctime, atime, mtime, sha256 hash, etc.) from the baseline which you would make with the "--propupd" command, hopefully before your first run of Rkhunter post-install.
It will interpret any deviations as a warning. Your job is to determine whether those deviations are benign (from a package update that you commanded via apt-get) or something else.
If it finds files that you're still unsure about, or can't remember updating, you can cross-check their Rkhunter "current checksum" with the stat command and the update history logs.
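To make the "baseline then compare" idea in the post above concrete, here is an added example (not rkhunter's code and not from this thread) of a minimal file-properties check: `propupd` records a baseline of hash and timestamps for every file under a directory, `check_props` reports every deviation from it the way rkhunter reports warnings, and `explain_change` gathers the evidence the post says to weigh for one warned path (its stat output, its owning package and whether the apt history mentions that package). The function names, the record layout and the baseline file are assumptions; GNU coreutils (`sha256sum`, `stat --printf`) and a POSIX awk are assumed, and the package lookup is Debian/Mint-specific and skipped elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter: a minimal version of
# the file-properties check described above. Assumes GNU coreutils and awk.

snapshot() {
    # Print one record per regular file under $1:
    # path<TAB>sha256<TAB>size<TAB>mtime<TAB>ctime (epoch seconds)
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        props=$(stat --printf '%s\t%Y\t%Z' "$f")
        printf '%s\t%s\t%s\n' "$f" "$sum" "$props"
    done
}

propupd() {
    # $1 = directory, $2 = baseline file (our stand-in for rkhunter's own
    # stored properties). Run right after a clean install or a trusted update,
    # which is what the post above recommends for --propupd.
    snapshot "$1" > "$2"
}

check_props() {
    # $1 = directory, $2 = baseline file.
    # Prints "Warning: <path> (<reason>)" per deviation; exit 1 if any, else 0.
    # A changed hash is reported first; unchanged content with changed
    # timestamps (e.g. a chmod/chown touched ctime) is reported separately.
    cur=$(mktemp)
    snapshot "$1" > "$cur"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $0; next }          # baseline records
        {
            seen[$1] = 1
            if (!($1 in base)) { print "Warning: " $1 " (not in baseline)"; w++; next }
            split(base[$1], b, "\t")
            if (b[2] != $2)                    { print "Warning: " $1 " (hash changed)"; w++ }
            else if (b[4] != $4 || b[5] != $5) { print "Warning: " $1 " (timestamps changed, content same)"; w++ }
        }
        END {
            for (p in base) if (!(p in seen)) { print "Warning: " p " (missing)"; w++ }
            exit (w > 0)
        }' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

explain_change() {
    # Evidence for one warned path: current properties from stat, the owning
    # package (Debian/Mint only, skipped when dpkg is absent) and any apt
    # history lines mentioning that package, so a benign update is recognisable.
    stat -c '%n: %s bytes, mtime %y, ctime %z' "$1"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] && grep -h "$pkg" /var/log/apt/history.log 2>/dev/null
    fi
    return 0
}

# Usage: propupd /usr/bin baseline.txt  (once, on a trusted system), later
#        check_props /usr/bin baseline.txt && echo "no deviations"
```

Note that a package upgrade via apt changes hash, size and timestamps together, while a permission change alone moves only ctime; both show up as warnings, and only the cross-check in `explain_change` tells them apart, which is the judgement the post leaves to you.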
A bit late, but also consider that RKH is a post-incident anomaly checker, meaning 0) you should use it as part of a hardened setup as per SANS / CISecurity / OWASP / common sense / your distro's pointers, and 1) you should not rely on RKH as your sole instrument for detecting anomalies but include "early warning" tools, be it Samhain in daemon mode, audit daemon, et cetera. Also consider that RKH hasn't been updated and released by John or me in -=[ ages ]=-.