LinuxQuestions.org
Ubuntu This forum is for the discussion of Ubuntu Linux.
Old 09-21-2015, 03:53 PM   #1
flyingpigs
LQ Newbie
 
Registered: Aug 2015
Posts: 4
rkhunter scan results


Hi guys,
I'm new to Ubuntu and I'm looking for some help.
I've scanned my Ubuntu with rkhunter and I have some concerning results:
Warning: The following processes are using deleted files:
Process: /sbin/init PID: 1 File: /var/log/upstart/systemd-logind.log.1
Process: /usr/sbin/cups-browsed PID: 1168 File: /etc/passwd
Process: /sbin/init PID: 2170 File: /home/pwn20wn/.cache/upstart/indicator-bluetooth.log.1
Process: /usr/lib/x86_64-linux-gnu/bamf/bamfdaemon PID: 2400 File: /home/pwn20wn/.local/share/gvfs-metadata/root
Process: /usr/lib/firefox/firefox PID: 2703 File: /var/tmp/etilqs_F4ZmiXL3Bx5CrjT
Process: /usr/bin/unity-scope-loader PID: 2959 File: /home/pwn20wn/.cache/software-center/software-center-agent.db/record.DB
Warning: Process '/sbin/wpa_supplicant' (PID 1167) is listening on the network.
Warning: Process '/sbin/dhclient' (PID 1349) is listening on the network.
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: /etc/.java: directory
Warning: Hidden directory found: /dev/.udev: directory
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
Warning: Application 'openssl', version '1.0.1f', is out of date, and possibly a security risk.
I would like to know if these are false positives or real threats and how to fix them.
Thank you very much!

Last edited by flyingpigs; 09-21-2015 at 03:59 PM.
 
Old 09-22-2015, 08:05 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55
One of the first things people should do is not run the software but read the README, FAQ and other documentation. In the case of RKH it clearly states where one should look (rkhunter-users mailing list archives) and ask (rkhunter-users mailing list)...


Quote:
Originally Posted by flyingpigs
Warning: The following processes are using deleted files:
Process: /sbin/init PID: 1 File: /var/log/upstart/systemd-logind.log.1
Process: /usr/sbin/cups-browsed PID: 1168 File: /etc/passwd
Common causes are log rotation, (temporary) file usage and such. From the file names in /home/pwn20wn/ it looks like a desktop environment session. Most importantly: any file still open on a file descriptor could be copied out and inspected if unsure (as in 'strings /path/to/file|less;' or somesuch).


Quote:
Originally Posted by flyingpigs
Warning: Process '/sbin/wpa_supplicant' (PID 1167) is listening on the network.
Warning: Process '/sbin/dhclient' (PID 1349) is listening on the network.
While file names or argv[0] aren't exactly good indicators (so verify using your package management features) these are common false positives.


Quote:
Originally Posted by flyingpigs
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
It's ASCII text. Read it and see.


Quote:
Originally Posted by flyingpigs
Warning: Hidden directory found: /etc/.java: directory
Warning: Hidden directory found: /dev/.udev: directory
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
"Hidden" here means a file name that starts with a dot. Old school. False positives most of the time.


Quote:
Originally Posted by flyingpigs
Warning: Application 'openssl', version '1.0.1f', is out of date, and possibly a security risk.
Check your distro's package info and know that using the RKH application version check was discouraged a long time ago. (The latter because we all like to use stuff. But help maintain it? No thanks...)
 
1 members found this post helpful.
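The reply above describes an assessment routine rather than a verdict: copy out files that are still open on a descriptor, verify a "listening" binary through package management instead of trusting its path, and read the distro's package version rather than rkhunter's upstream version check. The script below is an added example that does those steps; it is not rkhunter's code and not part of the original post. It assumes a Debian/Ubuntu host (dpkg, dpkg-query, dpkg --verify), the sample warning lines are constructed from the ones quoted in this thread, and all function names (parse_rkh_deleted, list_deleted_fds, save_deleted_fd, owning_package, package_version, triage) are the example's own.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: triage the "deleted files" and
# "listening on the network" warnings the way the reply above suggests.
# RKH_SAMPLE is constructed from the warnings quoted in the thread.

RKH_SAMPLE='Warning: The following processes are using deleted files:
Process: /sbin/init PID: 1 File: /var/log/upstart/systemd-logind.log.1
Process: /usr/sbin/cups-browsed PID: 1168 File: /etc/passwd
Process: /usr/lib/firefox/firefox PID: 2703 File: /var/tmp/etilqs_F4ZmiXL3Bx5CrjT'

# parse_rkh_deleted: read rkhunter output on stdin and print one
# "exe<TAB>pid<TAB>file" line per "Process: ... PID: ... File: ..." warning.
parse_rkh_deleted() {
    awk '$1 == "Process:" && $3 == "PID:" && $5 == "File:" {
            printf "%s\t%s\t%s\n", $2, $4, $6
         }'
}

# count_rkh_deleted: number of deleted-file warnings in the text on stdin.
count_rkh_deleted() {
    parse_rkh_deleted | awk 'END { print NR }'
}

# list_deleted_fds PID: print "fd<TAB>target" for every descriptor of PID whose
# target has been unlinked. The kernel appends " (deleted)" to the link text,
# so read the raw symlink (readlink, not readlink -f). Other users' PIDs need root.
list_deleted_fds() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *' (deleted)') printf '%s\t%s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# save_deleted_fd PID FD DEST: a file with no directory entry is still readable
# through the open descriptor, so copy it out and inspect it (strings DEST | less).
save_deleted_fd() {
    cat /proc/"$1"/fd/"$2" > "$3"
}

# owning_package PATH: which package shipped this path. argv[0] alone proves
# nothing, so also compare /proc/PID/exe with the path rkhunter printed.
owning_package() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available" >&2; return 1; }
    dpkg -S "$1" 2>/dev/null | awk -F: 'NR == 1 { print $1 }'
}

# verify_package PKG: compare installed files against the package's md5sums.
verify_package() {
    dpkg --verify "$1"
}

# package_version PKG: the distro version, e.g. 1.0.1f-1ubuntu2.x. Ubuntu
# backports security fixes without changing the upstream "1.0.1f" rkhunter sees.
package_version() {
    dpkg-query -W -f='${Version}\n' "$1" 2>/dev/null
}

# triage: walk the sample warnings; show what is still open and by which package.
triage() {
    printf '%s\n' "$RKH_SAMPLE" | parse_rkh_deleted |
    while IFS="$(printf '\t')" read -r exe pid file; do
        echo "== $exe (pid $pid) reported file: $file"
        if [ -d /proc/"$pid"/fd ]; then
            list_deleted_fds "$pid"
            [ "$(readlink /proc/"$pid"/exe 2>/dev/null)" = "$exe" ] ||
                echo "   /proc/$pid/exe does not match $exe"
        else
            echo "   pid $pid is not running on this host"
        fi
        owning_package "$exe" || true
    done
}
```

Run it as root on the scanned machine (`. ./rkh-triage.sh; triage; verify_package wpasupplicant; package_version openssl`). A descriptor whose target is a rotated log or a browser's temporary SQLite file is the benign case; a descriptor pointing at a deleted copy of a binary, or a /proc/PID/exe link that does not match the package-owned path, is what to save out and read.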
Old 09-24-2015, 02:46 PM   #3
flyingpigs
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Thank you very much for the help, unSpawn.
If I understand right these are false positives so nothing dangerous.
 
Old 09-25-2015, 04:40 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by flyingpigs
If I understand right these are false positives so nothing dangerous.
If you have properly hardened your machine, didn't unduly expose it and properly maintain and audit it then chances are slim these are anything but false positives. However that is not the point. The point is in knowing how to assess things. Start with the last 2 parts of the FAQ please?
 
1 members found this post helpful.