Bug#651119: rkhunter: False positives when checking running processes for suspicious files

Rory Campbell-Lange rory at campbell-lange.net
Mon Dec 5 21:52:34 UTC 2011 

Package: rkhunter
Version: 1.3.6-4
Severity: important


Processes that match any of the checked strings (noted after the colon after
"...were found") trigger rkhunter alerts.

For instance "/usr/bin/dbus-daemon --system" appears to trigger an alert.

 Warning: Checking running processes for suspicious files [ Warning ]
  Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava, tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3, system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer, holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write, Phantasmagoria.o, lkt.o, nlkt.o
           Check the output of the lsof command 'lsof -F n -w -n'
  
  One or more warnings have been found while checking the system.
  Please check the log file (/var/log/rkhunter.log)


-- System Information:
Debian Release: 6.0.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils               2.20.1-16         The GNU assembler, linker and bina
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  exim4                  4.72-6+squeeze2   metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [ma 4.72-6+squeeze2   lightweight Exim MTA (v4) daemon
ii  file                   5.04-5            Determines file type using "magic"
ii  net-tools              1.60-23           The NET-3 networking toolkit
ii  perl                   5.10.1-17squeeze2 Larry Wall's Practical Extraction 

Versions of packages rkhunter recommends:
ii  iproute                20100519-3        networking and traffic control too
ii  lsof                   4.81.dfsg.1-1     List open files
ii  perl [libdigest-sha-pe 5.10.1-17squeeze2 Larry Wall's Practical Extraction 
ii  unhide                 20100201-1        Forensic tool to find hidden proce
ii  wget                   1.12-2.1          retrieves files from the web

Versions of packages rkhunter suggests:
ii  bsd-mailx          8.1.2-0.20100314cvs-1 simple mail user agent
pn  tripwire           <none>                (no description available)

-- Configuration Files:
/etc/default/rkhunter changed [not included]
/etc/rkhunter.conf changed [not included]

-- debconf information:
  rkhunter/apt_autogen: false
  rkhunter/cron_daily_run:
  rkhunter/cron_db_update:

More information about the forensics-devel mailing list