Package: rkhunter
Version: 1.4.6-7
Severity: important
Hello and thanks for maintaining rkhunter in Debian!
After upgrading
[UPGRADE] libkeyutils1:amd64 1.6-6 -> 1.6.1-2
I get the following warning with
# rkhunter --sk -c
in /var/log/rkhunter.log:
Info: Starting test name 'running_procs'
Checking running processes for suspicious files [ Warning ]
Warning: The following processes are using suspicious files:
Command: sshd
UID: 0 PID: 7331
Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
Possible Rootkit: Spam tool component
As explained in [bug #951338], this looks like a false positive
triggered by just the filename.
[bug #951338]: <https://bugs.debian.org/951338>
Please fix this false positive, since getting a daily alert
from rkhunter for this is annoying.
Thanks for your time!
Bye.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rkhunter depends on:
ii binutils 2.34-2
ii debconf [debconf-2.0] 1.5.73
ii file 1:5.38-4
ii lsof 4.93.2+dfsg-1
ii net-tools 1.60+git20180626.aebd88e-1
ii perl 5.30.0-9
ii ucf 3.0038+nmu1
Versions of packages rkhunter recommends:
ii curl 7.67.0-2
ii e2fsprogs 1.45.5-2
ii exim4-daemon-light [mail-transport-agent] 4.93-10
ii iproute2 5.4.0-1
ii mailutils [mailx] 1:3.7-2
ii unhide 20130526-4
ii unhide.rb 22-4
ii wget 1.20.3-1+b2
Versions of packages rkhunter suggests:
ii liburi-perl 1.76-2
ii libwww-perl 6.43-1
pn powermgmt-base <none>
-- Configuration Files:
/etc/rkhunter.conf changed [not included]
-- debconf information:
rkhunter/apt_autogen: yes
rkhunter/cron_db_update: yes
rkhunter/cron_daily_run: yes
