Package: rkhunter
Version: 1.4.6-8
Severity: important

Dear Maintainer,
I'm getting a warning about a possible 'Spanish' Rootkit due to the file '/bin/server':

System checks summary
=====================
File properties checks...
Files checked: 139

[17:18:26] Running Rootkit Hunter version 1.4.6 on r5
[17:18:26]
[17:18:26] Info: Start date is Sat 28 Mar 2020 05:18:26 PM CET
[...]
[17:20:11] Checking for directory '/usr/share/...' [ Not found ]
[17:20:11] Warning: 'Spanish' Rootkit [ Warning ]
[17:20:11] File '/bin/server' found
[17:20:11]
[17:20:11] Checking for Suckit Rootkit...
[17:20:11] Checking for file '/sbin/initsk12' [ Not found ]
[...]
[17:24:39] System checks summary
[17:24:39] =====================
[17:24:39]
[17:24:39] File properties checks...
[17:24:39] Files checked: 139
[17:24:39] Suspect files: 3
[17:24:39]
[17:24:39] Rootkit checks...
[17:24:39] Rootkits checked : 478
[17:24:39] Possible rootkits: 25
[17:24:39] Rootkit names : 'Spanish' Rootkit
[17:24:39]
[17:24:39] Applications checks...
[17:24:39] All checks skipped
[17:24:39]
[17:24:39] The system checks took: 6 minutes and 12 seconds
[17:24:39]
[17:24:39] Info: End date is Sat 28 Mar 2020 05:24:39 PM CET

I also uploaded the executable to virustotal.com:
https://www.virustotal.com/gui/file/a1deab0758d3ef2975626ab4b43e7594d61fefa67e1c17be78e57405006f63e0/detection

So far it seems ok, but I am also unable to find the exact package it belongs to:

~# dpkg -S /bin/server
dpkg-query: no path found matching pattern /bin/server

Maybe due to usrmerge? (https://wiki.debian.org/UsrMerge)

~# dpkg -S /sbin/server
dpkg-query: no path found matching pattern /sbin/server
~# dpkg -S /lib/server
dpkg-query: no path found matching pattern /lib/server
~# dpkg -S /usr/bin/server
golang-golang-x-tools: /usr/bin/server
~# dpkg -S /usr/sbin/server
dpkg-query: no path found matching pattern /usr/sbin/server
~# dpkg -S /usr/lib/server
dpkg-query: no path found matching pattern /usr/lib/server

Thanks in advance!
xiscu

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (10, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rkhunter depends on:
ii  binutils               2.34-5
ii  debconf [debconf-2.0]  1.5.73
ii  file                   1:5.38-4
ii  lsof                   4.93.2+dfsg-1
ii  net-tools              1.60+git20180626.aebd88e-1
ii  perl                   5.30.0-9
ii  ucf                    3.0038+nmu1

Versions of packages rkhunter recommends:
ii  bsd-mailx [mailx]                         8.1.2-0.20180807cvs-1+b1
ii  curl                                      7.68.0-1
ii  e2fsprogs                                 1.45.6-1
ii  exim4-daemon-light [mail-transport-agent] 4.93-13
ii  iproute2                                  5.5.0-1
pn  unhide                                    <none>
pn  unhide.rb                                 <none>
ii  wget                                      1.20.3-1+b2

Versions of packages rkhunter suggests:
ii  liburi-perl     1.76-2
ii  libwww-perl     6.43-1
pn  powermgmt-base  <none>

-- Configuration Files:
/etc/logcheck/ignore.d.server/rkhunter [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/rkhunter'
/etc/rkhunter.conf changed:
UPDATE_MIRRORS=0
MIRRORS_MODE=1
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
UPDATE_LANG="en"
LOGFILE=/var/log/rkhunter.log
USE_SYSLOG=authpriv.warning
AUTO_X_DETECT=1
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan deleted_files packet_cap_apps apps
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/sbin/adduser
ALLOWIPCPROC=/usr/bin/firefox
WEB_CMD="/bin/false"
INSTALLDIR=/usr

-- debconf information:
* rkhunter/cron_db_update: true
* rkhunter/cron_daily_run: true
* rkhunter/apt_autogen: true
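The report above shows the usual dead end on a merged-/usr system: rkhunter flags a file by the spelling it scans (/bin/server), while dpkg only knows the spelling the package shipped (/usr/bin/server), so `dpkg -S` on the flagged path answers "no path found". The helpers below, an added example that is neither part of the bug report nor code from rkhunter or dpkg, query every usrmerge spelling of a path, and then go one step further than the report does: they compare the binary on disk against the checksum the owning package recorded, which is the check that actually tells you whether /usr/bin/server is still the file golang-golang-x-tools installed. Assumptions: dpkg keeps its per-package checksum lists under /var/lib/dpkg/info/<pkg>[:<arch>].md5sums as lines of the form `<md5>  <relative path>`, and `dpkg -S` prints `pkg[:arch]: /path`; the DPKG_INFO override, the function names and the sample md5sums content are mine.

```shell
#!/bin/sh
# Added example (not from the bug report, rkhunter or dpkg).
# On a merged-/usr (usrmerge) Debian system /bin, /sbin and /lib* are symlinks into
# /usr, but dpkg's database records only the path each package shipped, so
# `dpkg -S` on the other spelling reports nothing. These helpers try every spelling
# and then compare the file on disk with the checksum the owning package recorded.
# Assumed layout: $DPKG_INFO/<pkg>[:<arch>].md5sums with lines "<md5>  <relative path>".

DPKG_INFO=${DPKG_INFO:-/var/lib/dpkg/info}

# usrmerge_aliases PATH: print PATH and, if it lives in a merged directory, its twin.
usrmerge_aliases() {
    printf '%s\n' "$1"
    case "$1" in
        /bin/*|/sbin/*|/lib/*|/lib32/*|/lib64/*|/libx32/*)
            printf '/usr%s\n' "$1" ;;
        /usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/lib32/*|/usr/lib64/*|/usr/libx32/*)
            printf '%s\n' "${1#/usr}" ;;
    esac
}

# dpkg_owner PATH: run `dpkg -S` over every alias; print the owning package of the first hit.
# `dpkg -S` prints "pkg: /path" or "pkg:arch: /path"; keep only the package name.
dpkg_owner() {
    for cand in $(usrmerge_aliases "$1"); do
        if owner=$(dpkg -S "$cand" 2>/dev/null); then
            printf '%s\n' "${owner%%:*}"
            return 0
        fi
    done
    return 1
}

# recorded_md5 MD5SUMS_FILE PATH: print the md5 recorded for any alias of PATH.
# The .md5sums files store relative paths ("usr/bin/server"), hence the stripped slash.
recorded_md5() {
    for cand in $(usrmerge_aliases "$2"); do
        hash=$(awk -v want="${cand#/}" '$2 == want { print $1; exit }' "$1")
        if [ -n "$hash" ]; then
            printf '%s\n' "$hash"
            return 0
        fi
    done
    return 1
}

# verify_against_package PATH: find the owner, then compare the on-disk md5 with the
# recorded one. Exit status: 0 match, 1 no owner, 2 no checksum recorded, 3 mismatch.
verify_against_package() {
    pkg=$(dpkg_owner "$1") || { echo "$1: not owned by any package"; return 1; }
    for f in "$DPKG_INFO/$pkg".md5sums "$DPKG_INFO/$pkg":*.md5sums; do
        [ -r "$f" ] || continue
        if want=$(recorded_md5 "$f" "$1"); then
            have=$(md5sum "$1" | awk '{ print $1 }')
            if [ "$have" = "$want" ]; then
                echo "$1: matches $pkg ($want)"
                return 0
            fi
            echo "$1: MISMATCH with $pkg (recorded $want, on disk $have)"
            return 3
        fi
    done
    echo "$1: owned by $pkg but no checksum recorded"
    return 2
}

# Usage: sh verify-owner.sh /bin/server
if [ -n "$1" ]; then
    verify_against_package "$1"
fi
```

Two caveats a practitioner would want alongside this. First, a matching md5 only tells you the file is what the package shipped; it is no protection against a tampered package database or a kernel-level rootkit hiding the real file, which is why rkhunter keeps its own file-properties database and why `dpkg -V <pkg>` (which performs the same md5sums comparison over the whole package) should be run from a trusted rescue environment if the box is genuinely suspect. Second, a package owning a file named `server` does not make the rkhunter hit wrong so much as uninformative: the check fires on the name, so the useful evidence is the package provenance and checksum, not the warning itself.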