Package: rkhunter
Version: 1.4.6-8
Severity: important
Dear Maintainer,
I'm getting a warning about a possible 'Spanish' Rootkit due to the
file '/bin/server':
[17:18:26] Running Rootkit Hunter version 1.4.6 on r5
[17:18:26]
[17:18:26] Info: Start date is Sat 28 Mar 2020 05:18:26 PM CET
[...]
[17:20:11] Checking for directory '/usr/share/...' [ Not found ]
[17:20:11] Warning: 'Spanish' Rootkit [ Warning ]
[17:20:11] File '/bin/server' found
[17:20:11]
[17:20:11] Checking for Suckit Rootkit...
[17:20:11] Checking for file '/sbin/initsk12' [ Not found ]
[...]
[17:24:39] System checks summary
[17:24:39] =====================
[17:24:39]
[17:24:39] File properties checks...
[17:24:39] Files checked: 139
[17:24:39] Suspect files: 3
[17:24:39]
[17:24:39] Rootkit checks...
[17:24:39] Rootkits checked : 478
[17:24:39] Possible rootkits: 25
[17:24:39] Rootkit names : 'Spanish' Rootkit
[17:24:39]
[17:24:39] Applications checks...
[17:24:39] All checks skipped
[17:24:39]
[17:24:39] The system checks took: 6 minutes and 12 seconds
[17:24:39]
[17:24:39] Info: End date is Sat 28 Mar 2020 05:24:39 PM CET
and uploaded the executable to virustotal.com:
https://www.virustotal.com/gui/file/a1deab0758d3ef2975626ab4b43e7594d61fefa67e1c17be78e57405006f63e0/detection
So far it seems ok, but I'm also unable to find the exact package it
belongs to:
~# dpkg -S /bin/server
dpkg-query: no path found matching pattern /bin/server
Maybe due to usrmerge? (https://wiki.debian.org/UsrMerge)
~# dpkg -S /sbin/server
dpkg-query: no path found matching pattern /sbin/server
~# dpkg -S /lib/server
dpkg-query: no path found matching pattern /lib/server
~# dpkg -S /usr/bin/server
golang-golang-x-tools: /usr/bin/server
~# dpkg -S /usr/sbin/server
dpkg-query: no path found matching pattern /usr/sbin/server
~# dpkg -S /usr/lib/server
dpkg-query: no path found matching pattern /usr/lib/server
Thanks in advance!
xiscu
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (900, 'testing'), (10, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rkhunter depends on:
ii binutils 2.34-5
ii debconf [debconf-2.0] 1.5.73
ii file 1:5.38-4
ii lsof 4.93.2+dfsg-1
ii net-tools 1.60+git20180626.aebd88e-1
ii perl 5.30.0-9
ii ucf 3.0038+nmu1
Versions of packages rkhunter recommends:
ii bsd-mailx [mailx] 8.1.2-0.20180807cvs-1+b1
ii curl 7.68.0-1
ii e2fsprogs 1.45.6-1
ii exim4-daemon-light [mail-transport-agent] 4.93-13
ii iproute2 5.5.0-1
pn unhide <none>
pn unhide.rb <none>
ii wget 1.20.3-1+b2
Versions of packages rkhunter suggests:
ii liburi-perl 1.76-2
ii libwww-perl 6.43-1
pn powermgmt-base <none>
-- Configuration Files:
/etc/logcheck/ignore.d.server/rkhunter [Errno 13] Permission denied:
'/etc/logcheck/ignore.d.server/rkhunter'
/etc/rkhunter.conf changed:
UPDATE_MIRRORS=0
MIRRORS_MODE=1
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
UPDATE_LANG="en"
LOGFILE=/var/log/rkhunter.log
USE_SYSLOG=authpriv.warning
AUTO_X_DETECT=1
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan deleted_files packet_cap_apps apps
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/sbin/adduser
ALLOWIPCPROC=/usr/bin/firefox
WEB_CMD="/bin/false"
INSTALLDIR=/usr
-- debconf information:
* rkhunter/cron_db_update: true
* rkhunter/cron_daily_run: true
* rkhunter/apt_autogen: true
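The dpkg -S lookups above fail on the flagged path because on a merged-/usr system /bin is a symlink to /usr/bin while dpkg's database records the path the package actually shipped. The following triage helper is an added example, not part of the report or of rkhunter: it maps a flagged path to its merged-/usr form, asks dpkg which package owns it, and checks the file against that package's shipped md5sums. It assumes a Debian system with dpkg, the standard /var/lib/dpkg/info/<pkg>.md5sums layout, and uses the report's /bin/server as the sample path.

```shell
#!/bin/sh
# Added triage helper (not rkhunter's own code, not from the bug report).
# Given a path rkhunter flagged, try the merged-/usr equivalent, find the
# owning package with dpkg -S, and verify the file's checksum against the
# package's md5sums. Sample flagged path from the report: /bin/server.

# Pure mapping: /bin/x -> /usr/bin/x, /sbin/x -> /usr/sbin/x, /lib*/x -> /usr/lib*/x.
# Paths already under /usr or outside the merged directories are unchanged.
usrmerge_path() {
    case "$1" in
        /bin/*|/sbin/*|/lib/*|/lib32/*|/lib64/*|/libx32/*) printf '/usr%s\n' "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Candidates for dpkg -S: the path as given, plus its merged-/usr form
# only when the top-level directory really is a symlink on this system.
dpkg_candidates() {
    p="$1"
    printf '%s\n' "$p"
    alt=$(usrmerge_path "$p")
    top="/$(printf '%s' "$p" | cut -d/ -f2)"
    [ "$alt" != "$p" ] && [ -L "$top" ] && printf '%s\n' "$alt"
    return 0
}

# Look up the owner and compare the on-disk file with the package's md5sums
# (the md5sums file lists paths without the leading slash, so run from /).
check_flagged_file() {
    for c in $(dpkg_candidates "$1"); do
        owner=$(dpkg -S "$c" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$owner" ] || continue
        echo "$1 -> $c is owned by $owner"
        sums="/var/lib/dpkg/info/$owner.md5sums"
        if [ -r "$sums" ] && grep -q " ${c#/}\$" "$sums"; then
            (cd / && grep " ${c#/}\$" "$sums" | md5sum -c --quiet -) \
                && echo "checksum matches the package" \
                || echo "checksum MISMATCH: treat the warning as real until explained"
        else
            echo "no md5sums entry for $c in $owner"
        fi
        return 0
    done
    echo "$1: no package owns it; the rkhunter warning still needs manual review"
    return 1
}

if [ -n "${1:-}" ]; then check_flagged_file "$1"; fi
```

Run it as `sh triage.sh /bin/server`; a checksum match against the owning package (golang-golang-x-tools in the report) is the evidence that the warning is a path-pattern false positive rather than a replaced binary.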