Re: [arch-general] rkhunter found possible rootkit
On 8/20/19 5:58 AM, Oliver Jaksch via arch-general wrote:
> On Tuesday, 20 August 2019, 10:15:58 CEST you wrote:
>> On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
>>> On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
>>>> I let rkhunter run around once a week. There was nothing for many
>>>> months. But today its report complains about */lib64/libkeyutils.so.1.9*
>>>> and therefore about other tools that are (it seems) using this SO.
>>
>> ...
>>
>>> No, those libraries are used for key manipulation, that's why rkhunter
>>> thinks that they might be a sniffer.
>>
>> In this particular case the filename was apparently used by a rootkit in
>> 2013 and it was blacklisted. Now the legitimate owner of the
>> libkeyutils filenames has reached the blacklisted version number. I
>> don't know which of the two possibilities it is in your case.
>>
>> https://bugs.archlinux.org/task/63369
>> https://www.webhostingtalk.com/showthread.php?t=1235797
>
> Thanks to all. I think the URLs Filipe has posted are the most expressive
> part. Let's hope that this really is a false alarm coming from the past.
>
> Oliver

If you're in doubt, you can also try chkrootkit. When dealing with potential
false positives, it sometimes helps to try more than one tool.

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
Re: [arch-general] espeakup
Of course.. Windows is dumb when we compare it to Linux.. that's why Microsoft
is trying to make their useless OS useful by fitting Linux kernels to it

On Tue, 20 Aug 2019, 11:27 am Jack Wu, wrote:
> Windows is not so smart.
>
> Let's use Linux instead. XD
>
> On 2019/8/19 8:31 PM, Bjoern Franke via arch-general wrote:
> > On 18.08.19 at 16:24, adérito wrote:
> >> I have a question: how do I put the espeakup? I already tried to restart
> >> espeakup when putting Arch Linux in Portuguese and cannot make espeakup
> >> speak in Portuguese. Is there another way to do this?
> >>
> >> Sent from Mail for Windows 10
> >>
> > Please tell your Windows 10 not to create new threads.
>
> --
> Best regards!
>
> From Jack Wu
> GPG Fingerprint: 0A5B AD44 5D80 C1CC
> Website: https://origincode.me/
Re: [arch-general] rkhunter found possible rootkit
On Tuesday, 20 August 2019, 10:15:58 CEST you wrote:
> On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
> > On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
> >> I let rkhunter run around once a week. There was nothing for many
> >> months. But today its report complains about */lib64/libkeyutils.so.1.9*
> >> and therefore about other tools that are (it seems) using this SO.
> > ...
> >
> > No, those libraries are used for key manipulation, that's why rkhunter
> > thinks that they might be a sniffer.
>
> In this particular case the filename was apparently used by a rootkit in
> 2013 and it was blacklisted. Now the legitimate owner of the
> libkeyutils filenames has reached the blacklisted version number. I
> don't know which of the two possibilities it is in your case.
>
> https://bugs.archlinux.org/task/63369
> https://www.webhostingtalk.com/showthread.php?t=1235797

Thanks to all. I think the URLs Filipe has posted are the most expressive
part. Let's hope that this really is a false alarm coming from the past.

Oliver
Re: [arch-general] rkhunter found possible rootkit
On Tue, 2019-08-20 at 09:31 +0100, Filipe Laíns via arch-general wrote:
> so I can give any guarantees

*I can't

Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
Re: [arch-general] rkhunter found possible rootkit
On Tue, 2019-08-20 at 10:15 +0200, ProgAndy wrote:
> On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
> > On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general
> > wrote:
> > > I let rkhunter run around once a week. There was nothing for many
> > > months. But today its report complains about
> > > */lib64/libkeyutils.so.1.9* and therefore about other tools that are
> > > (it seems) using this SO.
> >
> > ...
> > No, those libraries are used for key manipulation, that's why
> > rkhunter thinks that they might be a sniffer.
> >
> In this particular case the filename was apparently used by a rootkit
> in 2013 and it was blacklisted. Now the legitimate owner of the
> libkeyutils filenames has reached the blacklisted version number. I
> don't know which of the two possibilities it is in your case.
>
> https://bugs.archlinux.org/task/63369
> https://www.webhostingtalk.com/showthread.php?t=1235797

The sources are pulled from [1] and signed by David Howells (Redhat) so I
am pretty inclined to trust them. I did not, however, inspect the sources
myself so I can give any guarantees.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git

Thanks,
Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
Re: [arch-general] rkhunter found possible rootkit
On Tue, 20 Aug 2019 10:15:58 +0200, ProgAndy wrote:
>On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
>> On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch wrote:
>> No, those libraries are used for key manipulation, that's why
>> rkhunter thinks that they might be a sniffer.
>>
>In this particular case the filename was apparently used by a rootkit
>in 2013

If a file name should be a pointer to a {false,} positive, it still is not
necessarily a {false,} positive. rkhunter probably not only checks file
names, if at all.

https://sourceforge.net/projects/rkhunter/support
Re: [arch-general] rkhunter found possible rootkit
On 20.08.19 at 10:00, Filipe Laíns via arch-general wrote:
> On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
>> I let rkhunter run around once a week. There was nothing for many
>> months. But today its report complains about */lib64/libkeyutils.so.1.9*
>> and therefore about other tools that are (it seems) using this SO.
>> ...
> No, those libraries are used for key manipulation, that's why rkhunter
> thinks that they might be a sniffer.
>
In this particular case the filename was apparently used by a rootkit in
2013 and it was blacklisted. Now the legitimate owner of the
libkeyutils filenames has reached the blacklisted version number. I
don't know which of the two possibilities it is in your case.

https://bugs.archlinux.org/task/63369
https://www.webhostingtalk.com/showthread.php?t=1235797
Re: [arch-general] rkhunter found possible rootkit
On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
> Should I/we be worried?

Hi Oliver,

if something conceivably harmful is found you should take care. If you
wouldn't, then why are you using it at all?

If proprietary software would detect something you suspect to be a false
positive, you would attach it to a report you sent to the company; usually
those companies provide an internet channel to upload such files. The
company then would take a look at those files.

Nobody can tell from the warnings you get when running rkhunter if it is
or isn't a false positive. Even if those files are known to be false
positives when not being infected, they still could be infected on your
machine.

Probably rkhunter provides support channels, too.

[rocketmouse@archlinux ~]$ pacman -Si rkhunter | grep URL
URL : http://rkhunter.sourceforge.net/

How about https://sourceforge.net/p/rkhunter/_list/tickets ?

Regards,
Ralf
Re: [arch-general] rkhunter found possible rootkit
On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote:
> I let rkhunter run around once a week. There was nothing for many
> months. But today its report complains about */lib64/libkeyutils.so.1.9* and
> therefore about other tools that are (it seems) using this SO.
>
> The SO matches the one from 'core/keyutils 1.6.1-1' in size and hash.
> I've uploaded the SO to some "we scan it all" AV sites, but none of them
> found anything.
>
> Should I/we be worried? Anything else I can do? Or is this a false alarm and
> the warnings are somewhat okay because of the package's nature ("Linux Key
> Management Utilities")?
>
> > Warning: Checking for possible rootkit files and directories [ Warning ]
> > Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> > Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> > Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> > Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> >
> > Warning: The following processes are using suspicious files:
> > Command: (sd-pam)
> >     UID: 1001    PID: 944
> >     Pathname:
> >     Possible Rootkit: Spam tool component
> > Command: NetworkManager
> >     UID: 0    PID: 381
> >     Pathname:
> >     Possible Rootkit: Spam tool component
> > Command: NetworkManager
> >     UID: 385    PID: 381
> >     Pathname: 3166425
> >     Possible Rootkit: Spam tool component
> > Command: NetworkManager
> >     UID: 387    PID: 381
> >     Pathname: 3166425
> >     Possible Rootkit: Spam tool component
> > Command: Xorg
> >     UID: 0    PID: 512
> >     Pathname:
> >     Possible Rootkit: Spam tool component
> > [...]

No, those libraries are used for key manipulation, that's why rkhunter
thinks that they might be a sniffer.

If you are worried you can check the sources.

https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/keyutils

Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
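A triage step for the warnings quoted above, as an added example that is not part of the thread, of rkhunter or of pacman: it parses the "Found file" lines, folds the Arch symlink aliases (/lib, /lib64 and /usr/lib64 all resolve to /usr/lib, so the four warnings are one file), and asks pacman which package owns the file and whether the on-disk file still matches that package's mtree (`pacman -Qoq` and `pacman -Qkk`), which is the "matches core/keyutils in size and hash" check done against the local package database. The `make_fake_pacman` stand-in and the `constructed-unowned.so` report line are constructed so the logic runs on a machine without pacman.

```python
import re
import subprocess

FOUND_RE = re.compile(r"Found file '([^']+)'\. Possible rootkit: (.+)$")
ALIASES = ("/lib64/", "/lib/", "/usr/lib64/")  # Arch symlinks all three to /usr/lib
LIB = "/usr/lib/libkeyutils.so.1.9"

def canonical(path: str) -> str:
    """Collapse the symlinked library dirs so the four warnings become one file."""
    for alias in ALIASES:
        if path.startswith(alias):
            return "/usr/lib/" + path[len(alias):]
    return path

def parse_found_files(report: str) -> dict[str, str]:
    """{canonical path: rkhunter's label} for every 'Found file' line in a report."""
    hits: dict[str, str] = {}
    for m in filter(None, map(FOUND_RE.search, report.splitlines())):
        hits[canonical(m.group(1))] = m.group(2).strip()
    return hits

def pacman(args: list[str]) -> str:
    """Real runner: pacman with the given arguments, stdout and stderr merged."""
    r = subprocess.run(["pacman", *args], capture_output=True, text=True)
    return r.stdout + r.stderr  # -Qkk reports mismatches as 'warning:' lines on stderr

def triage(hits: dict[str, str], run=pacman) -> dict[str, str]:
    """Per file: 'unowned', 'modified: <pacman -Qkk warning>' or 'intact: ...'."""
    verdicts: dict[str, str] = {}
    for path in hits:
        out = run(["-Qoq", path])  # owning package name, or an 'error: No package owns' line
        owner = "" if out.startswith("error") else out.strip()
        if not owner:
            verdicts[path] = "unowned: no installed package provides this file, investigate"
            continue
        # -Qkk compares size, permissions, mtime and other recorded properties with the mtree
        bad = [ln for ln in run(["-Qkk", owner]).splitlines() if ln.startswith("warning") and path in ln]
        verdicts[path] = f"modified: {bad[0]}" if bad else f"intact: owned by {owner}, mtree matches"
    return verdicts

def make_fake_pacman(altered: bool):
    """Constructed stand-in for pacman so this runs off Arch: only LIB is owned (by keyutils)."""
    def fake(args: list[str]) -> str:
        if args[0] == "-Qoq":
            return "keyutils\n" if args[1] == LIB else f"error: No package owns {args[1]}\n"
        return f"warning: keyutils: {LIB} (Size mismatch)\n" if altered else "keyutils: 0 altered files\n"
    return fake

SAMPLE = """Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib/constructed-unowned.so'. Possible rootkit: Sniffer component"""
```

On a real Arch box call `triage(parse_found_files(open("rkhunter.log").read()))` with the default runner; a "modified" or "unowned" verdict is what separates a stale blacklist entry from a file worth a closer look.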