Bug#651119: rkhunter: False positives when checking running processes for suspicious files

Julien Valroff julien at debian.org
Sat Dec 10 13:53:17 UTC 2011


package rkhunter
tags 651119 + moreinfo
thanks

Hi Rory,

On Monday 05 Dec. 2011 at 22:52:34 (+0100 CET), Rory Campbell-Lange wrote:
> Package: rkhunter
> Version: 1.3.6-4
> Severity: important
> 
> 
> Processes that match any of the checked strings (noted after the colon after
> "...were found") trigger rkhunter alerts.
> 
> For instance "/usr/bin/dbus-daemon --system" appears to trigger an alert.
> 
>  Warning: Checking running processes for suspicious files [ Warning ]
>   Warning: One or more of these files were found: backdoor, adore.o,
>   mod_rootme.so, phide_mod.o, lbk.ko, vlogger.o, cleaner.o, cleaner, ava,
>   tzava, mod_klgr.o, hydra, hydra.restore, ras2xm, vobiscum, sshd3,
>   system, t0rnsb, t0rns, t0rnp, rx4u, rx2me, crontab, sshdu, glotzer,
>   holber, xhide, xh, emech, psybnc, mech, httpd.bin, mh, xl, write,
>   Phantasmagoria.o, lkt.o, nlkt.o
>            Check the output of the lsof command 'lsof -F n -w -n'
>   
>   One or more warnings have been found while checking the system.
>   Please check the log file (/var/log/rkhunter.log)

Thanks for reporting this issue.

However, I am not sure to understand what you mean: do you think you get a
warning because "system" is found in a running process name?

I fail to understand how this could happen, at least in the current code, as
the possible suspicious *files* are grepped in the lsof output using the
following code:
  FOUNDFILES=`grep "/${FNAMEGREP}$" ${RKHLSOF_FILE}`

In the version 1.3.6 you use, the following code is used:
  FILENAME=`${LSOF_CMD} -wnlP -F n | grep '^n/' | sed -e 's/^n//' | ${SORT_CMD} | ${UNIQ_CMD} | egrep "/(${SUSP_FILES})\$"`

which means, in your example, that '--system' could not be matched.

Also, note that the suspicious files listed in the warning are checked with
the output of lsof which lists open files, and not running processes (as
does ps). 'dbus-daemon --system' is not a file, but a running process.

I hence fail to understand what triggers the warning you get. Have you
checked the logfile and the lsof output?

Cheers,
Julien

-- 
  .''`.   Julien Valroff ~ <julien at kirya.net> ~ <julien at debian.org>    
 : :'  :  Debian Developer & Free software contributor
 `. `'`   http://www.kirya.net/
   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1
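As an added example (not rkhunter's own code and not part of the bug report), the following shell script reproduces the 1.3.6 matching step quoted in the message over constructed lsof and ps-style input, to show that a process argument such as '--system' cannot match while an open file literally named 'system' would. SUSP_FILES is a shortened subset of the names in the warning.

```sh
#!/bin/sh
# Added example, not rkhunter's own code: reproduce the 1.3.6 matching
# step quoted in the message over constructed input. SUSP_FILES is a
# shortened subset of the names listed in the warning.
SUSP_FILES='backdoor|adore.o|system|crontab|write|xh'

# Constructed 'lsof -wnlP -F n' output: 'p' lines carry PIDs, 'n' lines
# carry open file names. One process has a file literally named 'system'.
LSOF_SAMPLE='p1234
n/usr/bin/dbus-daemon
n/lib/x86_64-linux-gnu/libc.so.6
p2345
n/tmp/system
n/usr/sbin/crontabd
p3456
n/var/log/syslog'

# Constructed ps-style command lines, for contrast: the reporter's process.
PS_SAMPLE='/usr/bin/dbus-daemon --system
/usr/sbin/cron -f'

# susp_match: the final egrep of the 1.3.6 pipeline. A line matches only
# when its last path component, preceded by '/', is exactly a listed name
# (so 'crontabd' and '--system' do not match, '/etc/crontab' does).
susp_match() {
    grep -E "/(${SUSP_FILES})\$" || true   # grep exits 1 on no match
}

# rkhunter_1_3_6_check LSOF_TEXT: the full pipeline from the message,
# with the lsof call replaced by the constructed text.
rkhunter_1_3_6_check() {
    printf '%s\n' "$1" | grep '^n/' | sed -e 's/^n//' | sort | uniq | susp_match
}

# ps_check PS_TEXT: the same regex applied to command lines instead of
# open files, to show that even a ps listing would not match '--system'.
ps_check() {
    printf '%s\n' "$1" | susp_match
}

echo "lsof hits: $(rkhunter_1_3_6_check "$LSOF_SAMPLE")"   # /tmp/system
echo "ps hits: $(ps_check "$PS_SAMPLE")"                   # (empty)
```

Any hit the script reports is a file path, which is what the real check greps in /var/log/rkhunter.log and 'lsof -F n -w -n' output.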




