
#170 keyutils-libs false positive (2013 SSHD rootkit signature)

Milestone: main
Status: closed-fixed
Owner: None
Priority: 5
Updated: 2021-08-23
Created: 2021-01-08
Creator: Mike
Private: No

The minor version of the /lib64/libkeyutils.so library has caught up with the signature of the 2013 sshd rootkit (/lib64/libkeyutils.so.1.9), thus the latest keyutils-libs package is falsely recognized as the 2013 sshd rootkit:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
Command: kscreenlocker_g
UID: 2823702 PID: 2823701
Pathname: 811279
Possible Rootkit: Spam tool component
Command: kscreenlocker_g
UID: 2823703 PID: 2823701
Pathname: 811279
Possible Rootkit: Spam tool component
Command: kscreenlocker_g
UID: 2823704 PID: 2823701
Pathname: 811279
Possible Rootkit: Spam tool component
Command: kscreenlocker_g
UID: 2823705 PID: 2823701
Pathname: 811279
Possible Rootkit: Spam tool component
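The warning above is a filename-based hit: rkhunter's sshd-rootkit signature matches the path /lib64/libkeyutils.so.1.9, which the legitimate keyutils-libs package now also ships. The following triage helper is an added example for this page, not rkhunter code and not from the reporter: it pulls the flagged paths out of rkhunter's "Found file" lines and asks the package manager (rpm or dpkg, whichever is present) who owns each path and whether the owning package still verifies. The sample output is constructed from the ticket text; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not rkhunter code: triage rkhunter "Found file" warnings by
# checking package ownership and package verification for each flagged path.
# A name-signature hit on a file that is owned by the distribution's package
# and passes verification is the false positive this ticket describes.

# Constructed sample input, copied from the warning lines in the ticket above.
RKHUNTER_OUTPUT="Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component"

# flagged_paths OUTPUT: print one path per line, taken from the quoted
# filename in each "Found file '...'" line; other lines are ignored.
flagged_paths() {
    printf '%s\n' "$1" | sed -n "s/^Found file '\([^']*\)'\..*/\1/p"
}

# package_owner PATH: print the package owning PATH, "unowned" if no package
# claims it, or "no-package-manager" if neither rpm nor dpkg is available.
package_owner() {
    if command -v rpm >/dev/null 2>&1; then
        # rpm -qf exits non-zero (and prints a message) for unowned files.
        if owner=$(rpm -qf "$1" 2>/dev/null); then
            printf '%s\n' "$owner" | head -n1
        else
            echo unowned
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "package[:arch]: /path"; keep only the package name.
        owner=$(dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$owner" ] && printf '%s\n' "$owner" || echo unowned
    else
        echo no-package-manager
    fi
}

# verify_package PKG: succeed only if the package manager reports no
# modified, missing or otherwise changed files for PKG.
verify_package() {
    if command -v rpm >/dev/null 2>&1; then
        [ -z "$(rpm -V "$1" 2>/dev/null)" ]
    elif command -v dpkg >/dev/null 2>&1; then
        [ -z "$(dpkg --verify "$1" 2>/dev/null)" ]
    else
        return 1
    fi
}

# triage OUTPUT: one tab-separated line per flagged path:
#   PATH  OWNER  VERIFIED|MODIFIED|INVESTIGATE
# VERIFIED: owned by an intact package (the false positive in this ticket).
# MODIFIED: owned, but the package no longer verifies.
# INVESTIGATE: no package claims the file, or ownership cannot be checked.
triage() {
    flagged_paths "$1" | while IFS= read -r path; do
        owner=$(package_owner "$path")
        case "$owner" in
            unowned|no-package-manager)
                printf '%s\t%s\tINVESTIGATE\n' "$path" "$owner" ;;
            *)
                if verify_package "$owner"; then
                    printf '%s\t%s\tVERIFIED\n' "$path" "$owner"
                else
                    printf '%s\t%s\tMODIFIED\n' "$path" "$owner"
                fi ;;
        esac
    done
}

# Run against the constructed sample; feed real rkhunter output the same way.
triage "$RKHUNTER_OUTPUT"
```

A VERIFIED result on both paths is what this ticket reports: the file is the distribution's own libkeyutils and only the name matches the signature, so the rkhunter.conf RTKT_FILE_WHITELIST option can carry the path until a release with an updated signature is installed. MODIFIED or INVESTIGATE on a path that matches a rootkit signature is a real finding. One caveat: rpm -V and dpkg --verify trust the local package database, which an attacker with root can also alter, so on a host that is already suspect, compare the file against a copy of the package fetched from a clean mirror instead.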

Discussion

  • John Horne - 2021-02-07

    Fixed in next release.

  • John Horne - 2021-02-07
    • status: open --> closed-fixed
    • assigned_to: John Horne

  • Nils Toedtmann - 2021-08-23

    We are observing this.
    Where would I find the aforementioned next release?

    Last edit: Nils Toedtmann 2021-08-23
