
#174 suspscan tests even if in DISABLE_TESTS and NOT in ENABLE_TESTS

Status: open
Group: main
Owner: nobody
Labels: suspscan (1)
Priority: 5
Updated: 2022-10-13
Created: 2022-05-18
Private: No

Running 1.4.6
ENABLE_TESTS=hidden_ports hidden_procs deleted_files packet_cap_apps apps additional_rkts attributes avail_modules filesystem group_accounts group_changes hashes immutable ipc_shared_mem known_rkts loaded_modules local_host login_backdoors malware network os_specific packet_cap_apps passwd_changes ports possible_rkt_files possible_rkt_strings promisc properties rootkits running_procs scripts shared_libs shared_libs_path sniffer_logs startup_files start up_malware strings system_commands system_configs system_configs_ssh system_configs_syslog trojans

It still runs suspscan, and the whitelist for suspicious files is not working either.

Related

Bugs: #174

Discussion

  • John Horne - 2022-09-30

    Suspscan is part of the 'malware' test which you have enabled (looking at the above). You haven't said what your DISABLE_TESTS setting is.

    John.

     
  • Robert J Dinse - 2022-10-09

    I have: DISABLE_TESTS=suspscan, and yet:

    [20:37:04] Warning: The following processes are using suspicious files:
    [20:37:04] Command: dbus-daemon
    [20:37:04] UID: 105 PID: 816
    [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: in.ftpd
    [20:37:04] UID: 14 PID: 1011422
    [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: in.ftpd
    [20:37:04] UID: 14 PID: 1038712
    [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: lsof
    [20:37:04] UID: 0 PID: 1209048
    [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: lsof
    [20:37:04] UID: 0 PID: 1209054
    [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: master
    [20:37:04] UID: 0 PID: 2354
    [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: named
    [20:37:04] UID: 1065 PID: 1064
    [20:37:04] Pathname: 22600
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: named
    [20:37:04] UID: 1066 PID: 1064
    [20:37:04] Pathname: 22600
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: named
    [20:37:04] UID: 1067 PID: 1064
    [20:37:04] Pathname: 22600
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: named
    [20:37:04] UID: 1068 PID: 1064
    [20:37:04] Pathname: 22600
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: named
    [20:37:04] UID: 1069 PID: 1064
    [20:37:04] Pathname: 22600
    [20:37:04] Possible Rootkit: Spam tool component
    [20:37:04] Command: named
    [20:37:04] UID: 1070 PID: 1064

    ... and on it goes, and whitelisting the files does not work either.

     
  • John Horne - 2022-10-09

    The output shown is from the 'running_procs' test, not suspscan.
    If you run something like: grep 'Disabled tests' /var/log/rkhunter.log
    then it will show you which tests are disabled.

    The issue with the libkeyutils library, and the whitelisting failure (as can be seen by the pathname being a number), are known about and have been fixed in the development version of rkhunter.
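The maintainer's point above (which test actually produced the warning, and what the log says is disabled) can be checked mechanically. The following POSIX shell helpers are an added example written for this page; they are not rkhunter's own code or anything posted in the thread. They assume that rkhunter.log carries "Info: Enabled tests are:" / "Info: Disabled tests are:" lines and an "Info: Starting test name '<test>'" line ahead of each test's output; the log excerpt embedded below is constructed for the example, not the reporter's log.

```shell
#!/bin/sh
# Added example, not taken from the bug thread or from rkhunter's own code.
# Assumptions: rkhunter.log contains "Info: Enabled tests are:" / "Info:
# Disabled tests are:" lines and an "Info: Starting test name '<test>'" line
# before each test's output. The log text below is constructed.

# Effective test list: each word of ENABLE_TESTS that is not also listed in
# DISABLE_TESTS, since DISABLE_TESTS takes precedence. Group names such as
# 'malware' are left unexpanded here (rkhunter expands them itself), so a
# disabled member of an enabled group is simply absent from the result.
effective_tests() {
    enabled=$1
    disabled=$2
    out=""
    for t in $enabled; do
        keep=1
        for d in $disabled; do
            [ "$t" = "$d" ] && keep=0
        done
        [ "$keep" -eq 1 ] && out="$out $t"
    done
    printf '%s\n' "${out# }"
}

# Same idea as the maintainer's grep 'Disabled tests' /var/log/rkhunter.log,
# applied to log text passed in $1 and reduced to the list itself.
disabled_tests_from_log() {
    printf '%s\n' "$1" | grep 'Disabled tests' | sed 's/.*Disabled tests are: *//'
}

# For every "Warning:" line, print the name of the test that was running when
# it was logged; this is what tells running_procs output apart from suspscan.
warning_test_name() {
    printf '%s\n' "$1" | awk '
        /Info: Starting test name/ {
            t = $0
            sub(/.*test name '\''/, "", t)
            sub(/'\''.*/, "", t)
            current = t
        }
        /\] Warning:/ { print current }'
}

# Constructed log excerpt (not the reporter's log).
SAMPLE_LOG=$(cat <<'EOF'
[16:57:20] Info: Enabled tests are: malware running_procs
[16:57:20] Info: Disabled tests are: suspscan hidden_procs
[16:57:21] Info: Starting test name 'malware'
[16:57:21] Info: Starting test name 'running_procs'
[16:57:22] Checking running processes for suspicious files [ Warning ]
[16:57:22] Warning: The following processes are using suspicious files:
[16:57:22] Command: cron
[16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
EOF
)

echo "effective: $(effective_tests "malware running_procs suspscan" "suspscan hidden_procs")"
echo "disabled per log: $(disabled_tests_from_log "$SAMPLE_LOG")"
echo "warning came from test: $(warning_test_name "$SAMPLE_LOG")"
```

Run against a real log with `warning_test_name "$(cat /var/log/rkhunter.log)"`; a warning attributed to `running_procs` while `suspscan` appears in the disabled list is exactly the situation in this ticket, and is not a sign that DISABLE_TESTS was ignored.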

     
    • Robert J Dinse - 2022-10-09

      Where can I pick up the development release?

      • John Horne - 2022-10-12

        The development release can be found at: https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/
        Then click on the 'download snapshot' to the top-right. Unzip the downloaded zip file, and run the installer.

         
  • Robert J Dinse - 2022-10-13

    I obtained the development release from the git server referenced in the above URL and I still get the following errors:

    [16:57:22] Checking running processes for suspicious files [ Warning ]
    [16:57:22] Warning: The following processes are using suspicious files:
    [16:57:22] Command: cron
    [16:57:22] UID: 0 PID: 3612284
    [16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: dbus-daemon
    [16:57:22] UID: 105 PID: 809
    [16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: lsof
    [16:57:22] UID: 0 PID: 4107760
    [16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: lsof
    [16:57:22] UID: 0 PID: 4107765
    [16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: master
    [16:57:22] UID: 0 PID: 2791
    [16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1043 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1044 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1045 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1046 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1047 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1048 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:22] UID: 1049 PID: 1042
    [16:57:22] Pathname: 22600
    [16:57:22] Possible Rootkit: Spam tool component
    [16:57:22] Command: named
    [16:57:23] UID: 1050 PID: 1042
    [16:57:23] Pathname: 22600
    [16:57:23] Possible Rootkit: Spam tool component
    [16:57:23] Command: named
    [16:57:23] UID: 1051 PID: 1042
    [16:57:23] Pathname: 22600
    [16:57:23] Possible Rootkit: Spam tool component
    [16:57:23] Command: named
    [16:57:23] UID: 1052 PID: 1042
    [16:57:23] Pathname: 22600
    [16:57:23] Possible Rootkit: Spam tool component
    [16:57:23] Command: named
    [16:57:23] UID: 1053 PID: 1042
    [16:57:23] Pathname: 22600
    [16:57:23] Possible Rootkit: Spam tool component
    [16:57:23] Command: named
    [16:57:23] UID: 1054 PID: 1042
    [16:57:23] Pathname: 22600
    [16:57:23] Possible Rootkit: Spam tool component
    [16:57:23] Command: named
    [16:57:23] UID: 1055 PID: 1042
    [16:57:23] Pathname: 22600
    [16:57:23] Possible Rootkit: Spam tool component

     
  • John Horne - 2022-10-13

    You can't be running the right version. The development version does not contain 'libkeyutils.so.1.9' or 'Spam tool component' anywhere in its code.
    Run 'rkhunter -V' to see what version you have.

     
  • Robert J Dinse - 2022-10-13

    Ok, the version I have is 1.4.6, which is the same version number as what I was running, but I obtained it via: git clone https://git.code.sf.net/p/rkhunter/rkh_code rkhunter-rkh_code. I got this off the website you provided; it had:

    HTTPS Access: git clone https://git.code.sf.net/p/rkhunter/rkh_code rkhunter-rkh_code

    So that is what I did and the version I have installed is definitely from that as I wiped the previous and verified that it was all gone with locate.

     
  • John Horne - 2022-10-13

    Yes, that just clones the master branch which is version 1.4.6.
    You need to click on the 'download snapshot' button to get the latest development version.
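Because a plain `git clone` of the repository gives the master branch (1.4.6), it is worth checking which tree you actually installed. The helpers below are an added example for this page, not the maintainer's instructions or rkhunter's code. They assume the development branch is named `develop` (the snapshot URL given above points at `ci/develop/tree`) and use the two strings the maintainer says are absent from that branch as a quick fingerprint.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of rkhunter's own code.
# Assumption: the development branch is called 'develop' (taken from the
# snapshot URL in the thread); the two strings below are the ones the
# maintainer says do not appear in the development version.

# Clone the development branch directly instead of the default master branch.
# Needs network access, so it is only defined here and not run by the test.
fetch_develop() {
    git clone --branch develop https://git.code.sf.net/p/rkhunter/rkh_code "$1"
}

# Return 0 when the tree under $1 still carries the 1.4.6-era strings
# (i.e. it is NOT the development version), 1 when none are present.
has_stale_strings() {
    grep -rqF -e 'libkeyutils.so.1.9' -e 'Spam tool component' "$1"
}

# Human-readable verdict for a downloaded snapshot or a cloned tree.
check_tree() {
    if has_stale_strings "$1"; then
        echo "stale: $1 still contains the 1.4.6 strings; this is not the develop branch"
        return 1
    fi
    echo "ok: $1 contains none of the stale strings"
}
```

Use `check_tree /path/to/unzipped-snapshot` before running the installer; after installing, `rkhunter -V` should report the newer version, as the last comment in this thread confirms.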

     
  • Robert J Dinse - 2022-10-13

    Ah thank you. Now have 1.4.7 and it appears to be fixed. Thank you very much.

     
