Re: [Rkhunter-users] Two things: (1) "support ticket" status; (2) should I worry about "Warning: Us
From: <vze...@ve...> - 2020-12-03 23:14:46
On Mon, 29 Jun 2020, C. Kujau wrote:
> On Tue, 16 Jun 2020, vze1amckv--- via Rkhunter-users wrote:
>>> [22:28:06] Info: Starting test name 'passwd_changes'
>> [22:28:06] Checking for passwd file changes [ Warning ]
>> [22:28:07] Warning: User 'tcpdump' has been added to the passwd file.
>> [22:28:07]
>>
>> I haven't installed tcpdump recently. Is there any other reason why a
>> "tcpdump" user would be created? For example, do you know what other common
>> software might have tcpdump bundled with it?
>
> Most of this should already be covered in the FAQ:
>
> https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/FAQ
>
> Especially 3.1, "Rootkit Hunter tells me there is something wrong with my
> system. What do I do?"
>
> We don't know anything about your system and can't tell what caused the
> additional "tcpdump" user to be created. Better consult your logs and
> install/update scripts to find out if this is a benign addition or not.
>
> Good luck,
> C.

Thanks for the reply to my e-mail earlier this summer; not sure why I never received it (I only found it when searching the archive for an answer).

I've satisfied myself that the "tcpdump" user is probably nothing to worry about (a third opinion is always helpful), and most of the changed-file warnings are caused by legitimate software updates, but I am still curious about the one time I ran rkhunter and it said that "unhide" found hundreds of "hidden" processes. This only happened once, and of course the only way to recover from a real rootkit infection is to completely reformat and reinstall, which would seem to be overkill if nothing is really wrong.

Anyway, I do have another question that I asked earlier... I submitted a "support request" to the project developers on the SourceForge website some years ago:

https://sourceforge.net/p/rkhunter/support-requests/44

but for some reason this ticket doesn't show in the list of open cases OR in the list of closed requests.

Can an admin please help me to view the status of that request? Thank you.
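The FAQ answer quoted above (consult your logs and install/update scripts) can be turned into a small triage routine. The following is an added example written for this archive page; it is not rkhunter's code and not part of the thread. It first recomputes what the passwd_changes test conceptually reports (users present in the current passwd file but not in the previous snapshot), then classifies each added user from the evidence an admin would actually read: the UID and shell of the new entry, the useradd line in the auth log, and the package manager's log. All passwd contents and log lines are constructed sample data that imitate the format Debian's useradd and dpkg write; the paths mentioned in the comments (/var/log/auth.log, /var/log/dpkg.log, /var/lib/dpkg/info/*.postinst) are assumptions about a Debian-style host.

```shell
#!/bin/sh
# Added example: triage an rkhunter "User 'X' has been added to the passwd
# file" warning. This is not rkhunter's code. Step 1 reproduces what the
# passwd_changes test conceptually does (diff the previous snapshot against
# the current file); step 2 checks each added user against the evidence the
# FAQ points to: the auth log and the package manager's log. All data below is
# constructed sample input; the log lines imitate the format Debian's useradd
# and dpkg write, and the paths in the comments assume a Debian-style host.

# Constructed: /etc/passwd as of the previous rkhunter run.
PASSWD_OLD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed: /etc/passwd now. "tcpdump" looks like a package service
# account (no home, nologin shell); "backdoor" is a second UID-0 login
# account, the kind of entry that is an incident rather than a false positive.
PASSWD_NEW='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
tcpdump:x:110:115::/nonexistent:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash'

# Constructed: /var/log/auth.log excerpt (useradd logs every account it creates).
AUTH_LOG='Jun 16 22:10:03 host useradd[1201]: new user: name=tcpdump, UID=110, GID=115, home=/nonexistent, shell=/usr/sbin/nologin
Jun 16 22:27:45 host useradd[2210]: new user: name=backdoor, UID=0, GID=0, home=/root, shell=/bin/bash'

# Constructed: /var/log/dpkg.log excerpt.
DPKG_LOG='2020-06-16 22:10:01 install tcpdump:amd64 <none> 4.9.3-4
2020-06-16 22:10:03 status installed tcpdump:amd64 4.9.3-4'

# Print user names present in the new passwd text ($2) but not in the old
# text ($1), in the order they appear in the new file.
added_users() {
    {
        printf '%s\n' "$1" | cut -d: -f1 | sed 's/^/old /'
        printf '%s\n' "$2" | cut -d: -f1 | sed 's/^/new /'
    } | awk '$1 == "old" { seen[$2] = 1 }
             $1 == "new" && !seen[$2] { print $2 }'
}

# Column $2 (1-based passwd field) of user $1 in PASSWD_NEW.
passwd_field() {
    printf '%s\n' "$PASSWD_NEW" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

# Classify one added user:
#   suspicious-uid0  - UID 0, i.e. a second root account, whatever created it
#   package-account  - a package of the same name was installed (dpkg.log);
#                      on a live host confirm with
#                      grep -l "adduser.*$user" /var/lib/dpkg/info/*.postinst
#   unexplained      - no package evidence; read auth.log and shell history
verdict_for() {
    user=$1
    uid=$(passwd_field "$user" 3)
    # grep exits 1 on no match; "|| true" keeps this usable under set -e.
    pkg_line=$(printf '%s\n' "$DPKG_LOG" | grep -F " status installed $user:" || true)
    if [ "$uid" = "0" ]; then
        echo suspicious-uid0
    elif [ -n "$pkg_line" ]; then
        echo package-account
    else
        echo unexplained
    fi
}

# Full report for one user: verdict plus the useradd evidence line.
triage_user() {
    user=$1
    useradd_line=$(printf '%s\n' "$AUTH_LOG" | grep -F "name=$user," || true)
    printf '%s: %s (uid=%s shell=%s)\n' "$user" "$(verdict_for "$user")" \
        "$(passwd_field "$user" 3)" "$(passwd_field "$user" 7)"
    printf '    auth.log: %s\n' "${useradd_line:-no useradd entry found}"
}

for u in $(added_users "$PASSWD_OLD" "$PASSWD_NEW"); do
    triage_user "$u"
done
```

Matching the package name to the user name is only a heuristic; the authoritative check is whether a package's maintainer script creates the account, and a useradd entry with no matching package activity at that time deserves a look at who was logged in then. The distinction worth keeping from this exercise is that the rkhunter warning itself is not the finding: a new UID-0 entry or a new account with a login shell is what turns a passwd change from a package artefact into an incident.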