[Rkhunter-users] Potential rootkit warning, regarding systemd...

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hello,</div>

<div>I&#39;ve got a Linux Server (openSUSE 15.2) that suddenly showed a suspicious warning during the night after a timed rkhunter scan (cron job), the days before it was quite.</div>

<div>There was no update on the machine before, no reboot or something like that...</div>

<div>&nbsp;</div>

<div>RKHunter shows a warning about &#39;systemd&#39; as a possible rootkit, can anybody help me with that?</div>

<div>Any hints how I could verify what that means?</div>

<div>Is there a known false positive relating to that message or something like that?</div>

<div>&nbsp;</div>

<div>&nbsp;</div>

<div>Running Rootkit Hunter version 1.4.6 (updated):</div>

<div>&nbsp;</div>

<div>...</div>

<div>[04:06:33] Info: Starting test name &#39;malware&#39;<br/>
[04:06:33] Performing malware checks<br/>
[04:06:33]<br/>
[04:06:33] Info: Test &#39;deleted_files&#39; disabled at users request.<br/>
[04:06:33]<br/>
[04:06:33] Info: Starting test name &#39;running_procs&#39;<br/>
[04:06:50]&nbsp;&nbsp; Checking running processes for suspicious files [ Warning ]<br/>
[04:06:50] Warning: The following processes are using suspicious files:<br/>
[04:06:50]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Command: systemd<br/>
[04:06:50]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UID: 0&nbsp;&nbsp;&nbsp; PID: 1<br/>
[04:06:50]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Pathname:<br/>
[04:06:50]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Possible Rootkit: Unknown rootkit<br/>
[04:06:50]<br/>
[04:06:50] Info: Test &#39;hidden_procs&#39; disabled at users request.<br/>
[04:06:50]<br/>
[04:06:50] Info: Test &#39;suspscan&#39; disabled at users request.<br/>
[04:06:50]<br/>
[04:06:50] Info: Starting test name &#39;login_backdoors&#39;<br/>
[04:06:50]&nbsp;&nbsp;&nbsp;&nbsp; Checking for &#39;/bin/.login&#39;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ Not found ]<br/>
[04:06:50]&nbsp;&nbsp;&nbsp;&nbsp; Checking for &#39;/sbin/.login&#39;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ Not found ]<br/>
[04:06:50]&nbsp;&nbsp; Checking for login backdoors&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ None found ]<br/>
...</div>

<div>&nbsp;</div>

<div>Thanks for any help!</div>

<div>&nbsp;</div>

<div>Bye</div>

<div>Kristof S.</div>

<div>&nbsp;</div>

<div>&nbsp;</div>

<div class="signature">&nbsp;</div></div></body></html>