[Rkhunter-users] false positive
From: samsamros <sam...@su...> - 2022-07-05 18:24:11
Hello rkhunter team! I'd like to report a false positive while using firejail. This may help users using similar configurations who run into this problem rule out a false positive.

I'm using a Debian-based distro (Parrot OS) running the latest rkhunter and firejail (firejail version 0.9.64.4). This needs the hardened ping profile (ping-hardened.inc.profile, ping.profile) and the symlinks set up (sudo firecfg).

Run rkhunter -c -sk:

    Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 7
    Rootkit names : Ping Rootkit or other backdoor

    Warning: Checking for possible rootkit strings [ Warning ]
    Found string '/bin/bash' in file '/usr/local/bin/ping'. Possible rootkit: Ping Rootkit or other backdoor

After reviewing the problem and checking multiple other computers with the same config and unrelated to my setup, I was able to rule it out as a false positive. I reviewed another computer, which is also a personal laptop running Parrot OS. The same possible rootkit appeared. I did much research and couldn't find a bug anywhere or information on the rootkit directly. After purging firejail and reinstalling the profiles and the software itself, the warning was gone (as the symlinks were gone).

I used a friend's system who is unrelated to my network and with whom I seldom share any information. He also uses Parrot OS as a desktop distro (no ports with services facing the web directly). He had firejail installed, same version (0.9.64.4), and he also had the ping hardened profile included in /etc/firejail but had not run sudo firecfg after installing the software a few months back. He ran rkhunter -c -sk and the following came out:

    Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 6 (all of which are confirmed false positives)

I also wrote to the firejail devs about the issue: https://github.com/netblue30/firejail/issues/5236 where further details may be seen. They also ruled it out as a false positive.

I hope this helps other users who run into this issue find answers on the issue. There are some false positives arising from firejail which are nothing to worry about. Thank you all!
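Added triage helper, not from the original post or from the rkhunter or firejail projects: given the path that rkhunter's string check flagged, it reports whether the file is a symlink of the kind `sudo firecfg` creates, resolves it, and checks whether the resolved target is the firejail binary. It assumes, based on the post's observation that the warning disappeared together with the symlinks, that the '/bin/bash' string rkhunter reports actually lives in that target.

```shell
#!/bin/sh
# Added example (not part of the mailing-list post or of rkhunter/firejail).
# usage: triage_flagged_file /usr/local/bin/ping
# Exit status 0: the flagged path is a symlink whose resolved target is the
# firejail binary, i.e. consistent with the firecfg false positive reported
# above. Exit status 1: anything else, which still deserves a manual look.

# Resolve a symlink chain by hand (readlink -f is a GNU extension), capped
# at 32 hops so a link loop cannot hang the script.
resolve_path() {
    p="$1"
    n=0
    while [ -L "$p" ] && [ "$n" -lt 32 ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$t" ;;                        # absolute link target
            *)  p="$(dirname "$p")/$t" ;;        # relative to the link's dir
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

triage_flagged_file() {
    f="$1"
    if [ ! -L "$f" ]; then
        echo "$f: not a symlink; inspect this file directly"
        return 1
    fi
    target=$(resolve_path "$f")
    echo "$f -> $target"
    # rkhunter reads through the link, so the string it found is in the target.
    if grep -q '/bin/bash' "$target" 2>/dev/null; then
        echo "string '/bin/bash' is present in the resolved target"
    fi
    case "$(basename "$target")" in
        firejail)
            echo "target is the firejail binary: consistent with a firecfg symlink"
            return 0 ;;
        *)
            echo "target is not firejail: treat the warning as unexplained"
            return 1 ;;
    esac
}
```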