Re: [Rkhunter-users] Question on fixing an issue just saw in rkhunter log
From: John D. <jwa...@gm...> - 2022-09-30 03:41:28
Hi Michael,

Although it could be a "positive"...

BOINC https://boinc.berkeley.edu

The BOINC (Berkeley Open Infrastructure for Network Computing) software platform is used for volunteer computing or grid computing creation.

I would have to assume that you (or the "supervisor"/root of the machine) chose to install & run boinc, to allow your idle cpu to be used for the above "voluntary" work.

If you didn't & don't want it, it's relatively easy to give the command,

    dnf remove boinc*

Of course that might remove some dependencies you are actually using, so read & understand what dnf is about to do before you agree with the removal.

It might also have been installed as part of a "group" of packages you are using.

Cheers
John
(Sydney - where the sun rises slightly earlier than Guam allowing for seasonal variation ;-)

On Fri, 2022-09-30 at 05:00 +1000, Michael D. Setzer II via Rkhunter-users wrote:
> Rkhunter reports
>
> [04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
> Possible rootkit: Possible Universal Rootkit (URK) component
> Use the 'lsof -i' or 'netstat -an' command to check this.
>
> Using lsof -i get this.
>
> lsof -i | grep boinc
> boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd
> (LISTEN)
> boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP
> setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https
> (CLOSE_WAIT)
> boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP
> setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https
> (CLOSE_WAIT)
>
> The address shows router that doesn't forward this port
> to machines behind it so don't think it would go
> anywhere. So not sure if this is an issue, or if it would be
> something with rkhunter or with boinc einstein project..
>
> (Also, saw an issue in report with /usr/libexec/gawk
> linking to /usr/libexec/awk which is a directory with two
> files. The gawk is new from earlier this month, the files in
> awk date to 7/2021?)
> Fedora 35.
>
> # ls -l | grep awk
> drwxr-xr-x. 2 root root 4096 Jun 6 16:36 awk
> lrwxrwxrwx. 1 root root 3 Sep 18 01:19 gawk -> awk
> # ls -l awk
> total 32
> -rwxr-xr-x. 1 root root 15944 Jul 22 2021 grcat
> -rwxr-xr-x. 1 root root 15928 Jul 22 2021 pwcat
>
> +------------------------------------------------------------+
> Michael D. Setzer II - Computer Science Instructor
> (Retired)
> mailto:mi...@gu...
> mailto:mse...@gm...
> Guam - Where America's Day Begins
> G4L Disk Imaging Project maintainer
> http://sourceforge.net/projects/g4l/
> +------------------------------------------------------------+
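
Added example, not part of either message above: a small Python check that reads `lsof -i` output and reports, for the port rkhunter flagged, whether the socket is a listener or the local end of an established connection. The function names `parse`, `classify` and `no_listener` are hypothetical, and the sample lines are constructed from the lsof output quoted in the thread with the mail wrapping undone.

```python
import re

# Constructed sample: the three lsof lines quoted in the thread, unwrapped.
SAMPLE = """\
boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_0-9]+)\))?$"
)

def parse(line):
    """Split one lsof -i line into fields; return None for headers or junk."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # NAME is "local" for a listener or "local->remote" for a connection.
    local, _, remote = rec.pop("name").partition("->")
    rec["local_port"] = local.rsplit(":", 1)[-1]  # also handles [::1]:port
    rec["remote"] = remote or None
    return rec

def classify(lsof_text, port):
    """Return (cmd, pid, role, remote) for sockets whose local port matches."""
    hits = []
    for line in lsof_text.splitlines():
        rec = parse(line)
        if rec is None or rec["local_port"] != str(port):
            continue
        if rec["state"] == "LISTEN":
            role = "listening"
        elif rec["remote"]:
            role = "connected"
        else:
            role = "other"
        hits.append((rec["cmd"], int(rec["pid"]), role, rec["remote"]))
    return hits

def no_listener(hits):
    """True when the port is in use but nothing is accepting connections on it,
    which is consistent with a local port picked for an outgoing connection."""
    return bool(hits) and all(role != "listening" for _, _, role, _ in hits)

if __name__ == "__main__":
    for hit in classify(SAMPLE, 47018):
        print(hit)
    print("no listener on 47018:", no_listener(classify(SAMPLE, 47018)))
```

Running `lsof -i -P -n` instead of plain `lsof -i` prints numeric ports and addresses, so the match does not depend on service-name lookups such as `xqosd`.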