Version Rootkit Hunter 1.4.6 on Ubuntu 16.04
1) What does this mean after running sudo rkhunter -c
/usr/local/bin/rkhunter: 14795: [: /usr/lib/x86_64-linux-gnu/notify-osd: unexpected operator
/usr/local/bin/rkhunter: 14795: [: /usr/bin/compiz: unexpected operator
/usr/local/bin/rkhunter: 14795: [: /usr/bin/nautilus: unexpected operator
/usr/local/bin/rkhunter: 14795: [: /usr/lib/gnome-terminal/gnome-terminal-server: unexpected operator
Rootkit checks...
Rootkits checked : 480
Possible rootkits: 4
2) Also, running rkhunter as:
sudo rkhunter --rwo
produces: "You must enter an option for the program to perform."
Is this switch ONLY for cronjobs and if so, why doesn't the help file specify that?
3) what does "checking for suspicious (large) shared memory segments [ Warning ]" mean?
Thank you.
1) Can you run 'rkhunter --enable ipc_shared_mem --debug' and send me the output file created in /tmp please.
2) The 'rwo' is not just for cronjobs. It simply stands for 'report warnings only', it runs through whatever checks are requested but shows nothing on the screen except for any warnings. It is for use with the '--check' command option. In your example '--rwo' is not telling RKH what to do. For that you must use something like '--check' or '--propupd'. See 'Command options' in the man page.
3) Malware can typically use large memory segments. So any segments considered 'large' are flagged as a warning. Some legitimate programs will also use large segments, so these can be whitelisted. If RKH is run regularly then the test can indicate when a large segment is unexpectedly being used. Your log file will give more details about what the test has found.
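To make the test described in reply 3 concrete, here is an added example (not rkhunter's own code) of the kind of check it performs: flag shared memory segments above a size threshold unless the creating process is whitelisted. The segment table, the pid-to-executable map, the threshold and the whitelist are all constructed; the option names IPC_SEG_SIZE and ALLOWIPCPROC in the comments are assumed from rkhunter.conf, not taken from this thread.

```shell
#!/bin/sh
# Constructed, simplified table of shared memory segments:
# shmid owner bytes creator-pid (real data would come from ipcs).
SAMPLE_SEGMENTS='65536 alice 4194304 2101
65537 alice 524288 2102
65538 alice 16777216 2103
65539 bob 33554432 2104'

# Constructed map of creator pid -> executable (what /proc/<pid>/exe would resolve to).
SAMPLE_PROCS='2101 /usr/bin/compiz
2102 /usr/bin/nautilus
2103 /usr/lib/firefox/firefox
2104 /opt/unknown-app'

# Size threshold in bytes and whitelist of creator paths; these play the role
# of rkhunter's IPC_SEG_SIZE and ALLOWIPCPROC settings (assumed option names).
SEG_LIMIT=1048576
ALLOWED='/usr/bin/compiz /usr/lib/firefox/firefox'

# Look up the creator executable for a pid in the constructed map.
creator_of() {
    printf '%s\n' "$SAMPLE_PROCS" | awk -v pid="$1" '$1 == pid { print $2 }'
}

# Return 0 when the path is whitelisted. The comparison uses the POSIX '=' operator:
# under dash (Ubuntu's /bin/sh) the non-portable '==' is rejected with
# "[: <left operand>: unexpected operator", the same message shape seen in this thread
# (that '==' is the operator at fault is my inference, not stated by the maintainer).
is_allowed() {
    for allowed in $ALLOWED; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Print "shmid bytes path" for each segment larger than SEG_LIMIT whose creator
# is not whitelisted; everything else is silently accepted, as a whitelist should.
flag_large_segments() {
    printf '%s\n' "$SAMPLE_SEGMENTS" | while read -r shmid owner bytes cpid; do
        [ "$bytes" -gt "$SEG_LIMIT" ] || continue
        exe=$(creator_of "$cpid")
        if is_allowed "$exe"; then
            continue
        fi
        printf '%s %s %s\n' "$shmid" "$bytes" "$exe"
    done
}

flag_large_segments
```

Only the 32 MiB segment created by the non-whitelisted /opt/unknown-app is reported; the large compiz and firefox segments are accepted because their creators are whitelisted.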
Forget about creating the debug file. I found the problem. It is a bug in the code using an unportable operator.
I have updated the release files on sourceforge, so if you download version 1.4.6 again it should resolve your problem.
(I haven't been able to send out a message about this yet as it seems the sourceforge mail server is rejecting messages as spam. Reported by other users/projects as well. Once it's fixed, I'll then announce the re-release.)
I'm using what Synaptic says is 1.4.6-1, on Ubuntu-mate 18.04, and I'm getting similar messages. Does this mean that the Ubuntu package is not up-to-date?
/etc/cron.daily/rkhunter:
/usr/bin/rkhunter: 14795: [: /usr/bin/konsole: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/caja: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/caja: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/thunderbird/thunderbird: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/thunderbird/thunderbird: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/marco: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/mate-screensaver: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/mate-panel: unexpected operator
The same processes generate 'suspicious (large) shared memory segments' warnings.
Yes, probably. There was a minor update to the released 1.4.6 code. If Ubuntu didn't update their code/package again, then you are running the original (bugged) code.
By the way, I would highly recommend that you bump the version number next time. I packaged the original 1.4.6 release in Debian (which then made it to Ubuntu) but never noticed that there was a "new release" available since the latest version is still showing up as 1.4.6 and I have packaged that one.
Had it been bumped to 1.4.6.1 after that minor fix, I would have noticed and Ubuntu LTS would not be stuck with that problem. I will add a patch to the Debian package, but I'd say it would still be highly desirable to cut a new release. Other distros may have the same problem.
The general expectation for packagers is that upstream version numbers:
In case anybody else is looking for the changes between the first 1.4.6 and the second 1.4.6, here it is.