
Re: rkhunter finds something suspicious



On 07.05.20 at 19:14, shirish शिरीष wrote:
> Dear all,
>
> Today my system was slowing much more than ever. Hence decided to run
> rkhunter. It seems to have found some issues, could somebody take a
> look and see if these are false positives or what ?
>
> I don't know the hash sums it quotes are current or off-date from the
> one debian provides. I did see #651119 but it will be better if
> somebody better than me can see if everything is good or off.


Looks like a kernel rootkit, as programs like init, modprobe and systemd are reported to be manipulated. That should make sense if additional kernel modules and/or daemons are loaded. Since rkhunter seems to only report altered files where the locally stored hash has not been attacked, but not additional files in your system, you may additionally want to run debcheckroot to find out about such files (https://www.elstel.org/debcheckroot/). Anyway, you should reinstall your system. You could try to look at the mtime (modification time) of the files that are reported to be manipulated and search for other files with approximately the same date. Use the find utility to do so:
> find / -printf "%Y %p # %TY-%Tm-%Td_%TH:%TM %AY-%Am-%Ad %CY-%Cm-%Cd\n"
and:
There are three timestamps: modification time (m), inode modification time (c) - file attributes/creation, and last access time (a). Take care with the last access time: even running find on the files may change it without using -noatime or something of the like.


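As an added example, not code from the mail above: a small POSIX shell script that takes the paths rkhunter flagged, reads their mtime with stat, and lists other files modified within a configurable window using find's -newermt. GNU find, stat and touch are assumed; the suspect paths and the 30-minute window are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mail): correlate timestamps around files that
# rkhunter reported as manipulated. Assumes GNU find/stat/touch; suspect
# paths are passed as arguments and the window is given in minutes.

# mtime of a file in epoch seconds. stat reads only the inode, not the
# file contents, so it does not update the file's access time (atime).
mtime_epoch() {
    stat -c %Y "$1"
}

# ctime (inode change time) in epoch seconds. It is also bumped by
# chmod/chown/rename and, unlike mtime, cannot be set to an arbitrary
# value with touch, so it is worth comparing against the mtime column.
ctime_epoch() {
    stat -c %Z "$1"
}

# Print regular files under $1 whose mtime lies within +/- $3 minutes of the
# epoch time $2, one per line as "mtime ctime path". -xdev stays on the
# filesystem of $1; permission errors are silenced so the list stays readable.
files_modified_near() {
    root=$1; ref=$2; window_min=$3
    lo=$((ref - window_min * 60))
    hi=$((ref + window_min * 60))
    find "$root" -xdev -type f \
        -newermt "@$lo" ! -newermt "@$hi" \
        -printf '%TY-%Tm-%Td_%TH:%TM %CY-%Cm-%Cd_%CH:%CM %p\n' 2>/dev/null | sort
}

# For each suspect path, list the other files modified around its mtime.
correlate_suspects() {
    root=$1; window_min=$2; shift 2
    for f in "$@"; do
        [ -e "$f" ] || continue
        printf '== %s (mtime %s)\n' "$f" "$(mtime_epoch "$f")"
        files_modified_near "$root" "$(mtime_epoch "$f")" "$window_min"
    done
}

# Usage (placeholder paths): sh correlate.sh /sbin/init /sbin/modprobe
if [ "$#" -gt 0 ]; then
    correlate_suspects / 30 "$@"
fi
```

To keep atime intact, run it against a read-only mount of the disk from rescue media rather than on the live system.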