Re: rkhunter finds something suspicious
Take care when you try to analyze the rootkit: you should install anew
into another partition or boot from a live CD first, and then look at the
files without executing them (otherwise your new system may get
infected). The rootkit may be altered or removed, or your activity may be
monitored and/or inhibited, if you try to analyze from out of an infected

On 08.05.20 at 15:48, Elmar Stellnberger wrote:

On 07.05.20 at 19:14, shirish शिरीष wrote:

Today my system was slowing down much more than ever. Hence I decided to run
rkhunter. It seems to have found some issues; could somebody take a
look and see if these are false positives or what?
I don't know if the hash sums it quotes are current or out of date compared to the
ones Debian provides. I did see #651119, but it will be better if
somebody better than me can see if everything is good or off.

Looks like a kernel rootkit, as programs like init, modprobe and
systemd are reported to be manipulated. That would make sense if
additional kernel modules and/or daemons are loaded. Since rkhunter
seems to report only altered files whose locally stored hash has not
been attacked, but not additional files in your system, you may
additionally want to run debcheckroot to find out about such files
(https://www.elstel.org/debcheckroot/). Anyway, you should reinstall
your system. You could try to look at the mtime (modification time) of
the files that are reported to be manipulated and search for other files
with approximately the same date. Use the find utility to do so:
> find / -printf "%Y %p # %TY-%Tm-%Td_%TH:%TM %AY-%Am-%Ad %CY-%Cm-%Cd\n"
There are three timestamps: modification time (m), inode modification
time (c) - file attributes/creation, and last access time (a). Take care
with the last access time: even running find on the files may change that
without using -noatime or something of the like.
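The triage step Elmar describes (take one file rkhunter flagged, then look for other files with about the same modification time) as a small script. This is an added example, not code from the thread or from rkhunter/debcheckroot. It assumes GNU findutils and coreutils (find -newermt/-printf, stat -c, date-style "@epoch" times), as on Debian, and that the suspect filesystem is mounted read-only under some directory on a clean system; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the mtime-triage step described in the thread; it is
# not part of the original messages. Given one file that rkhunter flagged,
# list every regular file under ROOT whose mtime lies within WINDOW seconds
# of it, printing type, path and m/c/a times in the same layout as the
# find command quoted above. Assumes GNU find/stat (coreutils, findutils).

files_near_mtime() {
  ref="$1"; window="$2"; root="$3"
  ref_mtime=$(stat -c %Y "$ref")          # reference mtime, epoch seconds
  lo=$((ref_mtime - window))
  hi=$((ref_mtime + window))
  # -newermt "@N" means "mtime later than epoch second N"; the pair of
  # tests brackets the window.  %Y = file type, %T/%C/%A = mtime/ctime/atime.
  find "$root" -xdev -type f -newermt "@$lo" ! -newermt "@$hi" \
    -printf '%Y %p # m=%TY-%Tm-%Td_%TH:%TM c=%CY-%Cm-%Cd_%CH:%CM a=%AY-%Am-%Ad_%AH:%AM\n' \
    | sort
}

# Constructed sample tree standing in for a mounted suspect root: three
# files touched within a few minutes of each other and one unrelated file.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sbin" "$dir/lib/modules/extra" "$dir/etc"
  for f in sbin/init sbin/modprobe lib/modules/extra/unknown.ko etc/hostname; do
    printf 'sample\n' > "$dir/$f"
  done
  touch -d '2020-05-06 03:14:00' "$dir/sbin/init"
  touch -d '2020-05-06 03:13:10' "$dir/sbin/modprobe"
  touch -d '2020-05-06 03:15:30' "$dir/lib/modules/extra/unknown.ko"
  touch -d '2019-01-01 12:00:00' "$dir/etc/hostname"
  printf '%s\n' "$dir"
}

# Stand-alone demo: a five-minute window around the flagged sbin/init.
root=$(make_sample_tree)
files_near_mtime "$root/sbin/init" 300 "$root"
rm -rf "$root"
```

On a real case you would pass the flagged file's path inside the mounted copy (for example "$MNT/sbin/init") and "$MNT" as the root, and widen or narrow the window until the cluster of files around the manipulation stands out; the ctime column is the more useful one when the mtime has been reset, since ctime cannot be set from userspace without changing the clock.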