
Re: rkhunter finds something suspicious

Take care when you try to analyze the rootkit: you should install anew into another partition or boot from a live CD first, and then look at the files without executing them (otherwise your new system may get infected). The rootkit may be altered or removed, or your activity may be monitored and/or inhibited, if you try to analyze from within an infected system.

On 08.05.20 at 15:48, Elmar Stellnberger wrote:
On 07.05.20 at 19:14, shirish शिरीष wrote:
Dear all,

Today my system was slowing down much more than ever. Hence I decided to run
rkhunter. It seems to have found some issues; could somebody take a
look and see if these are false positives or what?

I don't know whether the hash sums it quotes are current or out of date compared to the
ones Debian provides. I did see #651119, but it will be better if
somebody better than me can see if everything is good or off.

  Looks like a kernel rootkit, as programs like init, modprobe and systemd are reported to be manipulated. That would make sense if additional kernel modules and/or daemons are loaded. Since rkhunter seems to report only altered files whose locally stored hash has not been attacked, but not additional files in your system, you may additionally want to run debcheckroot to find out about such files (https://www.elstel.org/debcheckroot/). Anyway, you should reinstall your system. You could try to look at the mtime (modification time) of the files that are reported to be manipulated and search for other files with approximately the same date. Use the find utility to do so:
 > find / -printf "%Y %p # %TY-%Tm-%Td_%TH:%TM %AY-%Am-%Ad %CY-%Cm-%Cd\n"
  There are three timestamps: modification time (m), inode modification time (c) - file attributes/creation - and last access time (a). Take care with the last access time: even running find on the files may change it unless you use -noatime or something of the like.
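The timestamp search described above, as an added example that is not part of the thread and not Elmar's or rkhunter's code: instead of printing every file on the system, it takes one suspect file (say /sbin/init on the mounted suspect root) and lists only files whose mtime falls within a window around that file's mtime, sorted by mtime, with ctime and atime shown next to each hit. It assumes GNU find and awk (both present on Debian) and a POSIX sh. On the atime caveat: find only stat()s files, which does not update a file's atime, but it reads directory contents, which can update the directory's atime; any tool that opens a file's content will update that file's atime. The safe approach is the one suggested earlier in the thread: boot a live system and mount the suspect filesystem read-only and without atime updates before searching it, e.g. `mount -o ro,noatime /dev/sdXN /mnt/suspect` (device name is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original thread). Requires GNU find and awk.
#
# nearby_mtime_files ROOT REF_FILE WINDOW_SECONDS
#   Lists every file under ROOT (staying on one filesystem) whose modification
#   time lies within +/- WINDOW_SECONDS of REF_FILE's mtime, excluding REF_FILE
#   itself, sorted by mtime. Output per line (tab separated):
#     <type>\t<path>\tmtime=YYYY-mm-dd_HH:MM ctime=... atime=...
#   Run it against a suspect root mounted read-only from a live system, e.g.
#     nearby_mtime_files /mnt/suspect /mnt/suspect/sbin/init 600
nearby_mtime_files() {
    root=$1
    ref=$2
    window=$3

    # Epoch seconds (with fraction) of the reference file's mtime; find's
    # own -printf keeps this to a single tool and does not open the file.
    ref_mtime=$(find "$ref" -maxdepth 0 -printf '%T@') || return 1

    # Field 1 is the epoch mtime used for the numeric comparison; fields 2-4
    # are the three timestamps in human-readable form (same layout as the
    # find line earlier in the thread); field 5 is the file type; the path
    # comes last so that a path containing tabs can be reassembled in awk.
    # -xdev keeps the scan on the suspect filesystem (no /proc, /sys, or the
    # live medium); ! -samefile drops the reference file from the listing.
    find "$root" -xdev ! -samefile "$ref" \
        -printf '%T@\t%TY-%Tm-%Td_%TH:%TM\t%CY-%Cm-%Cd_%CH:%CM\t%AY-%Am-%Ad_%AH:%AM\t%y\t%p\n' \
        2>/dev/null \
      | sort -n \
      | awk -F'\t' -v ref="$ref_mtime" -v win="$window" '
            ($1 - ref) <= win && (ref - $1) <= win {
                path = $6
                for (i = 7; i <= NF; i++) path = path "\t" $i
                printf "%s\t%s\tmtime=%s ctime=%s atime=%s\n", $5, path, $2, $3, $4
            }'
}
```

A hit whose ctime is close to the suspect file's ctime as well is the more interesting one: mtime can be set freely by the intruder (touch -r), while ctime is updated by the kernel on every inode change and cannot be set from user space without changing the system clock, so a recent ctime on a binary that claims an old mtime is itself a sign of tampering.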
