[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [rkhunter] coyote.coyote.den - Daily report

On Tue 28 Nov 2017 at 14:04:58 +0500, Alexander V. Makartsev wrote:

> On 28.11.2017 07:45, Gene Heskett wrote:
> > On Monday 27 November 2017 17:39:45 Brian wrote:
> >
> >> On Mon 27 Nov 2017 at 16:56:15 -0500, Gene Heskett wrote:
> >>> On Monday 27 November 2017 15:57:34 Brian wrote:
> >>>> On Mon 27 Nov 2017 at 15:46:55 -0500, Gene Heskett wrote:
> >>>>> On Monday 27 November 2017 14:35:17 root wrote:
> >>>>>
> >>>>> Installed new firefox-esr yesterday, from the wheezy repos.
> >>>>> Today, rkhunter has a cow:
> >>>> [rkhunter nonsense snipped]
> >>>>
> >> I'd ignore it. Better still, purge rkhunter from the system. It is
> >> renowned for giving false positives. There is no well-substantiated
> >> account of it ever discovering anything of consequence.
> > Thats another possibility, I get tired of its mewling about stuff thats 
> > normal here. I use amanda, so yes, xinetd is in use, and other similar 
> > crap. I am amazed it doesn't fuss about ~/gene/bin/mailwatcher, which is 
> > my coupling between fetchmail and kmail.
> >
> > Cheers, Gene Heskett
> IMHO "ignore it and purge" is a terrible advice for anything. It is
> better to understand the logic behind those triggers, even if they are
> indeed false positive in this case.

The advice was not intended to be generalised for all software. It was
given in a particular context for a software which has an extensive
track record for producing output which is of no consequence. I would
be very, very surprised if Gene Heskett had obtained firefox-esr from
an untrusted source. Yet another reason for not giving any credence to
what it reported.

> "rkhunter" has panicked and rightfully so because it found a working
> process with suspicious ports in listening state. As it explained these
> ports were known for usage by malware, ex. 6667 could be used for
> IRC-bot which is used for remote control of the malware.
> The name of process was "portsentry" and as stated in its package
> description is used for portscan detection, so it must have opened ports
> to "see" if there any portscans of known ports going.
> Did you installed "portsentry", or should you trust "portsentry" to open
> ports like this, are another questions.
> 
> I don't use "rkhunter", but there is probably some mechanism to
> whitelist, so it won't trigger on the same things (xinetd) every time.

I am all in favour of finding causes for software behaviour but make
an exception for rkhunter. Discovering that xinitrd is running is no
great achievement. Labelling it as suspicious and the source of a
possible rootkit comes close to generating FUD and inducing panic
in less experienced users.

-- 
Brian.
Reply to: