
Re: [rkhunter] coyote.coyote.den - Daily report

On 28.11.2017 15:16, Brian wrote:
> On Tue 28 Nov 2017 at 14:04:58 +0500, Alexander V. Makartsev wrote:
>
>> IMHO "ignore it and purge" is terrible advice for anything. It is
>> better to understand the logic behind those triggers, even if they are
>> indeed false positives in this case.
>
> The advice was not intended to be generalised for all software. It was
> given in a particular context for software which has an extensive
> track record for producing output which is of no consequence. I would
> be very, very surprised if Gene Heskett had obtained firefox-esr from
> an untrusted source. Yet another reason for not giving any credence to
> what it reported.

That could have nothing to do with firefox-esr. Just because some package was installed last doesn't always mean it will be the source of the problem.
Anyway, creating software that will reliably detect something meant to be undetectable, like a rootkit, while evading the rootkit's protection measures against well-known anti-rootkit software, is impossible.
When I read that log Gene posted and saw "6667 port" I was like "Holy shit this is serious", but then I looked up "portsentry" and realized it is a FP.
"rkhunter" had every right to panic and it's the user's fault for not knowing how "portsentry" works. (IF this is the legit "portsentry", not something that just has its name.)

>> "rkhunter" has panicked and rightfully so because it found a working
>> process with suspicious ports in listening state. As it explained these
>> ports were known for usage by malware, ex. 6667 could be used for an
>> IRC-bot which is used for remote control of the malware.
>> The name of the process was "portsentry" and as stated in its package
>> description it is used for portscan detection, so it must have opened ports
>> to "see" if there are any portscans of known ports going on.
>> Did you install "portsentry", or should you trust "portsentry" to open
>> ports like this, are other questions.
>>
>> I don't use "rkhunter", but there is probably some mechanism to
>> whitelist, so it won't trigger on the same things (xinetd) every time.
>
> I am all in favour of finding causes for software behaviour but make
> an exception for rkhunter. Discovering that xinetd is running is no
> great achievement. Labelling it as suspicious and the source of a
> possible rootkit comes close to generating FUD and inducing panic
> in less experienced users.

That said, it is better to know at least something and investigate, than just saying "meh, it's another FP" and uninstalling the software.
"rkhunter" has served its purpose at least to urge "less experienced users" to do some research and learn.

With kindest regards, Alexander.

⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
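An added example, not part of the thread and not code from rkhunter or portsentry: a small POSIX shell check that cross-references listening TCP ports against an allowlist of expected port=process pairs, so a listener like portsentry on 6667 is confirmed as expected instead of being waved off as a FP. The ss-style output lines and the allowlist are constructed samples; the rkhunter.conf option and binary path in the comments are assumptions to verify against your own config.

```shell
#!/bin/sh
# Cross-check listening ports against what this host is expected to run.

# Constructed sample in the shape of `ss -ltnp` output (not a real capture).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 1 0.0.0.0:6667 0.0.0.0:* users:(("portsentry",pid=1044,fd=5))
LISTEN 0 1 0.0.0.0:31337 0.0.0.0:* users:(("portsentry",pid=1044,fd=7))
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2201,fd=3))'

# Allowlist of port=process pairs expected on this host (constructed).
ALLOWED="22=sshd 6667=portsentry 31337=portsentry"

# Print "port process" for every LISTEN line whose pair is not allowlisted.
# Usage: unexpected_listeners "<ss -ltnp output>" "<allowlist>"
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^LISTEN/ {
            port = $4; sub(/.*:/, "", port)            # strip address, keep port
            proc = $6; sub(/^users:\(\(./, "", proc)   # drop users:((" prefix
            sub(/[^A-Za-z0-9_.-].*/, "", proc)         # keep the bare process name
            if (!((port "=" proc) in ok)) print port, proc
        }'
}

# On a live host feed real output: unexpected_listeners "$(ss -ltnp)" "$ALLOWED"
unexpected_listeners "$SAMPLE_SS" "$ALLOWED"
# Expected listeners (portsentry on 6667/31337) are silent; only "4444 nc" is reported.
# Next steps on a real host: confirm the binary behind an expected PID belongs
# to an installed package (dpkg -S "$(readlink /proc/<pid>/exe)"), then, if it is
# legitimate, whitelist it in rkhunter.conf, e.g. ALLOWPROCLISTEN=/usr/sbin/portsentry
# (option name and path assumed; check your rkhunter.conf before relying on them).
```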
