
When I run rkhunter --check, it shows me that I have possible rootkits:

/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/konsole: unexpected operator
    Checking for suspicious (large) shared memory segments   [ Warning ]

/var/log/rkhunter.log shows me this:

Warning: The following suspicious (large) shared memory segments have been found:
[21:17:06]          Process: /usr/lib/firefox/firefox (deleted)    PID: 9750    Owner: louie    Size: 4,0MB (configured size allowed: 1,0MB)
[21:17:07]          Process: /usr/lib/firefox/firefox (deleted)    PID: 9750    Owner: louie    Size: 4,0MB (configured size allowed: 1,0MB)
[21:17:07]          Process: /usr/bin/konsole (deleted)    PID: 11415    Owner: louie    Size: 1,7MB (configured size allowed: 1,0MB)

The alternative chkrootkit only shows me one infection, "tcpd", which I have read in several places is a false positive.

Can rkhunter also show false positives?

rubo77
louiesanchezdj

1 Answer

Sure, on a first run rkhunter shows a lot of false positives, and firefox is one of the commonly known ones. It can be ignored in the /etc/rkhunter.conf file by uncommenting the already shown example:

ALLOWIPCPROC=/usr/bin/firefox

There are some other known false positives around, but I couldn't find any explanation of how to find out if a process is known to use large memory.

I hope I will get an answer here soon: https://security.stackexchange.com/questions/220302/find-out-if-a-process-is-allowed-to-use-shared-memory-segments

see also: https://serverfault.com/a/937301/128892

rubo77
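A small triage helper, added here as an example and not code from rkhunter or from either poster: it parses the "suspicious (large) shared memory segments" lines from rkhunter.log as quoted in the question, checks them against an ALLOWIPCPROC-style allowlist, and returns whatever is still unexplained, worst overshoot first. The sample log is constructed (the /usr/sbin/unknownd entry is fictional), and matching entries by exact executable path is this helper's own assumption rather than rkhunter's config semantics.

```python
import re
from dataclasses import dataclass
# Constructed sample modelled on the question's rkhunter.log; /usr/sbin/unknownd is fictional.
SAMPLE_LOG = """\
[21:17:06] Warning: The following suspicious (large) shared memory segments have been found:
[21:17:06]          Process: /usr/lib/firefox/firefox (deleted)    PID: 9750    Owner: louie    Size: 4,0MB (configured size allowed: 1,0MB)
[21:17:07]          Process: /usr/bin/konsole (deleted)    PID: 11415    Owner: louie    Size: 1,7MB (configured size allowed: 1,0MB)
[21:17:07]          Process: /usr/sbin/unknownd    PID: 31337    Owner: root    Size: 12,5MB (configured size allowed: 1,0MB)
"""

# "(deleted)" = the executable was unlinked after the process started (e.g. a package
# upgrade while it ran); on its own that is not a rootkit indicator, just worth a restart.
LINE_RE = re.compile(
    r"Process:\s+(?P<path>\S+)(?P<deleted>\s+\(deleted\))?\s+PID:\s+(?P<pid>\d+)\s+"
    r"Owner:\s+(?P<owner>\S+)\s+Size:\s+(?P<size>[\d.,]+)(?P<unit>[KMG]B)\s+"
    r"\(configured size allowed:\s+(?P<limit>[\d.,]+)(?P<limit_unit>[KMG]B)\)"
)
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def to_bytes(number: str, unit: str) -> int:
    # rkhunter wrote "4,0MB" under a comma-decimal locale; accept "," and "." alike.
    return int(float(number.replace(",", ".")) * UNITS[unit])

@dataclass
class ShmWarning:
    path: str
    pid: int
    owner: str
    size: int      # bytes
    limit: int     # bytes; the configured threshold rkhunter applied
    deleted: bool  # on-disk executable gone while the process still runs

def parse_shm_warnings(log_text: str) -> list:
    """Extract every shared-memory warning line from rkhunter.log text."""
    found = []
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        found.append(ShmWarning(
            path=m["path"], pid=int(m["pid"]), owner=m["owner"],
            size=to_bytes(m["size"], m["unit"]),
            limit=to_bytes(m["limit"], m["limit_unit"]),
            deleted=m["deleted"] is not None))
    return found

def triage(warnings: list, allowlist: set) -> tuple:
    """Split into (allowed, unexplained) by an ALLOWIPCPROC-style set of executable paths.
    Exact-path matching is this helper's assumption, not rkhunter's own config handling."""
    allowed = [w for w in warnings if w.path in allowlist]
    unexplained = sorted((w for w in warnings if w.path not in allowlist),
                         key=lambda w: w.size / w.limit, reverse=True)  # worst first
    return allowed, unexplained
```

Anything left in the unexplained list is what to inspect by hand (which package owns the path, whether the PID is still alive, and whether the size is plausible for that program) before adding an ALLOWIPCPROC line for it.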