rkhunter, a false positive into MX19x32 ?

oops
Posts: 1620
Joined: Tue Apr 10, 2018 5:07 pm

rkhunter, a false positive into MX19x32 ?

#1 Post by oops »

Hi,
rkhunter, a false positive in MX19 x32? "Rootkit names : xorddos component"

Code:

/usr/bin/rkhunter --checkall --skip-keypress (or --report-warnings-only --cronjob) (the 1st time: rkhunter --propupd):
cat /var/log/rkhunter.log | tail -19
[11:30:15]
[11:30:15] System checks summary
[11:30:15] =====================
[11:30:15]
[11:30:15] File properties checks...
[11:30:15] Files checked: 140
[11:30:15] Suspect files: 4
[11:30:15]
[11:30:15] Rootkit checks...
[11:30:15] Rootkits checked : 483
[11:30:15] Possible rootkits: 2
[11:30:15] Rootkit names    : xorddos component
[11:30:15]
[11:30:15] Applications checks...
[11:30:15] All checks skipped
[11:30:15]
[11:30:15] The system checks took: 1 minute and 19 seconds
[11:30:15]
[11:30:15] Info: End date is jeudi 7 novembre 2019, 11:30:15 (UTC+0100)
For new users: Alt+F1 for the manual, or FAQS, MX MANUAL, and Debian Tips - System info “quick-system-info-mx” (QSI) ... Here: System: MX-19_x64 & antiX19_x32

BitJam
Developer
Posts: 2283
Joined: Sat Aug 22, 2009 11:36 pm

Re: rkhunter, a false positive into MX19x32 ?

#2 Post by BitJam »

I get that same xorddos message on my Gentoo box. Elsewhere in the log file it says:

Code:

Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

but this is just the pid file for the udev process and all it contains is the pid of the udev process so I think this is a false alarm. Google seems to agree.
"The first principle is that you must not fool yourself -- and you are the easiest person to fool."

-- Richard Feynman
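BitJam's reasoning above (the file holds nothing but the PID of the udev process) can be turned into an explicit check. This is an added example, not code from the thread or from rkhunter; `pidfile_is_udev` and `make_fixture` are hypothetical names, and the fake /proc tree is constructed so the check can be exercised offline.

```shell
# Added example (not from the thread or from rkhunter): check that a pid file
# is the benign udev pid file BitJam describes: it holds one numeric PID, and
# that PID belongs to a running udev daemon. A fake /proc root can be passed
# as the second argument so the check can be exercised offline.
pidfile_is_udev() {
    pidfile=$1
    procroot=${2:-/proc}
    [ -f "$pidfile" ] || return 1
    # A real pid file is tiny; anything bigger is not "just a pid"
    size=$(wc -c < "$pidfile" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le 12 ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    # The content must be a single positive integer
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # The PID must be a live process whose name is a udev daemon
    [ -r "$procroot/$pid/comm" ] || return 1
    case $(cat "$procroot/$pid/comm") in
        systemd-udevd|udevd) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed fixture (hypothetical, not a real system): a fake /proc tree and
# three pid files, one benign and two that should fail the check.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/4242" "$d/proc/777" "$d/run"
    printf 'systemd-udevd\n' > "$d/proc/4242/comm"
    printf 'nc\n' > "$d/proc/777/comm"
    printf '4242\n' > "$d/run/udev.pid"          # udev's own pid: benign
    printf '777\n' > "$d/run/other.pid"          # pid of a non-udev process
    printf 'not a pid\n' > "$d/run/payload.pid"  # not a pid at all
    echo "$d"
}

# Real-world use: pidfile_is_udev /var/run/udev.pid && echo "udev.pid is benign"
```

If the check fails on a real system, the file is worth a closer look before whitelisting it; if it passes, the rkhunter warning is consistent with the false alarm described in the thread.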

andyprough
MX Packager
Posts: 918
Joined: Tue Jul 23, 2019 10:16 pm

Re: rkhunter, a false positive into MX19x32 ?

#3 Post by andyprough »

I get a similar result this morning on MX19 64-bit:

Code:

sudo cat /var/log/rkhunter.log | tail -19
[07:05:00]
[07:05:00] System checks summary
[07:05:00] =====================
[07:05:00]
[07:05:00] File properties checks...
[07:05:00] Files checked: 140
[07:05:00] Suspect files: 4
[07:05:00]
[07:05:00] Rootkit checks...
[07:05:00] Rootkits checked : 483
[07:05:00] Possible rootkits: 10
[07:05:00] Rootkit names    : xorddos component
[07:05:00]
[07:05:00] Applications checks...
[07:05:00] All checks skipped
[07:05:00]
[07:05:00] The system checks took: 1 minute and 21 seconds
[07:05:00]
[07:05:00] Info: End date is Thu 07 Nov 2019 07:05:00 AM CST

Two Gentoo forum threads have dealt with it as a possible false positive earlier this year:
https://groups.google.com/d/topic/linux ... LqUIHV4Afk
https://forums.gentoo.org/viewtopic-t-1 ... ight-.html

Also, one rkhunter thread on sourceforge earlier this year with no clear resolution, although the user decided to whitelist /udev/pid to get rid of the warning: https://sourceforge.net/p/rkhunter/mail ... /36596124/
Primary Computer - Commodore 64: Processor - MOS 6510/8500, 1.023MHz; Memory - 64kb RAM, 20kB ROM - 8k BASIC V2, 8k Kernel, 4k Character ROM; Display output - 320x200, 16 colours; OS - BASIC V2.0; Weight: 1.8kg

oops
Posts: 1620
Joined: Tue Apr 10, 2018 5:07 pm

Re: rkhunter, a false positive into MX19x32 ?

#4 Post by oops »

BitJam wrote: Thu Nov 07, 2019 9:24 am I get that same xorddos message on my Gentoo box. Elsewhere in the log file it says:

Code:

Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

but this is just the pid file for the udev process and all it contains is the pid of the udev process so I think this is a false alarm. Google seems to agree.

Right, I have the same file (for MX 19 x32 and x64).
a user decided to whitelist /udev/pid to get rid of the warning:
... A good idea in this case.
Last edited by oops on Thu Nov 07, 2019 9:50 am, edited 1 time in total.

andyprough
MX Packager
Posts: 918
Joined: Tue Jul 23, 2019 10:16 pm

Re: rkhunter, a false positive into MX19x32 ?

#5 Post by andyprough »

BitJam wrote: Thu Nov 07, 2019 9:24 am I get that same xorddos message on my Gentoo box. Elsewhere in the log file it says:

Code:

Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

but this is just the pid file for the udev process and all it contains is the pid of the udev process so I think this is a false alarm. Google seems to agree.

Same warning message content here on MX19 64-bit -

Code:

Warning: Checking for possible rootkit files and directories [ Warning ]
         Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

ChrisUK
Qualified MX Guide
Posts: 299
Joined: Tue Dec 12, 2017 1:04 pm

Re: rkhunter, a false positive into MX19x32 ?

#6 Post by ChrisUK »

Using Rkhunter 1.4.6-5~mx17+1 on MX 18.3 - I just get the following:

Code:

Warning: The following suspicious (large) shared memory segments have been found:
         Process: /usr/bin/xfce4-terminal    PID: 13717    Owner: chris    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/xfdesktop    PID: 2725    Owner: chris    Size: 64MB (configured size allowed: 1.0MB)
         Process: /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1    PID: 2772    Owner: chris    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/thunar    PID: 7438    Owner: chris    Size: 1.0MB (configured size allowed: 1.0MB)

AFAIK, all can be safely ignored.

I do have an edited/custom rkhunter.conf file, that whitelists certain files/scripts, which might make a difference.
Chris

MX 18 MX 19 - Manjaro

enricota
Posts: 1
Joined: Thu Jun 20, 2019 5:51 pm

Re: rkhunter, a false positive into MX19x32 ?

#7 Post by enricota »

Hi everyone
Can anyone help me understand these warnings?
********** If this is only a false positive... 9_9

- Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
Warning: The following suspicious (large) shared memory segments have been found:
Process: /usr/bin/vncviewer PID: 4373 Owner: mario Size: 2,2MB (configured size allowed: 1,0MB)
Process: /usr/bin/xfce4-terminal PID: 6189 Owner: mario Size: 16MB (configured size allowed: 1,0MB)

********* what are those? :confused:

Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

Below, the complete output:

Code:

mario@mx-19:~
$ sudo rkhunter -c --rwo
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
Warning: Checking for possible rootkit files and directories [ Warning ]
         Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
Warning: The following suspicious (large) shared memory segments have been found:
         Process: /usr/bin/vncviewer    PID: 4373    Owner: mario    Size: 2,2MB (configured size allowed: 1,0MB)
         Process: /usr/bin/xfce4-terminal    PID: 6189    Owner: mario    Size: 16MB (configured size allowed: 1,0MB)
Warning: Hidden directory found: /etc/.java

Thanks in advance...
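The thread's resolution was to whitelist the udev pid file in rkhunter.conf, and the last post lists the other warning classes rkhunter raises on a stock MX install; this added example (not code from the thread or from rkhunter) maps each such warning line, once it has been verified as benign, to the rkhunter.conf directive that silences it. The directive names are rkhunter's own (RTKT_FILE_WHITELIST, SCRIPTWHITELIST, ALLOWHIDDENDIR, ALLOWIPCPROC); `warning_to_directive`, `candidate_directives` and the sample log are this example's, with the sample built from the lines quoted in the thread.

```shell
# Added example (not from the thread or from rkhunter): map a warning line
# that has already been verified as benign to the rkhunter.conf directive that
# whitelists it. Directive names are rkhunter's own; the mapping and the sample
# log are this example's. Output is for review, not for blind appending.
warning_to_directive() {
    line=$1
    case $line in
        *"Found file '"*"'. Possible rootkit:"*)
            f=${line#*"Found file '"}; f=${f%%"'"*}
            echo "RTKT_FILE_WHITELIST=$f" ;;
        *"The command '"*"' has been replaced by a script:"*)
            f=${line#*"The command '"}; f=${f%%"'"*}
            echo "SCRIPTWHITELIST=$f" ;;
        *"Hidden directory found: "*)
            f=${line#*"Hidden directory found: "}
            echo "ALLOWHIDDENDIR=$f" ;;
        *"Process: "*"PID:"*"Owner:"*)
            # Large shared-memory segment: whitelist the process (or raise IPC_SEG_SIZE)
            f=$(printf '%s\n' "$line" | sed -n 's/.*Process: *\([^[:space:]]*\)[[:space:]]*PID:.*/\1/p')
            echo "ALLOWIPCPROC=$f" ;;
        *) return 1 ;;   # unknown warning: leave it for manual review
    esac
}

# Reads rkhunter output on stdin; prints a directive per recognised warning
# and a commented line for anything it cannot map.
candidate_directives() {
    while IFS= read -r line; do
        warning_to_directive "$line" || echo "# unmapped: $line"
    done
}

# Constructed sample, taken from the warning lines quoted in this thread
sample_log() {
    cat <<'EOF'
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: Checking for possible rootkit files and directories [ Warning ]
         Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
Warning: Hidden directory found: /etc/.java
EOF
}

sample_log | candidate_directives
```

On Debian-based systems egrep, fgrep and which are shipped as shell scripts and lwp-request as a Perl script, which is what the "replaced by a script" warnings are reporting; each generated line should still be checked against the file it names before it goes into /etc/rkhunter.conf.local.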
