rkhunter warnings

Hi, I just ran rkhunter and got a lot of warnings, which are not the ones I found the first time I ran it.

I'll drop the results here so someone can help me and tell me if they are rootkits.

It says there is a possible rootkit, but it does not say which warning it might be.

```
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    /usr/sbin/groupadd                                       [ Warning ]
    /usr/sbin/groupdel                                       [ Warning ]
    /usr/sbin/groupmod                                       [ Warning ]
    /usr/sbin/grpck                                          [ Warning ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/nologin                                        [ Warning ]
    /usr/sbin/pwck                                           [ Warning ]
    /usr/sbin/useradd                                        [ Warning ]
    /usr/sbin/userdel                                        [ Warning ]
    /usr/sbin/usermod                                        [ Warning ]
    /usr/sbin/vipw                                           [ Warning ]
    /usr/bin/lastlog                                         [ Warning ]
    /usr/bin/login                                           [ Warning ]
    /usr/bin/newgrp                                          [ Warning ]
    /usr/bin/passwd                                          [ Warning ]
    /usr/bin/size                                            [ Warning ]
    /usr/bin/strings                                         [ Warning ]
    /usr/bin/lwp-request                                     [ Warning ]
    /usr/bin/x86_64-linux-gnu-size                           [ Warning ]
    /usr/bin/x86_64-linux-gnu-strings                        [ Warning ]

  Performing additional rootkit checks
    Checking for suspicious (large) shared memory segments   [ Warning ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking for hidden files and directories                [ Warning ]

System checks summary
=====================

File properties checks...
    Files checked: 145
    Suspect files: 21

Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 1

Applications checks...
    All checks skipped

The system checks took: 54 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
```

==========================================================================

/var/log/rkhunter.log

```
[18:38:13]   Checking for enabled inetd services             [ Skipped ]
[18:38:13]   Checking for enabled xinetd services            [ Skipped ]
             Checking for local host name                    [ Found ]
[18:38:19]
[18:38:19] Info: Starting test name 'startup_malware'
[18:38:19]   Checking for system startup files               [ Found ]
[18:38:21]   Checking system startup files for malware       [ None found ]
[18:38:21]
[18:38:21] Info: Starting test name 'group_accounts'
[18:38:21] Performing group and account checks
[18:38:21]   Checking for passwd file                        [ Found ]
[18:38:21] Info: Found password file: /etc/passwd
[18:38:21]   Checking for root equivalent (UID 0) accounts   [ None found ]
[18:38:21] Info: Found shadow file: /etc/shadow
[18:38:21]   Checking for passwordless accounts              [ None found ]
[18:38:21]
[18:38:21] Info: Starting test name 'passwd_changes'
[18:38:21]   Checking for passwd file changes                [ Warning ]
[18:38:21] Warning: User 'snapd-range-524288-root' has been added to the passwd file.
[18:38:21] Warning: User 'snap_daemon' has been added to the passwd file.
[18:38:21] Warning: User 'lightdm' has been added to the passwd file.
[18:38:21]
[18:38:21] Info: Starting test name 'group_changes'
[18:38:21]   Checking for group file changes                 [ Warning ]
[18:38:21] Warning: Group 'vboxusers' has been removed from the group file.
[18:38:21] Warning: Group 'snapd-range-524288-root' has been added to the group file.
[18:38:21] Warning: Group 'snap_daemon' has been added to the group file.
[18:38:21] Warning: Group 'lightdm' has been added to the group file.
[18:38:21] Warning: Group 'nopasswdlogin' has been added to the group file.
[18:38:21]   Checking root account shell history files       [ OK ]

[18:38:21] Info: Starting test name 'filesystem'
[18:38:21] Performing filesystem checks
[18:38:21] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:38:22]   Checking /dev for suspicious file types         [ None found ]
[18:38:22]   Checking for hidden files and directories       [ Warning ]
[18:38:22] Warning: Hidden directory found: /etc/.java
[18:38:22]   Checking for missing log files                  [ Skipped ]
[18:38:22] Info: No missing log file names configured.
[18:38:22]   Checking for empty log files                    [ Skipped ]
[18:38:22] Info: No empty log file names configured.
[18:38:35]
[18:38:35] Info: Test 'apps' disabled at users request.
[18:38:35]
[18:38:35] System checks summary
[18:38:35] =====================
[18:38:35]
[18:38:35] File properties checks...
[18:38:35] Files checked: 145
[18:38:35] Suspect files: 21
[18:38:35]
[18:38:35] Rootkit checks...
[18:38:35] Rootkits checked : 477
[18:38:35] Possible rootkits: 1
[18:38:35]
[18:38:35] Applications checks...
[18:38:35] All checks skipped
[18:38:35]
[18:38:35] The system checks took: 54 seconds
[18:38:35]
[18:38:35] Info: End date is mar 13 dic 2022 18:38:35 CET
```
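The summary above says "Possible rootkits: 1" but never names the finding; the concrete `Warning:` lines are only in `/var/log/rkhunter.log`. The following POSIX shell script is an added triage example, not part of the original question and not rkhunter's own code: it pulls the `Warning:` detail lines out of the log, lists the paths the scan output marked `[ Warning ]`, and checks each flagged binary against the checksums recorded by the Debian/Ubuntu package that owns it (`dpkg -S` and `dpkg --verify`), which is the first question to ask of a system command reported as modified. The sample log it runs on by default is constructed from the lines in this question; pass a real log path as the first argument instead.

```shell
#!/bin/sh
# Added triage helper: example code, not part of the original question and
# not part of rkhunter itself. Extracts the "Warning:" details and the paths
# flagged [ Warning ] from an rkhunter log, then asks dpkg whether each
# flagged binary still matches its package's recorded md5sum.

# Print the explanatory "Warning:" lines of an rkhunter log, timestamps stripped.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: //p' "$1"
}

# Print the absolute paths that the scan output marked [ Warning ].
rkh_flagged_paths() {
    sed -n 's|^[[:space:]]*\(/[^[:space:]]*\)[[:space:]]*\[ Warning \]$|\1|p' "$1"
}

# Ask dpkg which package owns a path and whether the installed file still
# matches that package's recorded checksum. Prints one of:
#   <path> no-dpkg | <path> not-owned | <path> <package> ok | <path> <package> MODIFIED
verify_with_dpkg() {
    path=$1
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "$path no-dpkg"
        return 0
    fi
    pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -z "$pkg" ]; then
        echo "$path not-owned"
        return 0
    fi
    # dpkg --verify prints one line per mismatching file, path last, and
    # nothing when every file of the package matches its recorded md5sum.
    if dpkg --verify "$pkg" 2>/dev/null | grep -q " $path\$"; then
        echo "$path $pkg MODIFIED"
    else
        echo "$path $pkg ok"
    fi
}

# Run all three steps over one log file.
triage_rkhunter_log() {
    echo "== Warning details =="
    rkh_warnings "$1"
    echo "== Flagged paths, verified against dpkg =="
    for p in $(rkh_flagged_paths "$1"); do
        verify_with_dpkg "$p"
    done
}

# Constructed sample in the format of the question's scan output and log
# excerpt (not a real log). Writes it to a temp file and prints the path.
write_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
    /usr/bin/size                                            [ Warning ]
    /usr/bin/strings                                         [ Warning ]
[18:38:21]   Checking for passwd file changes                [ Warning ]
[18:38:21] Warning: User 'snap_daemon' has been added to the passwd file.
[18:38:22]   Checking for hidden files and directories       [ Warning ]
[18:38:22] Warning: Hidden directory found: /etc/.java
[18:38:21]   Checking root account shell history files       [ OK ]
EOF
    echo "$f"
}

# Usage: sh triage.sh [/var/log/rkhunter.log]; without an argument the
# constructed sample is used.
LOG=${1:-$(write_sample_log)}
triage_rkhunter_log "$LOG"
```

Two caveats on reading the result. First, dpkg's md5sum lists live on the same disk as the binaries, so "ok" means "consistent with the local package database", not "clean"; if a command is genuinely suspect, compare it against a freshly downloaded copy of the package (`apt-get download <pkg>`, then `dpkg-deb -x`) or from trusted boot media. Second, rkhunter's passwd/group and file-properties warnings are diffs against the baseline it stored at its last `rkhunter --propupd`, so every package install that creates accounts or replaces binaries produces warnings until that baseline is refreshed once the changes are confirmed legitimate.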

Rinzwind:
Too much text. Please trim the "not found"s and the "OK"s; no need for those. And it would be the first ever positive, so chances are it is fake. Do check /var/log/rkhunter.log as told for more info.
Dcodewin:
@Rinzwind Thank you very much for your quick response. It's edited already and I added the warnings from /var/log/rkhunter.log.
Dcodewin:
I am especially worried about /usr/bin/size as I didn't find any info at all about it. I don't really understand the rest.
zwets:
`/usr/bin/size` has been in GNU for over 30 years. Voting to close because this same question "please interpret these RKHunter warnings for me" has been discussed at least a dozen times already (see the links under "Related" on this page).
zwets:
Does this answer your question? [RKhunter possible false positive](https://askubuntu.com/questions/1123953/rkhunter-possible-false-positive)
Dcodewin:
Hi @zwets, thanks for your response and sorry for my ignorance. I know there are other posts that talk about it, but their warnings are different from mine, and my computer was acting up, so I was worried about it, as I don't know the OS as deeply as you do. I'll keep the question open for a while to see different opinions and close it after a few days. Thank you very much.