RKHUNTER SHOWING WARNINGS

sjosephrw

Hello Everyone
I am new to this forum so excuse me for any mistakes I make. Recently I have been noticing unusual activity on my Linux machine: when I visit legitimate websites (LinkedIn, BBC, sometimes even Google) I see a NOT SECURE warning. It was then that I discovered that the DNS settings on my machine were pointing to unknown DNS servers, so after following some online tutorials I ran RKHUNTER and this was the final output:

Code:
[15:15:06] System checks summary
[15:15:06] =====================
[15:15:06]
[15:15:06] File properties checks...
[15:15:06] Files checked: 150
[15:15:06] Suspect files: 1
[15:15:06]
[15:15:06] Rootkit checks...
[15:15:06] Rootkits checked : 499
[15:15:06] Possible rootkits: 8
[15:15:06]
[15:15:06] Applications checks...
[15:15:06] All checks skipped
[15:15:06]
[15:15:06] The system checks took: 3 minutes and 33 seconds

Here is the complete output on PasteBin.
I googled most of the warnings and they showed up as nothing I should be concerned about, but I am concerned about these last few warnings:

Code:
[15:14:56] Warning: Suspicious file types found in /dev:
[15:14:56]          /dev/shm/PostgreSQL.1524281242: dBase III DBT, version number 0, next free block index 2588949810
[15:14:56]          /dev/shm/PostgreSQL.285239003: dBase III DBT, version number 0, next free block index 2588949810

Can someone please help me find out what's happening?
Thank you
Joseph

Attachments:
  • WhatsApp Image 2020-09-02 at 4.43.35 PM.jpeg
  • WhatsApp Image 2020-09-02 at 4.41.28 PM.jpeg


Everything reported in the full log from rkhunter looks benign to me.
The 8 “possible” rootkit infections stem from some large sections of shared memory that are being used by various Mate components that you had running at the time: Mate-panel, Caja etc.

Likewise the databases in /dev/shm/ are most likely to be owned by one of your system's running processes too.

And the warnings about various configuration changes, users added to groups etc. look perfectly normal too.

So I’m pretty certain that these are all false positives!

Regarding the messages in the attached images that mention an insecure connection - that’s probably because you’re viewing the page over http, rather than https.
Or if the pages in question have a mixture of http and https components, you’ll also get that warning.

I’d recommend perhaps installing the HTTPS Everywhere browser extension. That will force your browser to use https wherever the option is available.

You can still view websites over plain http, if it is the only option, but you will probably see a warning like the ones you were getting if https is not available, or if a page has mixed content.
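The reply above reasons that the /dev/shm/PostgreSQL.* files belong to a running process, and the original post mentions resolv.conf pointing at unknown resolvers. Both claims can be checked rather than guessed. The script below is an added example written for this thread, not code posted by anyone in it: it walks /proc/PID/maps to list which processes have a given /dev/shm file mapped, and it reports any nameserver in a resolv.conf that is not on an allow-list. The /proc tree and resolv.conf path are parameters so the functions can be exercised on constructed input; the `scan` argument and the EXPECTED_DNS allow-list are assumptions of this example and must be adjusted to your own network.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks that turn the advice above
# into something verifiable:
#   1. which running process maps a /dev/shm file (via /proc/PID/maps),
#   2. which nameservers in a resolv.conf are not on an allow-list.
# The /proc tree, resolv.conf path and allow-list are parameters (assumed
# values here) so the functions can be run against constructed input.

# shm_owners PATH [PROC_DIR]
# Print "PID COMM" for every process whose memory map references PATH.
# A /dev/shm/PostgreSQL.* segment mapped by a "postgres" process is the
# expected case; one mapped by no process, or by an unrelated process,
# deserves a closer look.
shm_owners() {
    path=$1
    proc=${2:-/proc}
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # each maps line ends with the mapped file's path after a run of spaces
        if grep -qF -- " $path" "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            pid=${pid##*/}
            comm=$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# unexpected_nameservers RESOLV_CONF "IP IP ..."
# Print each nameserver in RESOLV_CONF that is not in the allow-list.
unexpected_nameservers() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$1"
}

# Live run:  sh check_shm_dns.sh scan
# EXPECTED_DNS is an assumed allow-list; replace it with the resolvers
# your router or provider is supposed to hand out.
EXPECTED_DNS="127.0.0.53 192.168.1.1"
if [ "${1:-}" = "scan" ]; then
    for f in /dev/shm/PostgreSQL.*; do
        [ -e "$f" ] || continue
        owners=$(shm_owners "$f")
        if [ -n "$owners" ]; then
            printf '%s is mapped by: %s\n' "$f" "$(printf '%s' "$owners" | tr '\n' ' ')"
        else
            printf '%s is mapped by NO running process (stale, or worth a closer look)\n' "$f"
        fi
    done
    bad=$(unexpected_nameservers /etc/resolv.conf "$EXPECTED_DNS")
    if [ -n "$bad" ]; then
        printf 'Nameservers not on the allow-list: %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')"
    else
        echo "All nameservers in /etc/resolv.conf are on the allow-list"
    fi
fi
```

Run it as root (or with sudo) so /proc/PID/maps of other users' processes is readable; an unprivileged run will silently skip those and can make a segment look orphaned. On systems using systemd-resolved, /etc/resolv.conf usually lists only 127.0.0.53 and the real upstream resolvers are shown by `resolvectl status`, so check those against the same allow-list.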
moving this thread to Linux Security, and welcome @sjosephrw :)

Cheers

Chris Turner
wizardfromoz
FWIW....the current offerings of anti virus stuff for Linux leave a lot to be desired

1. I do not believe that an antivirus is necessary

2. I installed ClamAV back in 2014 or 2015....and it was probably the greatest waste of my time.....only coming a close second place to Wine.

Make your browser secure.
Using Firefox browser, install the Malwarebytes add-on.
Also install HTTPS Everywhere.
Browse with your brain turned on.