Menard wrote: ⤴Thu Oct 28, 2021 3:47 am
/usr/bin/lwp-request [ Warning ]
[08:19:32] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
rkhunter assumes that malware (rootkits) may have replaced the genuine binary file lwp-request by a Perl script.
Malicious goal: injecting additional malicious activity into lwp-request, before at the end invoking the genuine lwp-request binary.
But:
On Ubuntu based Linux distributions like Ubuntu itself and Linux Mint, lwp-request is a Perl script by design. So rkhunter is not right in this case.
Solution on Ubuntu/Mint:
Whitelist the lwp-request in the rkhunter configuration file /etc/rkhunter.conf.
(You can edit the file /etc/rkhunter.conf with root privileges only. Look for the word "lwp-request". Whitelist it.)
Menard wrote: ⤴Thu Oct 28, 2021 3:47 am
Warning: The following suspicious (large) shared memory segments have been found:
[08:20:42] Process: /usr/libexec/csd-background PID: 1372 Owner: u1 Size: 64MB (configured size allowed: 1,0MB)
[08:20:42] Process: /usr/bin/nemo-desktop PID: 1540 Owner: u1 Size: 4,0MB (configured size allowed: 1,0MB)
[08:20:42] Process: /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 PID: 1551 Owner: u1 Size: 4,0MB (configured size allowed: 1,0MB)
[08:20:42] Process: /usr/lib/libreoffice/program/soffice.bin PID: 22414 Owner: u1 Size: 16MB (configured size allowed: 1,0MB)
[08:20:42] Process: /usr/libexec/gnome-terminal-server PID: 23005 Owner: u1 Size: 4,0MB (configured size allowed: 1,0MB)
[08:20:42]
rkhunter assumes that processes which allocate large chunks of shared memory segments are suspicious, because malware (rootkits) might have injected themselves into such processes.
The problem with this assumption is:
+ legitimate processes may allocate large shared memory segments
+ the rkhunter default maximum size limit of 1 MB is very small
Result:
rkhunter is extremely likely to list genuine unmodified application processes as "potential rootkits".
This is what we see here as well.
(I could run rkhunter here on LM 19.3 Cinnamon and rkhunter would "flag" almost the same processes here as well.)
Please, look at the process names and their complete pathnames. They are all genuine system processes (csd-background, nemo-desktop, polkit-gnome-authentication-agent-1) or genuine application processes (Libre Office soffice.bin and gnome-terminal-server).
Solution:
To avoid such false positives you can whitelist precisely theses processes (giving the pathnames specified in the rkhunter logfile) in the rkhunter configuration file /etc/rkhunter.comf.
General issues with rkhunter (scan results):
- rkhunter assumes that the first rkhunter run has been done on a clean system.
- rkhunter compares the current scan results with the scan results from its previous run for many of its checks.
- It will display differences as "suspicious". -> The verification however is left to the user, who invoked rkhunter.
- rkhunter defines a limit for the not suspicious size of shared memory segments. The limit is very low and pretty arbitrary. -> It will flag genuine processes as "suspected of being rootkit activity", based on a pretty questionable assumption.
- In the end the user has to decide, which of the rkhunter findings really spells danger and which all are "false positives".
- In case all findings have been cleared up as "false positives", the user has to execute
sudo rkhunter --propupd in order to make sure that rkhunter honours the current state of executable files as "clean" in future.
- In case all findings have been cleared up as "false positives", the user may have to whitelist certain files or processes in /etc/rkhunter.conf in order not to be presented the same "false positives" over and over again in future.
