Hello, digger44.
Extracted the section from rkhunter.log where rkhunter checks for processes that use large shared memory segments (what rkhunter considers large):
[21:56:19] Info: Starting test name 'ipc_shared_mem'
[21:56:19] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[21:56:20] Checking for suspicious (large) shared memory segments [ Warning ]
[21:56:20] Warning: The following suspicious (large) shared memory segments have been found:
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/bin/mate-screensaver PID: 5185 Owner: foobar Size: 64MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/mate-panel/wnck-applet PID: 1913 Owner: foobar Size: 32MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/bin/ghb PID: 44870 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/mate-panel/wnck-applet PID: 1913 Owner: foobar Size: 32MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.3MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.3MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.1MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.1MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/mate-settings-daemon PID: 1832 Owner: foobar Size: 64MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/thunderbird/thunderbird PID: 5041 Owner: foobar Size: 3.9MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/caja PID: 1880 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/caja PID: 1880 Owner: foobar Size: 64MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/thunderbird/thunderbird PID: 5041 Owner: foobar Size: 3.8MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/ghb PID: 44870 Owner: foobar Size: 16MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.4MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.4MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/mate-panel/wnck-applet PID: 1913 Owner: foobar Size: 32MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1 PID: 1948 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/ghb PID: 44870 Owner: foobar Size: 32MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/mate-terminal PID: 86935 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21]
If you take the time to read those lines above closely, you will realize that they all give the names of applications which you had open at the same time when rkhunter was checking the system.
They all are false positives.
There you have what rkhunter flags as 30 possible rootkits in its summary.
[21:57:52] System checks summary
[21:57:52] =====================
[21:57:52]
[21:57:52] File properties checks...
[21:57:52] Files checked: 145
[21:57:52] Suspect files: 0
[21:57:53]
[21:57:53] Rootkit checks...
[21:57:53] Rootkits checked : 479
[21:57:53] Possible rootkits: 30
[21:57:53]
[21:57:53] Applications checks...
[21:57:53] All checks skipped
[21:57:53]
[21:57:53] The system checks took: 4 minutes and 58 seconds
[21:57:53]
[21:57:53] Info: End date is Wednesday, 19 January, 2022 09:57:53 PM PST
Nothing detected by rkhunter which you have to be worried about.
You can avoid most of these false positives by closing all graphical applications before you launch an rkhunter check, and leaving the system alone for the 5 minutes that the rkhunter check takes.
Regards,
Karl
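As an added example (not part of Karl's post or of rkhunter itself), the small triage script below parses the `ipc_shared_mem` section of an rkhunter.log in the format quoted above and reduces the per-segment warnings to what actually matters for deciding whether they are false positives: how many distinct processes were flagged, who owns them, and whether every flagged size really is at or above the configured threshold. The sample input is a constructed subset of the log lines quoted in the post; the function names and the summary structure are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rkhunter.log excerpt quoted in the post
# (same line format as rkhunter writes it).
SAMPLE_LOG = """\
[21:56:19] Info: Starting test name 'ipc_shared_mem'
[21:56:19] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[21:56:20] Checking for suspicious (large) shared memory segments [ Warning ]
[21:56:20] Warning: The following suspicious (large) shared memory segments have been found:
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/bin/mate-screensaver PID: 5185 Owner: foobar Size: 64MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/mate-panel/wnck-applet PID: 1913 Owner: foobar Size: 32MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/bin/ghb PID: 44870 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/mate-panel/wnck-applet PID: 1913 Owner: foobar Size: 32MB (configured size allowed: 1.0MB)
[21:56:20] Process: /usr/lib/firefox/firefox-bin PID: 2239 Owner: foobar Size: 1.3MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/caja PID: 1880 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/caja PID: 1880 Owner: foobar Size: 64MB (configured size allowed: 1.0MB)
[21:56:21] Process: /usr/bin/mate-terminal PID: 86935 Owner: foobar Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21]
"""

THRESHOLD_RE = re.compile(
    r"minimum shared memory segment size to be checked \(in bytes\): (\d+)")
PROC_RE = re.compile(
    r"Process: (?P<path>\S+) PID: (?P<pid>\d+) Owner: (?P<owner>\S+) "
    r"Size: (?P<num>[\d.]+)(?P<unit>[KMG]?B)")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_ipc_warnings(text):
    """Return (threshold_bytes, list of flagged segments) from an rkhunter.log excerpt."""
    threshold = None
    flagged = []
    for line in text.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            threshold = int(m.group(1))
            continue
        m = PROC_RE.search(line)
        if m:
            # rkhunter prints rounded human-readable sizes; convert back to bytes
            size = int(float(m["num"]) * UNIT[m["unit"]])
            flagged.append({"path": m["path"], "pid": int(m["pid"]),
                            "owner": m["owner"], "bytes": size})
    return threshold, flagged


def summarize_by_process(flagged):
    """Collapse one warning per segment into one record per (path, pid)."""
    by_proc = defaultdict(lambda: {"segments": 0, "max_bytes": 0, "owner": None})
    for f in flagged:
        rec = by_proc[(f["path"], f["pid"])]
        rec["segments"] += 1
        rec["max_bytes"] = max(rec["max_bytes"], f["bytes"])
        rec["owner"] = f["owner"]
    return dict(by_proc)


def triage(text):
    """Facts a reviewer wants before deciding the warnings are benign."""
    threshold, flagged = parse_ipc_warnings(text)
    per_process = summarize_by_process(flagged)
    return {
        "threshold_bytes": threshold,
        "warnings": len(flagged),
        "distinct_processes": len(per_process),
        "owners": sorted({f["owner"] for f in flagged}),
        # processes running as root deserve a closer look than a user's desktop apps
        "root_owned": sorted(k[0] for k, v in per_process.items() if v["owner"] == "root"),
        "all_at_or_above_threshold": all(f["bytes"] >= threshold for f in flagged),
        "largest_mb": max(f["bytes"] for f in flagged) / UNIT["MB"],
        "per_process": per_process,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("threshold_bytes", "warnings", "distinct_processes", "owners",
                "root_owned", "all_at_or_above_threshold", "largest_mb"):
        print(f"{key}: {result[key]}")
    for (path, pid), rec in sorted(result["per_process"].items()):
        print(f"  {path} (pid {pid}, {rec['owner']}): "
              f"{rec['segments']} segment(s), largest {rec['max_bytes'] / UNIT['MB']:.1f}MB")
```

Run it on the full section of your own rkhunter.log instead of the embedded sample; if every flagged process resolves to a desktop application path owned by your login user and `root_owned` is empty, the warnings are the kind of false positive Karl describes, and the summary count of "possible rootkits" is just the number of segment lines, not the number of processes.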