Rkhunter finds suspicious new groups and passwords

In the last few days I noticed that Chrome started to act weirdly. For example, it would ask whether I allow the microphone for Google Search although I had allowed it already. And then when I would click the allow button, I wouldn’t be able to click it (I click it but the computer doesn’t recognize it, and the dialog doesn’t go away). Also, if a power crash occurs and Chrome offers to restore the previous session tabs, when I click the restore button nothing happens and the previous session is not restored.

I started to suspect that there is a Trojan or virus on my computer, so I ran rkhunter. And it did find something very, very suspicious. Here it is:

[16:23:56] Info: Starting test name 'passwd_changes'
[16:23:56]   Checking for passwd file changes                [ Warning ]
[16:23:56] Warning: User 'rpcuser' has been added to the passwd file.
[16:23:56] Warning: User 'rabbitmq' has been added to the passwd file.
[16:23:56]
[16:23:56] Info: Starting test name 'group_changes'
[16:23:56]   Checking for group file changes                 [ Warning ]
[16:23:56] Warning: Group 'rpcuser' has been added to the group file.
[16:23:56] Warning: Group 'rabbitmq' has been added to the group file.
[16:23:56] Warning: Group 'vboxusers' has been added to the group file.
[16:23:56]   Checking root account shell history files       [ None found ]
[16:23:56]
[16:23:56] Info: Starting test name 'system_configs'
[16:23:56] Performing system configuration file checks
[16:23:57]

I don’t remember ever installing anything that has rabbitmq or rpcuser in its name. I recently installed Genymotion and VirtualBox, but I doubt that these programs create rabbitmq and rpcuser groups and passwords. Are these new users and password changes that rkhunter warns me about a reason for concern?

EDIT: Also chkrootkit found this

Searching for Linux.Xor.DDoS ... /usr/bin/chkrootkit: command substitution: line 1287: syntax error near unexpected token `)'
/usr/bin/chkrootkit: command substitution: line 1287: `${ls} ${ROOTDIR}etc/cron.hourly/udev.sh ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)'
INFECTED: Possible Malicious Linux.Xor.DDoS installed

Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

those are valid system users and groups

rabbitmq is a schedule - likely created by genymotion. rpcuser may also have been created by genymotion.

vboxusers is created by virtualbox

cat /etc/cron.hourly/gcc.sh
cat /etc/cron.hourly/udev.sh

Manjaro only gets malware on user negligence, e.g. running scripts as root or with sudo without validation

Are you absolutely sure that genymotion might have created those two users?

I Googled genymotion and rabbitmq group but couldn’t find anything.
Is there a way to see when these passwords and groups were created, I mean the exact date and time?

No I am not.

I cannot possibly know what you have installed and from where, so I don’t actually know for sure where they come from.

One thing is certain though - you have installed it - one way or another - and the users and groups are created by something you installed.

 $ pamac search rabbitmq
[...]
rabbitmq                                                                                     3.12.0-1   extra 
    Highly reliable and performant enterprise messaging implementation of AMQP written in
    Erlang/OTP

Provide the output from the cat command …

The rpcuser is a valid system user - used by e.g. nfs remote filesystem service

 $ cat /etc/passwd
[...]
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/bin/nologin
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
[...]

None of those files appear to exist on my computer. Here is the output

[ben71@ben-inspiron3521 chkrootkit-0.48]$ cat /etc/cron.hourly/gcc.sh
cat: /etc/cron.hourly/gcc.sh: No such file or directory
[ben71@ben-inspiron3521 chkrootkit-0.48]$ cat /etc/cron.hourly/udev.sh
cat: /etc/cron.hourly/udev.sh: No such file or directory

I know for certain that I didn’t install those two programs. However, I have reason to suspect that somebody physically entered my apartment while I was not at home and installed viruses on this computer. It has already happened several times unfortunately.

Congratulations you have installed a trojan VIRUS named rkhunter
Linux does not need crap like that, if it would have needed it - it would have been installed by default on ALL Linux distros…
:vulcan_salute:

If the files do not exist then it is a false positive

No it didn’t - the script printed garbage because of an error …

Which programs?

nfs support comes build in …

And for the rabbitmq - it is a perfectly legal software … https://rabbitmq.com

Congratulations on your promotion - you must have a really, really important job with an intelligence agency.

Then you reported it to the agency employing you - right?

And the police - right?

It is illegal to enter apartments without legal cause - right?

rkhunter is a tool which you need to know (or to learn) how to use
There certainly is a readme and/or a user guide - telling you what it does, how it does it.

What you see are warnings - about users/groups that rkhunter does not know to be part of a standard installation.
However, these are totally legitimate users/groups.

Whatever the “rabbitmq” group is or which program created it … only you know.

Having a group with any name is no sign of malware - what rights the members of that group have may be worth investigating.

You were asked to provide the output of:
cat /etc/passwd

It lists the content of that file - no secrets get exposed …

What you gave instead is something completely different.

If you have trouble with chromium:

close the program

cp -a ~/.config/chromium ~/.config/chromium_backup
rm -rf ~/.config/chromium

restart chromium and re-import whatever you need from the backup that was created by the first command

:point_up_2: :point_up:
Is that a response from ChatGPT? :rofl:

No - if you meant my comment.

hahaha yea, you would do a great job replacing it though :+1:

Something wrong with it?
Did I give erroneous advice?
Seriously.
My irony detector has been inoperative for a long time now, so I do need to ask that.

No not at all dun worry, I'm just irritated by so many AI posters lately…
I know you’re a long time user like me with good intentions…

Your reply was just so complete without quotes, it instantly triggered my AI-Alert :wink:

So: thanks for the compliment then, I guess :grinning:

Okay here it is

[ben71@ben-inspiron3521 ~]$ cat /etc/passwd
root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
systemd-journal-remote:x:981:981:systemd Journal Remote:/:/usr/bin/nologin
systemd-network:x:980:980:systemd Network Management:/:/usr/bin/nologin
systemd-oom:x:979:979:systemd Userspace OOM Killer:/:/usr/bin/nologin
systemd-resolve:x:978:978:systemd Resolver:/:/usr/bin/nologin
systemd-timesync:x:977:977:systemd Time Synchronization:/:/usr/bin/nologin
systemd-coredump:x:976:976:systemd Core Dumper:/:/usr/bin/nologin
uuidd:x:68:68::/:/usr/bin/nologin
dhcpcd:x:975:975:dhcpcd privilege separation:/:/usr/bin/nologin
dnsmasq:x:974:974:dnsmasq daemon:/:/usr/bin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/bin/nologin
avahi:x:972:972:Avahi mDNS/DNS-SD daemon:/:/usr/bin/nologin
colord:x:971:971:Color management daemon:/var/lib/colord:/usr/bin/nologin
cups:x:209:209:cups helper user:/:/usr/bin/nologin
flatpak:x:970:970:Flatpak system helper:/:/usr/bin/nologin
geoclue:x:969:969:Geoinformation service:/var/lib/geoclue:/usr/bin/nologin
git:x:968:968:git daemon user:/:/usr/bin/git-shell
lightdm:x:967:967:Light Display Manager:/var/lib/lightdm:/usr/bin/nologin
nm-openconnect:x:966:966:NetworkManager OpenConnect:/:/usr/bin/nologin
nm-openvpn:x:965:965:NetworkManager OpenVPN:/:/usr/bin/nologin
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
openvpn:x:964:964:OpenVPN:/:/usr/bin/nologin
polkitd:x:102:102:PolicyKit daemon:/:/usr/bin/nologin
rtkit:x:133:133:RealtimeKit:/proc:/usr/bin/nologin
saned:x:963:963:SANE daemon user:/:/usr/bin/nologin
usbmux:x:140:140:usbmux user:/:/usr/bin/nologin
ben71:x:1000:1000:Ben:/home/ben71:/bin/bash
tss:x:962:962:tss user for tpm2:/:/usr/bin/nologin
spamd:x:182:182::/var/lib/spamassassin:/usr/bin/nologin
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
rabbitmq:x:197:197:RabbitMQ user:/var/lib/rabbitmq:/usr/bin/nologin
[ben71@ben-inspiron3521 ~]$

In your first reply you asked me to provide the output for these two commands, which I did in my first reply to you.


cat /etc/cron.hourly/gcc.sh
cat /etc/cron.hourly/udev.sh

It appears that those two scripts do not exist on my laptop


Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

No, I didn’t.
But I saw just now that @linux-aarhus did.

I will stay out of this conversation now to not confuse it further.

My 2-3 cents:
I also have rpcuser resp. rpcbind. Among others like nfs-utils, it is an optional dependency of hplip for example, so if you have an HP printer with networking it can also come from there.

Besides, the last version of rkhunter is 5 years old. For security related software this is ages, so I would not rely on it to do anything useful except providing false positives. Better scan with clamav. Or download some live CD on a clean computer, like the Kaspersky rescue CD or something similar.

And finally, someone broke into your apartment to install something… you are watching too many movies. But in the future you can set a password for your hard drive or BIOS boot, for example. Or encrypt everything with LUKS if you are that paranoid.

You asked for timestamps - I cannot give you that.

What I can do is tell you what users are created after you installed the system.

This is deduced from the passwd file.

If you look at the users created after your user, you will see they are system users - id below 1000 - and they cannot log in, as the shell assigned is /usr/bin/nologin
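The two checks suggested in this thread, reading /etc/passwd in file order to see which accounts came after your own user and listing who is actually a member of a given group (the "what rights the members of that group have" point made earlier), as an added shell example that is not from anyone in this thread. The sample passwd and group excerpts are constructed for the example (modelled on the listing posted above, with one extra made-up login account to show what a real finding would look like); the function names are my own. It assumes, like the reply above, that useradd appends to the file, so file order approximates creation order; the file carries no timestamps.

```shell
#!/bin/sh
# Added example. Both sample files are constructed for this demonstration.
SAMPLE_PASSWD='root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/bin/nologin
ben71:x:1000:1000:Ben:/home/ben71:/bin/bash
tss:x:962:962:tss user for tpm2:/:/usr/bin/nologin
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
rabbitmq:x:197:197:RabbitMQ user:/var/lib/rabbitmq:/usr/bin/nologin
helper:x:1001:1001:Constructed login account:/home/helper:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:998:ben71
vboxusers:x:108:ben71
rabbitmq:x:197:
rpcuser:x:34:'

# Print every passwd entry that appears after the first regular login user
# (UID 1000..59999). Entries with a UID below 1000 and a non-login shell are
# tagged "system"; anything else (a new regular user, or any account with a
# real shell) is tagged "REVIEW" because it is what would actually matter.
# Argument 1: passwd-format text.
classify_after_login_user() {
  printf '%s\n' "$1" | awk -F: '
    !seen { if ($3 >= 1000 && $3 < 60000) seen = 1; next }
    {
      tag = "REVIEW"
      if ($3 < 1000 && ($7 ~ /nologin$/ || $7 ~ /false$/)) tag = "system"
      printf "%s\t%s\tuid=%s\tshell=%s\n", tag, $1, $3, $7
    }'
}

# List who can use a group: the explicit members from the 4th field of the
# group entry plus every passwd user whose primary GID is that group.
# Empty output means nobody can exercise the group's permissions.
# Arguments: group-format text, passwd-format text, group name.
# Returns 1 when the group does not exist.
group_members() {
  gid=$(printf '%s\n' "$1" | awk -F: -v g="$3" '$1 == g { print $3 }')
  [ -n "$gid" ] || return 1
  {
    printf '%s\n' "$1" | awk -F: -v g="$3" \
      '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
  } | sort -u
}

# Stand-alone demonstration on the constructed samples. On a live system,
# pass "$(cat /etc/passwd)" and "$(cat /etc/group)" instead.
classify_after_login_user "$SAMPLE_PASSWD"
group_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD" vboxusers
```

On the constructed sample this tags tss, rpcuser and rabbitmq as system accounts and flags only the made-up "helper" entry, which has a UID of 1001 and /bin/bash as its shell; that combination, not the mere presence of a new service user, is what deserves a closer look. The group check shows that rabbitmq's only member is the rabbitmq service user itself, so the group grants nothing to the interactive account.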

If you want to know when the rabbitmq service user was created I suggest you open pamac (add/remove programs), then click on the :hamburger: menu and select view history, and input rabbitmq in the search field.

The spamd user is there because you installed spamassassin - but that does not trigger rkhunter - right - why not - if rkhunter is right - why not that too - and what about tss?

:wink:


Ok I followed your advice and here is when rabbitmq was installed

[2022-11-16T13:20:24+0100] [ALPM] installed rabbitmq (3.10.7-1)

That is a lot earlier than when these strange Chrome behaviors started to happen. So they are probably not related.
And as for spamassassin, I don’t remember installing that either. It is possible that some mailing program, such as sylpheed might have installed it, but I am not sure.