Possible rootkit found with rkhunter

Hi,

Please can someone help? I have just installed rkhunter and I have discovered that my system may have a rootkit installed. The terminal output is below for anyone who may be able to help, please:

[markandnicola@Skinbot ~]$ sudo rkhunter --check
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/cat                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/chmod                                           [ OK ]
    /usr/bin/chown                                           [ OK ]
    /usr/bin/chroot                                          [ OK ]
    /usr/bin/cp                                              [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/date                                            [ OK ]
    /usr/bin/depmod                                          [ OK ]
    /usr/bin/df                                              [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dmesg                                           [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/echo                                            [ OK ]
    /usr/bin/egrep                                           [ Warning ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/fgrep                                           [ Warning ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/fsck                                            [ OK ]
    /usr/bin/fuser                                           [ OK ]
    /usr/bin/grep                                            [ OK ]
    /usr/bin/groupadd                                        [ OK ]
    /usr/bin/groupdel                                        [ OK ]
    /usr/bin/groupmod                                        [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/grpck                                           [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/ifconfig                                        [ OK ]
    /usr/bin/init                                            [ OK ]
    /usr/bin/insmod                                          [ OK ]
    /usr/bin/ip                                              [ OK ]
    /usr/bin/ipcs                                            [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/login                                           [ OK ]
    /usr/bin/ls                                              [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsmod                                           [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mktemp                                          [ OK ]
    /usr/bin/modinfo                                         [ OK ]
    /usr/bin/modprobe                                        [ OK ]
    /usr/bin/more                                            [ OK ]
    /usr/bin/mount                                           [ OK ]
    /usr/bin/mv                                              [ OK ]
    /usr/bin/netstat                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/nologin                                         [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/ping                                            [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/ps                                              [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/pwck                                            [ OK ]
    /usr/bin/pwd                                             [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/rmmod                                           [ OK ]
    /usr/bin/route                                           [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sed                                             [ OK ]
    /usr/bin/sh                                              [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/ssh                                             [ OK ]
    /usr/bin/sshd                                            [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/su                                              [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/sulogin                                         [ OK ]
    /usr/bin/sysctl                                          [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/telnet                                          [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uname                                           [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/useradd                                         [ OK ]
    /usr/bin/userdel                                         [ OK ]
    /usr/bin/usermod                                         [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vipw                                            [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                               [ OK ]
    /usr/bin/watch                                           [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/unhide                                          [ OK ]
    /usr/bin/unhide-linux                                    [ OK ]
    /usr/bin/unhide-posix                                    [ OK ]
    /usr/bin/unhide-tcp                                      [ OK ]
    /usr/bin/numfmt                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/kmod                                            [ OK ]
    /usr/bin/vendor_perl/GET                                 [ Warning ]
    /usr/lib/systemd/systemd                                 [ OK ]
    /etc/rkhunter.conf                                       [ OK ]

[Press <ENTER> to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Not found ]
    Devil RootKit                                            [ Not found ]
    Diamorphine LKM                                          [ Not found ]
    Dica-Kit Rootkit                                         [ Not found ]
    Dreams Rootkit                                           [ Not found ]
    Duarawkz Rootkit                                         [ Not found ]
    Ebury backdoor                                           [ Not found ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    Fu Rootkit                                               [ Not found ]
    ■■■■`it Rootkit                                          [ Not found ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Not found ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Jynx Rootkit                                             [ Not found ]
    Jynx2 Rootkit                                            [ Not found ]
    KBeast Rootkit                                           [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Not found ]
    Lockit / LJK2 Rootkit                                    [ Not found ]
    Mokes backdoor                                           [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Not found ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Not found ]
    R3dstorm Toolkit                                         [ Not found ]
    RH-Sharpe's Rootkit                                      [ Not found ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Not found ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Not found ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Not found ]
    Suckit Rootkit                                           [ Not found ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Not found ]
    T0rn Rootkit                                             [ Not found ]
    trNkit Rootkit                                           [ Not found ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]

[Press <ENTER> to continue]


  Performing additional rootkit checks
    Suckit Rootkit additional checks                         [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for sniffer log files                           [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for suspicious (large) shared memory segments   [ Warning ]
    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

[Press <ENTER> to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking if SSH protocol v1 is allowed                   [ Warning ]
    Checking for other suspicious configuration settings     [ None found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ Warning ]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 126
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 502
    **Possible rootkits: 1**

Any comments or suggestions for actions I can take to fix this issue will be greatly appreciated. Many thanks in advance.

At this point it is not sure there is an issue, it may simply be because there is an existing SSH configuration file found and simply that may trigger a positive (because it could be improperly configured or configured in a way that it could be dangerous).

I’m not really sure what you should do but I wouldn’t be too alarmed. Check this configuration file and see what is in it (maybe you could share it). Maybe retry a scan after disabling SSH if you don’t need it, it may trigger simply because it is enabled.

Experts will surely come and explain the situation better so you can also just wait :rofl:

2 Likes

Thanks, @omano I did a search for SSH in my App menu and found it is linked to Avahi. I then ran the following in Terminal to find out more about Avahi:

[markandnicola@Skinbot ~]$ pacman -Qi avahi
Name            : avahi
Version         : 0.8+20+gd1e71b3-1
Description     : Service Discovery for Linux using mDNS/DNS-SD -- compatible with Bonjour
Architecture    : x86_64
URL             : https://github.com/lathiat/avahi
Licenses        : LGPL
Groups          : None
Provides        : libavahi-client.so=3-64  libavahi-common.so=3-64  libavahi-core.so=7-64  libavahi-glib.so=1-64  libavahi-gobject.so=0-64  libavahi-libevent.so=1-64  libavahi-qt5.so=1-64
                  libavahi-ui-gtk3.so=0-64  libdns_sd.so=1-64
Depends On      : expat  libdaemon  glib2  libcap  gdbm  dbus  libdbus-1.so=3-64
Optional Deps   : gtk3: avahi-discover, avahi-discover-standalone, bshell, bssh, bvnc [installed]
                  qt5-base: qt5 bindings [installed]
                  libevent: libevent bindings [installed]
                  nss-mdns: NSS support for mDNS [installed]
                  python-twisted: avahi-bookmarks
                  python-gobject: avahi-bookmarks, avahi-discover [installed]
                  python-dbus: avahi-bookmarks, avahi-discover [installed]
Required By     : geoclue  gnustep-base  gvfs  kdnssd  libcups  mpd  nss-mdns  ostree  pulseaudio-zeroconf  sane
Optional For    : vlc
Conflicts With  : None
Replaces        : None
Installed Size  : 1890.24 KiB
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Wed 21 Apr 2021 11:56:11 BST
Install Date    : Mon 14 Jun 2021 16:03:04 BST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

By the looks of it, I may need Avahi as I have a wireless printer connected by CUPS. Hopefully someone can tell me if I do need this or I can remove it to lower the risk. Thanks!

I just ran rkhunter and here is my result

System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 126
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 502
    Possible rootkits: 1

same as yours I think

So now it is just a matter of searching probably on google why these warnings, it may not be that alarming.

//EDIT: but Yochanan already gave the answer actually.

avahi is just a framework to make the discovery of network services easier. Strictly speaking, you don’t need it, but then things like remote printers and network shares need to be configured manually and statically.

I wouldn’t worry about those rkhunter results if I were you. rkhunter always reports false positives on its first run. The idea is that you’d make a list of what it reports and that you then whitelist those particular files before running rkhunter again.

Thanks @Aragorn :slight_smile:

Thanks @omano :slight_smile:

1 Like

Thanks @Yochanan Great to meet a member of the Manjaro team on here. I’m a complete newbie when it comes to Manjaro having just switched from Windows 10. I’m enjoying it so far and I have a lot to learn.

All the best,

Mark

1 Like