Rkhunter finds suspicious new groups and passwords

No - if you meant my comment.

hahaha yea, you would do a great job replacing it though :+1:

Something wrong with it?
Did I give erroneous advice?
Seriously.
My irony detector has been inoperative for a long time now, so I do need to ask that.

No, not at all, don't worry, I'm just irritated by so many AI posters lately…
I know you’re a long time user like me with good intentions…

Your reply was just so complete without quotes, it instantly triggered my AI-Alert :wink:

So: thanks for the compliment then, I guess :grinning:

Okay here it is

```
[ben71@ben-inspiron3521 ~]$ cat /etc/passwd
root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
systemd-journal-remote:x:981:981:systemd Journal Remote:/:/usr/bin/nologin
systemd-network:x:980:980:systemd Network Management:/:/usr/bin/nologin
systemd-oom:x:979:979:systemd Userspace OOM Killer:/:/usr/bin/nologin
systemd-resolve:x:978:978:systemd Resolver:/:/usr/bin/nologin
systemd-timesync:x:977:977:systemd Time Synchronization:/:/usr/bin/nologin
systemd-coredump:x:976:976:systemd Core Dumper:/:/usr/bin/nologin
uuidd:x:68:68::/:/usr/bin/nologin
dhcpcd:x:975:975:dhcpcd privilege separation:/:/usr/bin/nologin
dnsmasq:x:974:974:dnsmasq daemon:/:/usr/bin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/bin/nologin
avahi:x:972:972:Avahi mDNS/DNS-SD daemon:/:/usr/bin/nologin
colord:x:971:971:Color management daemon:/var/lib/colord:/usr/bin/nologin
cups:x:209:209:cups helper user:/:/usr/bin/nologin
flatpak:x:970:970:Flatpak system helper:/:/usr/bin/nologin
geoclue:x:969:969:Geoinformation service:/var/lib/geoclue:/usr/bin/nologin
git:x:968:968:git daemon user:/:/usr/bin/git-shell
lightdm:x:967:967:Light Display Manager:/var/lib/lightdm:/usr/bin/nologin
nm-openconnect:x:966:966:NetworkManager OpenConnect:/:/usr/bin/nologin
nm-openvpn:x:965:965:NetworkManager OpenVPN:/:/usr/bin/nologin
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
openvpn:x:964:964:OpenVPN:/:/usr/bin/nologin
polkitd:x:102:102:PolicyKit daemon:/:/usr/bin/nologin
rtkit:x:133:133:RealtimeKit:/proc:/usr/bin/nologin
saned:x:963:963:SANE daemon user:/:/usr/bin/nologin
usbmux:x:140:140:usbmux user:/:/usr/bin/nologin
ben71:x:1000:1000:Ben:/home/ben71:/bin/bash
tss:x:962:962:tss user for tpm2:/:/usr/bin/nologin
spamd:x:182:182::/var/lib/spamassassin:/usr/bin/nologin
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
rabbitmq:x:197:197:RabbitMQ user:/var/lib/rabbitmq:/usr/bin/nologin
[ben71@ben-inspiron3521 ~]$
```

In your first reply you asked me to provide the output for these two commands, which I did in my first reply to you.


```
cat /etc/cron.hourly/gcc.sh
cat /etc/cron.hourly/udev.sh
```

It appears that those two scripts do not exist on my laptop


Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

No, I didn’t.
But I saw just now that @linux-aarhus did.

I will stay out of this conversation now to not confuse it further.

My 2-3 cents:
I also have rpcuser (respectively rpcbind). Among others like nfs-utils, it is an optional dependency of hplip for example, so if you have an HP printer with networking that can also come from there.

Besides, the last version of rkhunter is 5 years old. For security-related software this is ages, so I would not rely on it to do anything useful except providing false positives. Better scan with clamav. Or download some live CD on a clean computer, like the Kaspersky rescue CD or something similar.

And finally, someone broke into your apartment to install something… you are watching too many movies. But in the future you can set a password for your hard drive or BIOS boot, for example. Or encrypt everything with LUKS if you are that paranoid.

You asked for timestamps - I cannot give you that.

What I can do is tell you which users were created after you installed the system.

This is deduced from the passwd file.

If you look at the users created after your user - you will see they are system users - id below 1000 and they cannot log in as the shell assigned is /usr/bin/nologin

If you want to know when the rabbitmq service user was created I suggest you open pamac (add remove programs) - then click on the :hamburger: menu and select view history - input rabbitmq in the search field.

spamd user is because you installed spamassassin - but that does not trigger rkhunter - right - why not - if rkhunter is right - why not that too - and what about tss ?

:wink:

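The reasoning in the reply above (passwd order equals creation order, UIDs below 1000 are service accounts, nologin shells cannot be used interactively) can be turned into a repeatable check. The following is an added example, not code from the thread or from any of the tools mentioned; the passwd excerpts inside it are constructed from the file posted earlier, and the two appended accounts in the tampered variant are hypothetical. The checks that matter for a rootkit worry are a second UID 0, a duplicated UID, a service account that still has a real shell, and a human-range account you did not create.

```python
"""
Added example: triage /etc/passwd for accounts created after your own user and
for the entries that actually indicate tampering.
"""

HUMAN_UID_MIN = 1000           # Arch/Manjaro default for regular users
NOBODY_UID = 65534             # 'nobody' sits above the human range
NOLOGIN_SHELLS = {"/usr/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}

# Constructed sample: a subset of the passwd file posted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
bin:x:1:1::/:/usr/bin/nologin
git:x:968:968:git daemon user:/:/usr/bin/git-shell
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
ben71:x:1000:1000:Ben:/home/ben71:/bin/bash
tss:x:962:962:tss user for tpm2:/:/usr/bin/nologin
spamd:x:182:182::/var/lib/spamassassin:/usr/bin/nologin
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
rabbitmq:x:197:197:RabbitMQ user:/var/lib/rabbitmq:/usr/bin/nologin
"""

# Constructed sample with two hypothetical planted accounts appended.
TAMPERED_PASSWD = SAMPLE_PASSWD + """\
toor:x:0:0::/root:/bin/bash
support:x:1001:1001::/var/tmp:/bin/sh
"""


def parse_passwd(text):
    """Return passwd entries as dicts, in file order (the order they were created)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text, known_humans=()):
    """List accounts created after the first human user and flag suspicious entries.

    known_humans: the account names you created yourself.
    """
    entries = parse_passwd(text)
    first_human = next((i for i, e in enumerate(entries)
                        if HUMAN_UID_MIN <= e["uid"] < NOBODY_UID), None)
    created_later = [] if first_human is None else entries[first_human + 1:]

    findings = []
    seen_uids = {}
    for e in entries:
        uid, name, shell = e["uid"], e["name"], e["shell"]
        if uid == 0 and name != "root":
            findings.append(("extra-uid0", name))          # a second superuser
        elif uid in seen_uids:
            findings.append(("duplicate-uid", name))       # shares a UID with seen_uids[uid]
        seen_uids.setdefault(uid, name)
        if 0 < uid < HUMAN_UID_MIN and shell not in NOLOGIN_SHELLS:
            findings.append(("system-account-with-shell", name))  # e.g. git-shell: review
        if HUMAN_UID_MIN <= uid < NOBODY_UID and name not in known_humans:
            findings.append(("unknown-human-account", name))
    return {"created_after_first_human": [e["name"] for e in created_later],
            "findings": findings}


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit_passwd(SAMPLE_PASSWD, known_humans=("ben71",)))
    pprint.pprint(audit_passwd(TAMPERED_PASSWD, known_humans=("ben71",)))
```

On the file posted above the only finding is the git user with /usr/bin/git-shell, which is a restricted shell and expected for that package; the four accounts created after ben71 (tss, spamd, rpcuser, rabbitmq) are all nologin service users. Run it against a real file with `audit_passwd(open("/etc/passwd").read(), known_humans=("yourname",))`.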

If you want to know when the rabbitmq service user was created I suggest you open pamac (add remove programs) - then click on the :hamburger: menu and select view history - input rabbitmq in the search field.

spamd user is because you installed spamassassin - but that does not trigger rkhunter - right - why not - if rkhunter is right - why not that too - and what about tss ?

Ok I followed your advice and here is when rabbitmq was installed

```
[2022-11-16T13:20:24+0100] [ALPM] installed rabbitmq (3.10.7-1)
```

That is a lot earlier than when these strange Chrome behaviors started to happen. So they are probably not related.
And as for spamassassin, I don’t remember installing that either. It is possible that some mailing program, such as sylpheed might have installed it, but I am not sure.

Some mail apps have an optional dependency on spamassassin which you may have opted to install

So you see - not remembering is not an excuse - I mean - I have a bad memory too - I have years I cannot remember due to stress thus creating massive holes in my memory.

The pacman log can be a help to look up when certain packages were synced.


So obviously that rabbitmq package was installed as a dependency for some other package. If I search for rabbitmq in pamac and look at its info, it says

install reason: installed as a dependency for another package

Is there a way to find out which is that another package that installed it in the first place?

By the way, rabbitmq is not available in the start menu, and neither can it be run from the terminal. If I type in rabbitmq in the terminal it says command not found.

```
pacman -Qi rabbitmq
```

or

```
pactree -r rabbitmq
```

or with optional dependencies

```
pactree -ro rabbitmq
```

Well, only the first command gives some information, but it's the same information that can be seen in pamac's graphical interface. It just says that it's a dependency for another package, but it doesn't say which package.

The other two commands just give rabbitmq as the output without any other details

```
[ben71@ben-inspiron3521 ~]$ pacman -Qi rabbitmq
Name            : rabbitmq
Version         : 3.11.16-1
Description     : Highly reliable and performant enterprise messaging
                  implementation of AMQP written in Erlang/OTP
Architecture    : any
URL             : https://rabbitmq.com
Licenses        : MPL
Groups          : None
Provides        : None
Depends On      : util-linux  inetutils  erlang-nox  socat
Optional Deps   : rabbitmqadmin: CLI management tool
                  logrotate: rotate log files [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 27.22 MiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Mon 15 May 2023 06:50:43 PM CEST
Install Date    : Thu 08 Jun 2023 12:13:22 AM CEST
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

[ben71@ben-inspiron3521 ~]$ pactree -ro rabbitmq
rabbitmq
[ben71@ben-inspiron3521 ~]$ pactree -r rabbitmq
rabbitmq
```

You will find it within the same transaction - that is the date and time in the log

```
pacman -Qii rabbitmq
```

or

```
pacman -Sii rabbitmq
```
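The advice above, that the package which pulled rabbitmq in sits in the same transaction, can be automated by grouping /var/log/pacman.log into transactions: each one starts with a `[PACMAN] Running '...'` line naming the explicit targets, and the `[ALPM] installed`/`upgraded`/`removed` lines up to `transaction completed` belong to it. The following is an added example, not code from the thread or from pacman; the log inside it is constructed and `example-app` is a hypothetical package name. It also shows why `Required By: None` and an empty `pactree -r` are not contradictory: a parent removed without `-s` leaves its dependency behind, still marked "installed as a dependency" (`pacman -Qdt` lists such orphans), and `Install Date` in `pacman -Qi` is refreshed by every upgrade, which is why it is later than the original install line in the log.

```python
"""
Added example: reconstruct from pacman.log the transaction that installed a
package, the explicit targets of that transaction, and the package's history.
"""
import re

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
EVENT_RE = re.compile(r"^(installed|reinstalled|upgraded|removed) (\S+) \((.*)\)$")
# pacman options that consume the next token, so that token is not a target
VALUE_OPTS = {"--config", "--root", "-r", "--dbpath", "-b", "--cachedir",
              "--logfile", "--hookdir", "--gpgdir"}

# Constructed sample log; 'example-app' is a hypothetical package.
SAMPLE_LOG = """\
[2022-11-16T13:19:40+0100] [PACMAN] Running 'pacman -S --config /etc/pacman.conf -- extra/example-app'
[2022-11-16T13:19:58+0100] [PACMAN] synchronizing package lists
[2022-11-16T13:20:10+0100] [ALPM] transaction started
[2022-11-16T13:20:20+0100] [ALPM] installed erlang-nox (25.1.1-1)
[2022-11-16T13:20:24+0100] [ALPM] installed rabbitmq (3.10.7-1)
[2022-11-16T13:20:30+0100] [ALPM] installed example-app (1.2.3-1)
[2022-11-16T13:20:31+0100] [ALPM] transaction completed
[2023-06-08T00:12:50+0200] [PACMAN] Running 'pacman -Syu'
[2023-06-08T00:13:05+0200] [ALPM] transaction started
[2023-06-08T00:13:22+0200] [ALPM] upgraded rabbitmq (3.10.7-1 -> 3.11.16-1)
[2023-06-08T00:13:30+0200] [ALPM] transaction completed
[2023-07-01T10:00:00+0200] [PACMAN] Running 'pacman -R example-app'
[2023-07-01T10:00:05+0200] [ALPM] transaction started
[2023-07-01T10:00:06+0200] [ALPM] removed example-app (1.2.3-1)
[2023-07-01T10:00:07+0200] [ALPM] transaction completed
"""


def parse_transactions(log_text):
    """Group log lines into transactions, each a dict with started/command/events/completed."""
    transactions, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, msg = m.group("ts"), m.group("src"), m.group("msg")
        if src == "PACMAN" and msg.startswith("Running "):
            current = {"started": ts, "command": msg[len("Running "):].strip("'"),
                       "events": [], "completed": None}
            transactions.append(current)
        elif src == "ALPM" and current is not None:
            ev = EVENT_RE.match(msg)
            if ev:
                action, name, version = ev.groups()
                current["events"].append({"ts": ts, "action": action,
                                          "name": name, "version": version})
            elif msg == "transaction completed":
                current["completed"] = ts
    return transactions


def explicit_targets(command):
    """Package names the operator asked for on the pacman command line."""
    tokens = command.split()
    if "--" in tokens:                       # everything after '--' is a target
        return tokens[tokens.index("--") + 1:]
    targets, skip = [], False
    for tok in tokens[1:]:
        if skip:
            skip = False
        elif tok in VALUE_OPTS:
            skip = True
        elif not tok.startswith("-"):
            targets.append(tok)
    return targets


def package_history(log_text, package):
    """Every install/upgrade/remove event for one package, oldest first."""
    return [(e["ts"], e["action"], e["version"])
            for tx in parse_transactions(log_text)
            for e in tx["events"] if e["name"] == package]


def install_transaction(log_text, package):
    """The transaction that installed `package`: when, what was requested, what else came in."""
    for tx in parse_transactions(log_text):
        if any(e["action"] == "installed" and e["name"] == package for e in tx["events"]):
            return {"started": tx["started"],
                    "requested": explicit_targets(tx["command"]),
                    "installed": [e["name"] for e in tx["events"] if e["action"] == "installed"]}
    return None


if __name__ == "__main__":
    print(install_transaction(SAMPLE_LOG, "rabbitmq"))
    print(package_history(SAMPLE_LOG, "rabbitmq"))
```

Against a real system call `install_transaction(open("/var/log/pacman.log").read(), "rabbitmq")`; the `requested` list is the package that was asked for, and anything else in `installed` came along as a dependency in the same run.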

Thank you for providing me with the answers so far Linux-aarhus. Looking at the transactions on that date and around that time I cannot figure out which package installed rabbitmq. But perhaps that is not the culprit.

I don’t know if you noticed that I edited my first post and added that chkrootkit found something as well. It mentions the same files that you told me might be an indication of infection.

```
Searching for Linux.Xor.DDoS ... /usr/bin/chkrootkit: command substitution: line 1287: syntax error near unexpected token `)'
/usr/bin/chkrootkit: command substitution: line 1287: `${ls} ${ROOTDIR}etc/cron.hourly/udev.sh ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)'
INFECTED: Possible Malicious Linux.Xor.DDoS installed
```

Is this perhaps a cause for concern?

This is your original concern.
Address it.
It’s easy.
I told you how.
You essentially create a new browser profile that way.
There are other ways to achieve the same.

rkhunter is a tool you don’t know how to use
and a tool the use of which is only justified by taking for granted your assumptions …
and the use of which after the fact is not how it is supposed to be used

You don’t have a virus or a malware infested system.

Fix your browser profile.

You are on the wrong track with this.

Good luck anyway! - I said I would keep out but could not resist to make this final comment.

Is this perhaps a cause for concern?

To answer my own question - it appears that chkrootkit actually found that code in itself, in its own files. Kind of dumb for a program that is supposed to detect rootkits…

A similar, or same issue appears in this forum thread:

This is something new to me, because I ran chkrootkit many times in the past, both on this one and other laptops, and it never found that “suspicious thing” in its own files. But what do I know?
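The chkrootkit output quoted earlier is a good case for not taking a scanner verdict at face value: the quoted shell line ends in `)` with no matching `$(`, so that test aborted inside the scanner itself and the INFECTED line printed right after it is not the result of a completed check. The following is an added example, not code from the thread or from chkrootkit, that pairs each INFECTED verdict with any scanner error printed during the same test and then looks for the artifacts the test names under a root of your choosing (the two cron.hourly paths come from the quoted error; the sample output is constructed from the lines quoted in the thread plus two ordinary "nothing found" lines).

```python
"""
Added example: triage chkrootkit output, separating verdicts backed by an
artifact on disk from verdicts printed after the scanner's own shell failed.
"""
import os
import re

# Artifacts each test names, relative to ROOTDIR; taken from the quoted error line.
ARTIFACTS = {
    "Linux.Xor.DDoS": ("etc/cron.hourly/udev.sh", "etc/cron.hourly/gcc.sh"),
}

SEARCH_RE = re.compile(r"Searching for (?P<test>.+?) ?\.\.\.")
SCANNER_ERR_RE = re.compile(r"/usr/bin/chkrootkit: .*?line \d+: ")   # bash error prefix
INFECTED_RE = re.compile(r"^INFECTED: (?P<detail>.*)$")

# Constructed sample built from the thread's quoted output.
SAMPLE_OUTPUT = """\
Searching for Suckit rootkit... nothing found
Searching for Linux.Xor.DDoS ... /usr/bin/chkrootkit: command substitution: line 1287: syntax error near unexpected token `)'
/usr/bin/chkrootkit: command substitution: line 1287: `${ls} ${ROOTDIR}etc/cron.hourly/udev.sh ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)'
INFECTED: Possible Malicious Linux.Xor.DDoS installed
Searching for t0rn's default files and dirs... nothing found
"""


def parse_output(output):
    """Split scanner output into per-test sections with their verdict and scanner errors."""
    sections, current = [], None
    for line in output.splitlines():
        s = SEARCH_RE.match(line)
        if s:
            current = {"test": s.group("test").strip(), "infected": None, "errors": []}
            sections.append(current)
        if current is None:
            continue
        if SCANNER_ERR_RE.search(line):          # the scanner's own shell failed here
            current["errors"].append(line)
        i = INFECTED_RE.match(line)
        if i:
            current["infected"] = i.group("detail")
    return sections


def triage(output, rootdir="/", exists=os.path.exists):
    """One assessment per INFECTED verdict; `exists` is injectable for offline use."""
    results = []
    for sec in parse_output(output):
        if sec["infected"] is None:
            continue
        present = [p for p in ARTIFACTS.get(sec["test"], ())
                   if exists(os.path.join(rootdir, p))]
        if present:
            assessment = "investigate: named artifacts present"
        elif sec["errors"]:
            assessment = "unreliable: scanner failed before the check ran"
        else:
            assessment = "unconfirmed: no named artifact found, verify by other means"
        results.append({"test": sec["test"], "verdict": sec["infected"],
                        "scanner_errors": len(sec["errors"]),
                        "present": present, "assessment": assessment})
    return results


if __name__ == "__main__":
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for r in triage(text):
        print(r)
```

Pipe real output through it with `sudo chkrootkit | python3 triage.py`; a verdict whose named files do exist is the only one worth escalating, and that check (`ls -l /etc/cron.hourly/`) is what the earlier replies asked for in the first place.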

This is your original concern.
Address it.
It’s easy.
I told you how.
You essentially create a new browser profile that way.
There are other ways to achieve the same.

Okay thank you, I will try what you proposed with chrome. I already tried to reset its settings to default values from its settings menu, but that didn’t solve the issues.

I do not profess to be knowledgeable about rkhunter, but neither are 90% of other users who use it. That’s why these forums exist, so that we can ask questions and hopefully get answers from those people who know more than us.

I realise that that program can have many false positives, and the same situation is with chkrootkit, but at least those detection tools can notify us if there is a real problem, so that we can check with other programs and other methods, and with other people who know more. I don’t take their positives at face value, and I always try to check, first on Google and then on forums like this.

While I experienced only mocking and derision when I said that I had another Linux laptop infected with rootkits and Trojans, I can only say that I assure you that it really happened. I tried to find the post where I explained that issue in great detail, but it seems that it was posted in the old Manjaro forum, which (as I understand) doesn't exist anymore.

It happened on a different laptop, and the signs that made me think there was a rootkit included things such as:

  1. In many cases when I downloaded a file with Firefox, only a few minutes after the file was downloaded to a specific folder, it would simply vanish, as if it was deleted, and it couldn't be found anymore in that folder. The proof that the file had really been downloaded was still in Firefox's downloaded files screen, but it would be missing from the folder where it was supposed to be placed.

  2. Songs and entire playlists were deleted continuously from Audacious.

  3. Sometimes I would hear a ringing sound, like from an old fashioned telephone coming from my computer.

  4. At one point I couldn’t even access the terminal. When I clicked the terminal icon in the start menu or in the quick access menu in Linux Mint (I had Linux Mint on that laptop), nothing would happen and the terminal wouldn’t open.

  5. This strange behavior would continue even if I deleted the entire hard disk with something like Parted Magic, using its erase hard disk tool, and then installed a fresh installation of Linux Mint. In the first few days everything would seem normal with this new Linux Mint installation, and then the strange behavior would start again. One by one, all of these weird things would happen again. And yes, rkhunter and chkrootkit DID report that there were infected files.

  6. This problem plagued me for at least one year on that laptop. Eventually, I decided to flash the BIOS with the latest version for that laptop, and that seemed to have solved the problem.

After a few months that laptop broke down because of faulty hardware, so I didn’t have enough time to test it properly. But I think I found the culprit in its BIOS. It’s as if somebody flashed the BIOS so that it would reinfect every new installation of any operating system that was installed on it.

I don’t know of any other way to infect the computer’s BIOS except if somebody had physical access to that computer.