Today I updated the entire Manjaro Xfce using Pamac. Since my laptop has gotten quite slow recently (when I open a program it takes ages to start it), I started to suspect that some virus/rootkit might be the culprit. I ran rkhunter and I noticed something potentially suspicious:
[21:29:55] Info: Starting test name 'group_accounts'
[21:29:55] Performing group and account checks
[21:29:56] Checking for passwd file [ Found ]
[21:29:56] Info: Found password file: /etc/passwd
[21:29:56] Checking for root equivalent (UID 0) accounts [ None found ]
[21:29:56] Info: Found shadow file: /etc/shadow
[21:29:56] Checking for passwordless accounts [ None found ]
[21:29:56]
[21:29:56] Info: Starting test name 'passwd_changes'
[21:29:56] Checking for passwd file changes [ Warning ]
[21:29:56] Warning: User 'systemd-oom' has been added to the passwd file.
[21:29:56]
[21:29:56] Info: Starting test name 'group_changes'
[21:29:56] Checking for group file changes [ Warning ]
[21:29:56] Warning: Group 'sgx' has been added to the group file.
[21:29:56] Warning: Group 'systemd-oom' has been added to the group file.
[21:29:56] Checking root account shell history files [ None found ]
What do you think about these two items that appear under “group file changes”, namely “sgx” and “systemd-oom”? Are these two expected to appear after regular updates? I didn’t install any new exotic apps recently, I just updated the entire system today.
By the way, recently this laptop suffered some hardware malfunction. There was probably some short circuit caused by spilled water that permanently damaged the memory slot where my laptop memory used to be. I took my laptop to a repair service and they said they only changed which memory slot the memory stick is inserted into, and that it works fine now. But I noticed that my laptop is getting slower and slower as time goes by. Not sure if that’s due to this hardware malfunction and change of memory slots, or maybe someone installed some malware on it. When I got it back from the service, it worked reasonably fast, and then it began to get slower. Today it took almost a minute to open the most simple programs such as Firefox or Gimp. Very strange indeed.
I guess there is no reason to worry. You could check:
man systemd-oomd
and
Is your system running hot and therefore throttling the CPU? One simple (and stupid) way to test the system is to boot it from USB in live Linux mode. If remarkable slowness still exists in the “clean” environment, you might have a problem with your hardware…
How about the swap usage? Are you short of memory?
When I first installed Manjaro my CPU governor was set to “powersave” with profile “balance power” on both battery and power. As a result my laptop was really slow. It’s not like that anymore after setting it to “powersave” with profile “balance performance” on bat, and full performance on power.
in the terminal check
tlp-stat -c
It looks like a future plasma update should include this in the battery popup, but for now try installing tlpui and playing around in there.
Edit, nevermind the plasma thing if you are on xfce. I don’t know about xfce. You should be able to use tlpui anyway.
Well, whatdoyaknow… today I ran the rkhunter check again and those same two items did NOT show up! I haven’t changed anything on my system and I didn’t tell rkhunter to consider those items to be normal (with rkhunter --propupd). So it begs the question: how the heck did it not show these two items again today? Maybe this is the smoking gun that there IS some virus/rootkit installed on this system after all?
This is from today’s rkhunter check:
[22:43:55] Info: Starting test name 'group_accounts'
[22:43:55] Performing group and account checks
[22:43:55] Checking for passwd file [ Found ]
[22:43:55] Info: Found password file: /etc/passwd
[22:43:55] Checking for root equivalent (UID 0) accounts [ None found ]
[22:43:55] Info: Found shadow file: /etc/shadow
[22:43:55] Checking for passwordless accounts [ None found ]
[22:43:55]
[22:43:55] Info: Starting test name 'passwd_changes'
[22:43:56] Checking for passwd file changes [ None found ]
[22:43:56]
[22:43:56] Info: Starting test name 'group_changes'
[22:43:56] Checking for group file changes [ None found ]
[22:43:56] Checking root account shell history files [ None found ]
[22:43:56]
[22:43:56] Info: Starting test name 'system_configs'
[22:43:56] Performing system configuration file checks
[22:43:56]
[22:43:56] Info: Starting test name 'system_configs_ssh'
[22:43:56] Checking for an SSH configuration file [ Found ]
[22:43:56] Info: Found an SSH configuration file: /etc/ssh/sshd_config
[22:43:56] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[22:43:56] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[22:43:56] Checking if SSH root access is allowed [ Warning ]
[22:43:56] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[22:43:56] Checking if SSH protocol v1 is allowed [ Warning ]
[22:43:56] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[22:43:56] Checking for other suspicious configuration settings [ None found ]
No, it is not. It’s working just like it is supposed to.
Irrelevant.
Run 1: sgx and systemd-oom new groups detected, a proper warning is issued, and the entry for /etc/group is updated.
Run 2: No NEW groups are detected, thus:
Checking for group file changes [ None found ]
Don’t believe me? Check it yourself:
Add a new group:
# groupadd testgroup
Run rkhunter. testgroup will be detected. If you run it from a terminal, you should get something like this:
Warning: Group 'testgroup' has been added to the group file.
And in the log:
[20:40:40] Info: Starting test name 'group_changes'
[20:40:40] Checking for group file changes [ Warning ]
[20:40:40] Warning: Group 'testgroup' has been added to the group file.
Run 2:
[20:49:49] Performing group and account checks
[20:49:49] Info: Starting test name 'group_changes'
[20:49:49] Checking for group file changes [ None found ]
And, it works both ways:
[21:02:34] Info: Starting test name 'group_changes'
[21:02:34] Checking for group file changes [ Warning ]
[21:02:34] Warning: Group 'testgroup' has been removed from the group file.
Of course you didn’t. Those accounts/groups are created automatically by packages at the time they get installed.
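The comparison described in the post above (keep a baseline copy, warn on every name that appeared or disappeared, then replace the baseline so the same change is reported only once) reproduced as a small POSIX shell script. This is an added example and not rkhunter's own code: the function names, the baseline file path and the sample group entries are constructed for the demonstration, and nothing here assumes where rkhunter actually stores its copies of /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not rkhunter's code): emulate the passwd_changes /
# group_changes logic. A baseline copy of the file is kept; each run
# compares the current file against it, prints one warning per added or
# removed entry, and replaces the baseline. The second run against an
# unchanged file therefore reports nothing, with no --propupd involved.
set -eu

# check_changes BASELINE CURRENT KIND LABEL
#   KIND  : word used in the warning ("User" or "Group")
#   LABEL : file name used in the warning ("passwd" or "group")
# Returns 1 if anything changed ([ Warning ]), 0 otherwise ([ None found ]).
check_changes() {
    baseline=$1; current=$2; kind=$3; label=$4
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"   # first run only records the state
        return 0
    fi
    work=$(mktemp -d)
    # Only the name (first colon-separated field) is compared, so a changed
    # GID/UID or member list is not reported by this particular check.
    cut -d: -f1 "$baseline" | sort -u > "$work/old"
    cut -d: -f1 "$current"  | sort -u > "$work/new"
    changed=0
    # comm -13: names present only in the current file (added).
    for name in $(comm -13 "$work/old" "$work/new"); do
        printf "Warning: %s '%s' has been added to the %s file.\n" "$kind" "$name" "$label"
        changed=1
    done
    # comm -23: names present only in the baseline (removed).
    for name in $(comm -23 "$work/old" "$work/new"); do
        printf "Warning: %s '%s' has been removed from the %s file.\n" "$kind" "$name" "$label"
        changed=1
    done
    rm -rf "$work"
    # Record the current state as the new baseline for the next run.
    cp "$current" "$baseline"
    return $changed
}

# report BASELINE CURRENT KIND LABEL: print the rkhunter-style summary line.
report() {
    if check_changes "$@"; then
        echo "Checking for $4 file changes [ None found ]"
    else
        echo "Checking for $4 file changes [ Warning ]"
    fi
}

# --- constructed demo data (not a real system's /etc/group) --------------
demo=$(mktemp -d)
printf 'root:x:0:\nwheel:x:998:\nusers:x:984:\n' > "$demo/group"
cp "$demo/group" "$demo/group.baseline"   # state recorded by the previous run

# Run 1: a package update added two groups (names taken from the thread's log).
printf 'sgx:x:973:\nsystemd-oom:x:972:\n' >> "$demo/group"
report "$demo/group.baseline" "$demo/group" Group group

# Run 2: nothing changed since run 1, so the warning does not repeat.
report "$demo/group.baseline" "$demo/group" Group group

# Run 3: a group was deleted; the check reports that direction as well.
grep -v '^sgx:' "$demo/group" > "$demo/group.tmp" && mv "$demo/group.tmp" "$demo/group"
report "$demo/group.baseline" "$demo/group" Group group

rm -rf "$demo"
```

Run it as a normal user; it never touches /etc. The point to take from it is that a warning in this test is a statement about the delta since the previous run, not about the current file on its own, which is why a group added by a package shows up exactly once.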
No point to discuss this topic further. You already got fairly enough replies explaining what happened. So far, @merlock’s post is the best answer you can get.
I’ll go ahead marking this thread as solved and closing.