Unknown users and group files found by rkhunter. Is this suspicious?

Today I updated the entire Manjaro Xfce using Pamac. Since my laptop has gotten quite slow recently (when I open a program, it takes ages to start), I started to suspect that some virus/rootkit might be the culprit. I ran rkhunter and I noticed something potentially suspicious:

[21:29:55] Info: Starting test name 'group_accounts'
[21:29:55] Performing group and account checks
[21:29:56]   Checking for passwd file                        [ Found ]
[21:29:56] Info: Found password file: /etc/passwd
[21:29:56]   Checking for root equivalent (UID 0) accounts   [ None found ]
[21:29:56] Info: Found shadow file: /etc/shadow
[21:29:56]   Checking for passwordless accounts              [ None found ]
[21:29:56]
[21:29:56] Info: Starting test name 'passwd_changes'
[21:29:56]   Checking for passwd file changes                [ Warning ]
[21:29:56] Warning: User 'systemd-oom' has been added to the passwd file.
[21:29:56]
[21:29:56] Info: Starting test name 'group_changes'
[21:29:56]   Checking for group file changes                 [ Warning ]
[21:29:56] Warning: Group 'sgx' has been added to the group file.
[21:29:56] Warning: Group 'systemd-oom' has been added to the group file.
[21:29:56]   Checking root account shell history files       [ None found ]

What do you think about these two items that appear under “group file changes”, namely “sgx” and “systemd-oom”? Are these two expected to appear after regular updates? I didn’t install any new exotic apps recently, I just updated the entire system today.

By the way, recently this laptop suffered some hardware malfunction. There was probably some short circuit caused by spilled water that permanently damaged the memory slot where my laptop memory used to be. I took my laptop to a repair service and they said they only changed into which memory slot the memory stick is inserted, and that it works fine now. But I noticed that my laptop is getting slower and slower as time goes by. Not sure if that’s due to this hardware malfunction and change of memory slots, or maybe someone installed some malware on it. When I got it back from the service, it worked reasonably fast, and then it began to get slower. Today it took almost a minute to open the most simple programs such as Firefox or Gimp. Very strange indeed.

I highly doubt it. GNU / Linux is not Windows.

Please search the forum, there have been a few posts about false positives with RkHunter.

Tip: When pasting terminal output on Discourse forums, one can either…

  • Highlight it and use the Preformatted text </> toolbar button.

  • Add three backticks ` above and below the text (Markdown):

    ```
    text
    ```

  • Use HTML:

    <pre><code>
    text
    </code></pre>

Please edit your post accordingly.

I guess there is no reason to worry. You could check:

man systemd-oomd

and
https://software.intel.com/content/www/us/en/develop/blogs/protecting-application-secrets-with-intel-sgx.html

Is your system running hot and therefore throttling the CPU? One simple (and stupid) way to test the system is to boot it from USB in live Linux mode. If remarkable slowness still exists in the “clean” environment, you might have a problem with your hardware…
How about the swap usage? Are you short of memory?

When I first installed Manjaro my CPU governor was set to “powersave” with profile “balance power” on both battery and power. As a result my laptop was really slow. It’s not like that anymore after setting it to “powersave” with profile “balance performance” on battery, and full performance on power.

In the terminal, check:

tlp-stat -c

It looks like a future Plasma update should include this in the battery popup, but for now try installing tlpui and playing around in there.

Edit: never mind the Plasma thing if you are on Xfce. I don’t know about Xfce. You should be able to use tlpui anyway.

Most likely, those are system/service accounts created upon installation of both services.

See Arch Wiki on User and Group Management under “Example Adding a System User”
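On Arch-based systems such as Manjaro, service accounts like these are normally declared in sysusers.d(5) fragments and created by systemd-sysusers at package install or upgrade time. The following is an added example (not code from the thread, rkhunter or systemd) that scans a directory of sysusers.d fragments for the `u`/`g` line declaring a given name. The fragment it builds is a constructed sample in the documented format, not a copy of any real package file; on a live system point `SYSUSERS_DIR` at `/usr/lib/sysusers.d` and then look up the owning package with `pacman -Qo <file>`.

```shell
#!/bin/sh
# Added example: find which sysusers.d(5) fragment declares a user or group.
# Not rkhunter's or systemd's code. The fragment written by make_sample_fragment
# is CONSTRUCTED sample input mirroring the documented format; on a real
# system set SYSUSERS_DIR=/usr/lib/sysusers.d and skip make_sample_fragment.
set -u

SYSUSERS_DIR="${SYSUSERS_DIR:-$(mktemp -d)}"

# Write a constructed sample fragment (assumption: names and format only,
# not taken from any actual package).
make_sample_fragment() {
    cat > "$SYSUSERS_DIR/sample-systemd.conf" <<'EOF'
# Constructed sample in sysusers.d(5) format (not a real package file)
g sgx - -
u systemd-oom - "systemd Userspace OOM Killer"
EOF
}

# sysusers_declares NAME DIR
# Prints "<file>:<type>" for every fragment whose u/g line declares NAME,
# ignoring comments and blank lines. Returns 1 if nothing declares it.
sysusers_declares() {
    name=$1; dir=$2; found=1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Field 1 is the entry type (u, g, m, r), field 2 the account name.
        awk -v n="$name" -v f="$f" '
            /^[[:space:]]*(#|$)/ { next }
            ($1 == "u" || $1 == "g") && $2 == n { print f ":" $1; hit = 1 }
            END { exit hit ? 0 : 1 }' "$f" && found=0
    done
    return $found
}

# Typical use on a live system (requires the real directory):
#   SYSUSERS_DIR=/usr/lib/sysusers.d sysusers_declares systemd-oom /usr/lib/sysusers.d
#   pacman -Qo /usr/lib/sysusers.d/<file printed above>
```

If a name turns up in no fragment at all, that is the case worth investigating: a service account that no installed package declares was created some other way. `systemd-sysusers --cat-config` prints the merged configuration systemd would act on, which is a convenient cross-check against the per-file scan above.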

Looks like a separate issue to me, probably not related to Manjaro. You may want to open a separate thread for that.

This is what I get when I type that command:

[blueflame@blueflame-inspiron3521 ~]$ tlp-stat -c
--- TLP 1.3.1 --------------------------------------------

+++ Configured Settings:
defaults.conf L0004: TLP_ENABLE="1"
defaults.conf L0005: TLP_PERSISTENT_DEFAULT="0"
defaults.conf L0006: DISK_IDLE_SECS_ON_AC="0"
defaults.conf L0007: DISK_IDLE_SECS_ON_BAT="2"
defaults.conf L0008: MAX_LOST_WORK_SECS_ON_AC="15"
defaults.conf L0009: MAX_LOST_WORK_SECS_ON_BAT="60"
defaults.conf L0010: CPU_ENERGY_PERF_POLICY_ON_AC="balance_performance"
defaults.conf L0011: CPU_ENERGY_PERF_POLICY_ON_BAT="balance_power"
defaults.conf L0012: SCHED_POWERSAVE_ON_AC="0"
defaults.conf L0013: SCHED_POWERSAVE_ON_BAT="1"
defaults.conf L0014: NMI_WATCHDOG="0"
defaults.conf L0015: DISK_DEVICES="nvme0n1 sda"
defaults.conf L0016: DISK_APM_LEVEL_ON_AC="254 254"
defaults.conf L0017: DISK_APM_LEVEL_ON_BAT="128 128"
defaults.conf L0018: DISK_IOSCHED="keep keep"
defaults.conf L0019: SATA_LINKPWR_ON_AC="med_power_with_dipm max_performance"
defaults.conf L0020: SATA_LINKPWR_ON_BAT="med_power_with_dipm min_power"
defaults.conf L0021: AHCI_RUNTIME_PM_TIMEOUT="15"
defaults.conf L0022: PCIE_ASPM_ON_AC="default"
defaults.conf L0023: PCIE_ASPM_ON_BAT="default"
defaults.conf L0024: RADEON_POWER_PROFILE_ON_AC="default"
defaults.conf L0025: RADEON_POWER_PROFILE_ON_BAT="default"
defaults.conf L0026: RADEON_DPM_PERF_LEVEL_ON_AC="auto"
defaults.conf L0027: RADEON_DPM_PERF_LEVEL_ON_BAT="auto"
defaults.conf L0028: WIFI_PWR_ON_AC="off"
defaults.conf L0029: WIFI_PWR_ON_BAT="on"
defaults.conf L0030: WOL_DISABLE="Y"
defaults.conf L0031: SOUND_POWER_SAVE_ON_AC="0"
defaults.conf L0032: SOUND_POWER_SAVE_ON_BAT="1"
defaults.conf L0033: SOUND_POWER_SAVE_CONTROLLER="Y"
defaults.conf L0034: BAY_POWEROFF_ON_AC="0"
defaults.conf L0035: BAY_POWEROFF_ON_BAT="0"
defaults.conf L0036: BAY_DEVICE="sr0"
defaults.conf L0037: RUNTIME_PM_ON_AC="on"
defaults.conf L0038: RUNTIME_PM_ON_BAT="auto"
defaults.conf L0039: RUNTIME_PM_DRIVER_BLACKLIST="amdgpu mei_me nouveau nvidia pcieport radeon"
defaults.conf L0040: USB_AUTOSUSPEND="1"
defaults.conf L0041: USB_BLACKLIST_BTUSB="0"
defaults.conf L0042: USB_BLACKLIST_PHONE="0"
defaults.conf L0043: USB_BLACKLIST_PRINTER="1"
defaults.conf L0044: USB_BLACKLIST_WWAN="0"
defaults.conf L0045: USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN="0"
defaults.conf L0046: RESTORE_DEVICE_STATE_ON_STARTUP="0"
defaults.conf L0047: RESTORE_THRESHOLDS_ON_BAT="0"
defaults.conf L0048: NATACPI_ENABLE="1"
defaults.conf L0049: TPACPI_ENABLE="1"
defaults.conf L0050: TPSMAPI_ENABLE="1"

And yes, I use Manjaro Xfce.

Well, whaddaya know… today I ran the rkhunter check again and those same two items did NOT show up! I haven’t changed anything on my system and I didn’t tell rkhunter to consider those items to be normal (with rkhunter --propupd). So it begs the question: how the heck did it not show these two items again today? Maybe this is the smoking gun that there IS some virus/rootkit installed on this system after all?

This is from today’s rkhunter check:

[22:43:55] Info: Starting test name 'group_accounts'
[22:43:55] Performing group and account checks
[22:43:55]   Checking for passwd file                        [ Found ]
[22:43:55] Info: Found password file: /etc/passwd
[22:43:55]   Checking for root equivalent (UID 0) accounts   [ None found ]
[22:43:55] Info: Found shadow file: /etc/shadow
[22:43:55]   Checking for passwordless accounts              [ None found ]
[22:43:55]
[22:43:55] Info: Starting test name 'passwd_changes'
[22:43:56]   Checking for passwd file changes                [ None found ]
[22:43:56]
[22:43:56] Info: Starting test name 'group_changes'
[22:43:56]   Checking for group file changes                 [ None found ]
[22:43:56]   Checking root account shell history files       [ None found ]
[22:43:56]
[22:43:56] Info: Starting test name 'system_configs'
[22:43:56] Performing system configuration file checks
[22:43:56]
[22:43:56] Info: Starting test name 'system_configs_ssh'
[22:43:56]   Checking for an SSH configuration file          [ Found ]
[22:43:56] Info: Found an SSH configuration file: /etc/ssh/sshd_config
[22:43:56] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[22:43:56] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[22:43:56]   Checking if SSH root access is allowed          [ Warning ]
[22:43:56] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
           The default value may be 'yes', to allow root access.
[22:43:56]   Checking if SSH protocol v1 is allowed          [ Warning ]
[22:43:56] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[22:43:56]   Checking for other suspicious configuration settings [ None found ]

If you suspect the system is compromised, reinstall the OS. Do an external dd reset on the data, as it’s unlikely it’s persisting via flashed firmware.

Perhaps make an image of the current state for later analysis in a VM, since Linux rootkits are extremely rare in the wild.

No, it is not. It’s working just like it is supposed to.

Irrelevant.

Run 1: sgx and systemd-oom detected as new groups. Proper warning issued, and the entry for /etc/group is updated.

Run 2: No NEW groups are detected, thus:

Checking for group file changes                 [ None found ]

Don’t believe me? Check it yourself:

Add a new group:

# groupadd testgroup

Run rkhunter. testgroup will be detected. If you run it from a terminal, you should get something like this:

Warning: Group 'testgroup' has been added to the group file.

And in the log:

[20:40:40] Info: Starting test name 'group_changes'
[20:40:40]   Checking for group file changes                 [ Warning ]
[20:40:40] Warning: Group 'testgroup' has been added to the group file.

Run 2:

[20:49:49] Performing group and account checks
[20:49:49] Info: Starting test name 'group_changes'
[20:49:49]   Checking for group file changes                 [ None found ]

And, it works both ways:

[21:02:34] Info: Starting test name 'group_changes'
[21:02:34]   Checking for group file changes                 [ Warning ]
[21:02:34] Warning: Group 'testgroup' has been removed from the group file.
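The behaviour described in the two runs above (warn once, then accept the new state) follows from how the check is built: a stored copy of the file is compared against the live one, and the stored copy is refreshed after the comparison. The script below is an added example that re-creates that snapshot-and-compare logic in a few lines of POSIX shell; it is not rkhunter's code (rkhunter keeps its own copies in its data directory), and every file it touches is a constructed stand-in for /etc/group written to a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Added example: minimal re-creation of the snapshot-and-compare logic behind
# rkhunter's group_changes test. NOT rkhunter's code. GROUP_FILE stands in
# for /etc/group and SNAPSHOT for the stored copy; both are CONSTRUCTED here.
set -u

WORK="${WORK:-$(mktemp -d)}"
GROUP_FILE="$WORK/group"          # stand-in for /etc/group
SNAPSHOT="$WORK/group.snapshot"   # stand-in for the checker's stored copy

# group_names FILE -> one group name per line, sorted (field 1 of /etc/group)
group_names() {
    cut -d: -f1 "$1" | sort
}

# check_group_changes GROUP_FILE SNAPSHOT
# Prints "added: NAME" / "removed: NAME" for each difference, then refreshes
# the snapshot so the next run compares against the new state.
# Returns 1 when something changed (a warning), 0 when nothing did.
check_group_changes() {
    gf=$1; snap=$2; rc=0
    if [ ! -f "$snap" ]; then
        cp "$gf" "$snap"          # first run: nothing to compare, record state
        return 0
    fi
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    group_names "$snap" > "$tmp_old"
    group_names "$gf"   > "$tmp_new"
    # comm -13: names only in the live file; comm -23: names only in the snapshot
    comm -13 "$tmp_old" "$tmp_new" | sed 's/^/added: /'
    comm -23 "$tmp_old" "$tmp_new" | sed 's/^/removed: /'
    if ! cmp -s "$tmp_old" "$tmp_new"; then rc=1; fi
    rm -f "$tmp_old" "$tmp_new"
    cp "$gf" "$snap"              # this refresh is why run 2 reports nothing
    return $rc
}

# Constructed scenario mirroring the thread: a baseline, an update that adds
# sgx and systemd-oom, then one of them removed again.
seed_baseline() {
    printf 'root:x:0:\nwheel:x:998:blueflame\nusers:x:984:\n' > "$GROUP_FILE"
    rm -f "$SNAPSHOT"
    check_group_changes "$GROUP_FILE" "$SNAPSHOT"
}
add_update_groups() {
    printf 'sgx:x:988:\nsystemd-oom:x:979:\n' >> "$GROUP_FILE"
}
remove_group() {
    grep -v "^$1:" "$GROUP_FILE" > "$GROUP_FILE.new" && mv "$GROUP_FILE.new" "$GROUP_FILE"
}
```

Run `seed_baseline`, `add_update_groups`, then `check_group_changes "$GROUP_FILE" "$SNAPSHOT"` twice: the first call returns 1 and prints the two `added:` lines, the second returns 0 and prints nothing, exactly the run 1 / run 2 pattern in the logs above. The practical consequence for a defender is that the warning is only as trustworthy as the stored copy: if an attacker can write to the data directory, they can silence the check, so that directory deserves the same protection as the binaries themselves.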

Well, I have the same user/groups and I’m not concerned about their presence on my system:

~ >>> grep -e 'sgx\|systemd-oom' /etc/group /etc/passwd
/etc/group:sgx:x:988:
/etc/group:systemd-oom:x:979:
/etc/passwd:systemd-oom:x:979:979:systemd Userspace OOM Killer:/:/usr/bin/nologin

Of course you didn’t. Those accounts/groups are created automatically by packages at the time they get installed.

No point to discuss this topic further. You already got fairly enough replies explaining what happened. So far, @merlock’s post is the best answer you can get.

I’ll go ahead marking this thread as solved and closing.