Bug 1472299 - rkhunter finds suspicious shared segments in evolution and xfce4-terminal
Summary: rkhunter finds suspicious shared segments in evolution and xfce4-terminal
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-07-18 11:58 UTC by Martin Gregorie
Modified: 2018-07-26 13:43 UTC (History)

Fixed In Version: rkhunter-1.4.4-4.fc26 rkhunter-1.4.4-4.fc25 rkhunter-1.4.4-2.el6 rkhunter-1.4.4-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-26 19:53:07 UTC
Type: Bug
Embargoed:


Attachments
latest rkhunter cronjob report (1.58 KB, text/plain)
2017-07-18 12:18 UTC, Martin Gregorie
rkhunter.log containing suspicious segment warnings (129.22 KB, text/plain)
2017-07-21 00:39 UTC, Martin Gregorie

Description Martin Gregorie 2017-07-18 11:58:33 UTC
Description of problem: 
rkhunter suddenly started finding suspicious shared segments


Version-Release number of selected component (if applicable): 
1.4.4


How reproducible: 
Every time it's been run in the last two weeks


Steps to Reproduce:
1. run "sudo rkhunter --update --cronjob --nocolors --report-warnings-only"
2. it reports that it's found suspicious shared memory segments

Actual results:

Warning: The following suspicious shared memory segments have been found:
         Process: /usr/bin/evolution    PID: 1958    Owner: kiwi
         Process: /usr/bin/xfce4-terminal    PID: 18973    Owner: kiwi

Expected results:

Additional info: 
This started to happen after a dnf update run on July 7th
Is this a spurious result, or is rkhunter reporting valid problems?
I don't recall any updates to either evolution or xfce4-terminal in this time period.

Comment 1 Martin Gregorie 2017-07-18 12:18:41 UTC
Created attachment 1300451 [details]
latest rkhunter cronjob report

Comment 2 Martin Gregorie 2017-07-18 12:24:48 UTC
The report comes from my most recent weekly cronjob. You'll notice that the suspicious shared segment warning comes between rkhunter's checks on its own files and the report heading for what it found while examining my system.

Does this indicate an rkhunter bug rather than genuinely suspicious shared segments? OTOH the segments are attached to good places for sniffing email credentials and details of any ssh logins made from the XFCE terminal.

Comment 3 Kevin Fenzi 2017-07-20 23:23:26 UTC
Can you attach the full log from /var/log/rkhunter/rkhunter.log ?

Its likely a bug or normal shm segments that we should whitelist, but the log should tell us.

Comment 4 Martin Gregorie 2017-07-21 00:39:34 UTC
Created attachment 1302075 [details]
rkhunter.log containing suspicious segment warnings

As requested, here's the rkhunter log for one complete run.

Comment 5 Alex JOST 2017-07-24 08:59:37 UTC
I got similar warnings on some (not all) of my CentOS 7 servers.

Warning: The following suspicious shared memory segments have been found:
         Process:     PID: 1581    Owner: nobody


I've tried to find the process with that PID but was unable. So I did another scan with rkhunter and the same warning with the same PID showed up. Then I did one more scan and dumped the process list during the scan. Nothing to find ...

Now I'm wondering if this is a false positive or rkhunter found some hidden process that 'ps' is unable to show. Note that 'yum verify' didn't find anything suspicious.


The PID obviously differs from server to server but the phenomenon stays the same. Every rkhunter scan prints a warning with the same PID, but the PID is not visible.



PS: I was unsure if I should open a new bug report for EPEL, but since Fedora and EPEL share the same version of rkhunter and the problem only occurred with the latest update I think this is related.

Comment 6 Kevin Fenzi 2017-07-24 20:40:05 UTC
Yeah, there are a number more of these as well... thunderbird, firefox, gnome-shell are all also showing these.

So, I think the best thing to do here is disable this test until we can build up a good whitelist. 

> The PID obviously differs from server to server but the phenomenon stays the same.
> Every rkhunter scan prints a warning with the same PID, but the PID is not visible.

Do you see /proc/1581/ existing? (or whatever the pid reported is).

Comment 7 Alex JOST 2017-07-25 08:43:02 UTC
(In reply to Kevin Fenzi from comment #6)
> > The PID obviously differs from server to server but the phenomenon stays the same.
> > Every rkhunter scan prints a warning with the same PID, but the PID is not visible.
> 
> Do you see /proc/1581/ existing? (or whatever the pid reported is).

Nope.

Comment 8 Marcel Haerry 2017-07-26 15:16:28 UTC
I get the same warning consistently on any host running httpd:

Warning: The following suspicious shared memory segments have been found:
         Process: /usr/sbin/httpd    PID: 25626    Owner: root

This happens since the update to 1.4.4

Comment 9 Martin Gregorie 2017-08-01 09:06:51 UTC
It looks to me as if the process(es) being reported for suspicious shared segments could be the most recently active one using shared segments.

I run rkhunter immediately after "dnf_update" to pick up any packages that haven't updated the rkhunter database. This almost always reports the login greeter process as having suspicious segments.

However, when rkhunter is run as a weekly cron job it's most likely to report evolution, which is my preferred mail client, as having the suspicious segments when it's run on my laptop, which will, almost by definition, have evolution up and running.

The reported process on my server is more likely to be httpd or the greeter.
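Comments 5, 7 and 9 describe a warning that names a PID with no /proc entry, and the guess that the process reported is the most recent user of the segment. The script below is an added example for triaging such a warning by hand; it is not rkhunter's code and was not posted by anyone in this thread. It assumes the warning is derived from the per-segment creator PID (cpid) and last-operator PID (lpid) that `ipcs -m -p` prints; a System V shared memory segment outlives the process that created it, so cpid can point at a PID that no longer exists, in which case there is no executable path to compare against a path-based whitelist. Everything the script reads is constructed inline (a segment table in the column order of `ipcs -m` joined with `ipcs -m -p`, and a /proc view in which PID 1581 is deliberately missing), so it runs offline; the colon-separated allowlist argument is this script's own convention, not the ALLOWIPCPROC syntax.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: reproduce the shape of an
# "ipc_shared_mem" style check so a reported PID can be triaged by hand.
# Assumption: the warning is keyed on the creator PID (cpid) of a System V
# shared memory segment. Segments outlive their creator, so cpid may name a
# PID that no longer exists under /proc, and a whitelist of executable paths
# has nothing to match against for such a segment.

# Constructed sample, column order of `ipcs -m` joined with `ipcs -m -p`:
# shmid owner bytes cpid lpid
SAMPLE_SEGMENTS='
65536 kiwi   4194304 1958  1958
65537 nobody 2097152 1581  25626
65538 root   1048576 25626 25626
65539 kiwi   65536   18973 18973
'

# Constructed view of /proc: PID and the target of /proc/PID/exe.
# PID 1581 is deliberately absent, matching the "PID not visible" reports.
SAMPLE_PROC='
1958  /usr/bin/evolution
18973 /usr/bin/xfce4-terminal
25626 /usr/sbin/httpd
'

# resolve_exe PID -> executable path, or empty if the PID is gone.
# On a live system this would be: readlink "/proc/$1/exe" 2>/dev/null
resolve_exe() {
    printf '%s\n' "$SAMPLE_PROC" | awk -v p="$1" '$1 == p { print $2 }'
}

# in_allowlist PATH ALLOWLIST  (ALLOWLIST is colon-separated, like $PATH;
# this is the example's own convention, not rkhunter's ALLOWIPCPROC syntax)
in_allowlist() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# triage MIN_BYTES ALLOWLIST
# Prints one line per segment of at least MIN_BYTES:
#   shmid=.. owner=.. bytes=.. cpid=.. lpid=.. exe=<path|-> verdict=<..>
# verdict: ALLOWED      creator path is whitelisted
#          CREATOR_GONE creator PID has no /proc entry, so no path to whitelist
#          REVIEW       creator is alive and not whitelisted
triage() {
    min_bytes="$1"
    allow="$2"
    printf '%s\n' "$SAMPLE_SEGMENTS" | while read -r shmid owner bytes cpid lpid; do
        [ -n "$shmid" ] || continue
        [ "$bytes" -ge "$min_bytes" ] || continue
        exe="$(resolve_exe "$cpid")"
        if [ -z "$exe" ]; then
            verdict=CREATOR_GONE
            exe='-'
        elif in_allowlist "$exe" "$allow"; then
            verdict=ALLOWED
        else
            verdict=REVIEW
        fi
        printf 'shmid=%s owner=%s bytes=%s cpid=%s lpid=%s exe=%s verdict=%s\n' \
            "$shmid" "$owner" "$bytes" "$cpid" "$lpid" "$exe" "$verdict"
    done
}

# Same 1 MiB threshold as the log later in this bug, with httpd whitelisted.
triage 1048576 /usr/sbin/httpd
```

On a real host, replace the two constructed tables with `ipcs -m` / `ipcs -m -p` output and `readlink /proc/PID/exe`; a CREATOR_GONE line for an `Owner: nobody` segment is what you would expect from an httpd worker that created the segment and has since exited, which is worth checking before treating the PID as a hidden process.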

Comment 10 Fedora Update System 2017-08-12 19:29:18 UTC
rkhunter-1.4.4-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-98bd4ee8ab

Comment 11 Fedora Update System 2017-08-12 19:37:02 UTC
rkhunter-1.4.4-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-02058d29d2

Comment 12 Fedora Update System 2017-08-12 19:38:41 UTC
rkhunter-1.4.4-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bc4003cb37

Comment 13 Fedora Update System 2017-08-14 02:27:18 UTC
rkhunter-1.4.4-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-944875338d

Comment 14 Fedora Update System 2017-08-14 06:00:18 UTC
rkhunter-1.4.4-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-98bd4ee8ab

Comment 15 Fedora Update System 2017-08-14 07:19:27 UTC
rkhunter-1.4.4-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bc4003cb37

Comment 16 Fedora Update System 2017-08-14 07:23:27 UTC
rkhunter-1.4.4-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-02058d29d2

Comment 17 Fedora Update System 2017-08-26 19:53:07 UTC
rkhunter-1.4.4-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-08-27 06:21:18 UTC
rkhunter-1.4.4-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-09-08 02:18:54 UTC
rkhunter-1.4.4-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-09-08 02:49:00 UTC
rkhunter-1.4.4-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Iosif Fettich 2018-02-01 11:35:06 UTC
On a CentOS 6 box, with

# cat /etc/redhat-release 
CentOS release 6.9 (Final)

# rpm -qi rkhunter
Name        : rkhunter                     Relocations: (not relocatable)
Version     : 1.4.4                             Vendor: Fedora Project
Release     : 2.el6                         Build Date: Sat 12 Aug 2017 21:30:42 +0200
Install Date: Thu 01 Feb 2018 11:34:04 +0100      Build Host: buildhw-02.phx2.fedoraproject.org
Group       : Applications/System           Source RPM: rkhunter-1.4.4-2.el6.src.rpm
Size        : 836199                           License: GPLv2+
Signature   : RSA/8, Sat 12 Aug 2017 21:30:58 +0200, Key ID 3b49df2a0608b895

within /etc/rkhunter.conf.local I have 

ALLOWIPCPROC=/usr/sbin/httpd

but each check complains about:

[12:31:56] Info: Starting test name 'ipc_shared_mem'
[12:31:56]   Checking for suspicious shared memory segments  [ Warning ]
[12:31:56] Warning: The following suspicious shared memory segments have been found:
[12:31:57]          Process:     PID: 2589    Owner: nobody
[12:31:57] Info: Found process pathname '/usr/sbin/httpd': it is whitelisted.
[12:31:57]

Process 2589 seems not to exist or is hard to catch, although repeated runs of rkhunter checks always show the same PID in the warning. 

Thanks for looking into it!

Comment 22 dnastala 2018-07-26 13:43:29 UTC
[root@host etc]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core)

[root@host etc]# rkhunter --version
Rootkit Hunter 1.4.6

[root@host etc]# cat rkhunter.conf | grep ALLOWIPC
ALLOWIPCPROC=/usr/sbin/httpd

rkhunter.log:

[13:38:39] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[13:38:39]   Checking for suspicious (large) shared memory segments [ Warning ]
[13:38:39] Warning: The following suspicious (large) shared memory segments have been found:
[13:38:39]          Process: /usr/sbin/httpd;5b3ca57f (deleted)    PID: 10414    Owner: od_uk    Size: 1.2MB (configured size allowed: 1.0MB)
[13:38:39] Info: Found process pathname '/usr/sbin/httpd': it is whitelisted.

