Description of problem:
rkhunter suddenly started finding suspicious shared segments

Version-Release number of selected component (if applicable):
1.4.4

How reproducible:
Every time it's been run in the last two weeks

Steps to Reproduce:
1. run "sudo rkhunter --update --cronjob --nocolors --report-warnings-only"
2. it reports that it's found suspicious shared memory segments

Actual results:
Warning: The following suspicious shared memory segments have been found:
         Process: /usr/bin/evolution    PID: 1958    Owner: kiwi
         Process: /usr/bin/xfce4-terminal    PID: 18973    Owner: kiwi

Expected results:

Additional info:
This started to happen after a dnf update run on July 7th. Is this a spurious result, or is rkhunter reporting valid problems? I don't recall any updates to either evolution or xfce4-terminal in this time period.
Created attachment 1300451: latest rkhunter cronjob report
The report comes from my most recent weekly cronjob. You'll notice that the suspicious shared segment warning comes between rkhunter's checks on its own files and the report heading for what it found while examining my system. Does this indicate an rkhunter bug rather than genuinely suspicious shared segments? OTOH the segments are attached to good places for sniffing email credentials and details of any ssh logins made from the XFCE terminal.
Can you attach the full log from /var/log/rkhunter/rkhunter.log? It's likely a bug or normal shm segments that we should whitelist, but the log should tell us.
Created attachment 1302075: rkhunter.log containing suspicious segment warnings

As requested, here's the rkhunter log for one complete run.
I got similar warnings on some (not all) of my CentOS 7 servers.

Warning: The following suspicious shared memory segments have been found:
         Process:     PID: 1581    Owner: nobody

I've tried to find the process with that PID but was unable. So I did another scan with rkhunter and the same warning with the same PID showed up. Then I did one more scan and dumped the process list during the scan. Nothing to find ...

Now I'm wondering if this is a false positive or rkhunter found some hidden process that 'ps' is unable to show. Note that 'yum verify' didn't find anything suspicious.

The PID obviously differs from server to server but the phenomenon stays the same. Every rkhunter scan prints a warning with the same PID, but the PID is not visible.

PS: I was unsure if I should open a new bug report for EPEL, but since Fedora and EPEL share the same version of rkhunter and the problem only occurred with the latest update, I think this is related.
Yeah, there are a number more of these as well: thunderbird, firefox, gnome-shell are all also showing these. So, I think the best thing to do here is disable this test until we can build up a good whitelist.

> The PID obviously differs from server to server but the phenomenon stays the same.
> Every rkhunter scan prints a warning with the same PID, but the PID is not visible.

Do you see /proc/1581/ existing? (or whatever the pid reported is).
(In reply to Kevin Fenzi from comment #6)
> > The PID obviously differs from server to server but the phenomenon stays the same.
> > Every rkhunter scan prints a warning with the same PID, but the PID is not visible.
>
> Do you see /proc/1581/ existing? (or whatever the pid reported is).

Nope.
I get the same warning consistently on any host running httpd:

Warning: The following suspicious shared memory segments have been found:
         Process: /usr/sbin/httpd    PID: 25626    Owner: root

This happens since the update to 1.4.4.
It looks to me as if the process(es) being reported for suspicious shared segments could be the most recently active one using shared segments. I run rkhunter immediately after "dnf_update" to pick up any packages that haven't updated the rkhunter database. This almost always reports the login greeter process as having suspicious segments. However, when rkhunter is run as a weekly cron job it's most likely to report evolution, which is my preferred mail client, as having the suspicious segments when it's run on my laptop, which will, almost by definition, have evolution up and running. The reported process on my server is more likely to be httpd or the greeter.
rkhunter-1.4.4-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-98bd4ee8ab
rkhunter-1.4.4-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-02058d29d2
rkhunter-1.4.4-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bc4003cb37
rkhunter-1.4.4-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-944875338d
rkhunter-1.4.4-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-98bd4ee8ab
rkhunter-1.4.4-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bc4003cb37
rkhunter-1.4.4-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-02058d29d2
rkhunter-1.4.4-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.4-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.4-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.4-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
On a CentOS 6 box, with

# cat /etc/redhat-release
CentOS release 6.9 (Final)
# rpm -qi rkhunter
Name        : rkhunter                     Relocations: (not relocatable)
Version     : 1.4.4                             Vendor: Fedora Project
Release     : 2.el6                         Build Date: Sb 12 aug 2017 21:30:42 +0200
Install Date: Jo 01 feb 2018 11:34:04 +0100      Build Host: buildhw-02.phx2.fedoraproject.org
Group       : Applications/System           Source RPM: rkhunter-1.4.4-2.el6.src.rpm
Size        : 836199                           License: GPLv2+
Signature   : RSA/8, Sb 12 aug 2017 21:30:58 +0200, Key ID 3b49df2a0608b895

within /etc/rkhunter.conf.local I have

ALLOWIPCPROC=/usr/sbin/httpd

but each check complains about

[12:31:56] Info: Starting test name 'ipc_shared_mem'
[12:31:56] Checking for suspicious shared memory segments          [ Warning ]
[12:31:56] Warning: The following suspicious shared memory segments have been found:
[12:31:57]          Process:     PID: 2589    Owner: nobody
[12:31:57] Info: Found process pathname '/usr/sbin/httpd': it is whitelisted.

Process 2589 seems not to exist or is hard to catch, although repeated runs of rkhunter checks always show the same PID in the warning.

Thanks for looking into it!
[root@host etc]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@host etc]# rkhunter --version
Rootkit Hunter 1.4.6
[root@host etc]# cat rkhunter.conf | grep ALLOWIPC
ALLOWIPCPROC=/usr/sbin/httpd

rkhunter.log:

[13:38:39] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[13:38:39] Checking for suspicious (large) shared memory segments          [ Warning ]
[13:38:39] Warning: The following suspicious (large) shared memory segments have been found:
[13:38:39]          Process: /usr/sbin/httpd;5b3ca57f (deleted)    PID: 10414    Owner: od_uk    Size: 1.2MB (configured size allowed: 1.0MB)
[13:38:39] Info: Found process pathname '/usr/sbin/httpd': it is whitelisted.
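Added example, not rkhunter's own code and not from anyone in this thread: a small POSIX sh triage script that does in outline what the ipc_shared_mem test does on Linux, so that the two symptoms reported above can be reproduced on a constructed input: a segment whose "Process:" is empty and whose PID is not in /proc (comments #5, #7 and the CentOS 6 report), and the 1.4.6 size threshold with an httpd binary that was replaced on disk while running (the "/usr/sbin/httpd;5b3ca57f (deleted)" log line). The script reads a table in the format of /proc/sysvipc/shm, whose cpid and lpid columns are the creator PID and the PID of the last shmat/shmdt; a SysV segment outlives the process that created it, so those PIDs can refer to processes that have already exited, which is one way (an assumption here, the thread does not settle it) for a scan to keep printing a PID that ps and /proc cannot show. The 1 MiB threshold and the normalisation of ";hex (deleted)" back to the whitelisted path are taken from the 1.4.6 log above; the ordering of the checks, the verdict names, the PROC_ROOT argument and the fixture data are this example's own.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: triage SysV shared memory segments
# roughly the way rkhunter's ipc_shared_mem test does on Linux. Reads a table in
# the format of /proc/sysvipc/shm, keeps segments at or above a size threshold,
# resolves the creator PID (cpid) and last-attach PID (lpid) via PROC_ROOT/PID/exe,
# and reports whether the segment is whitelisted by path, whether both PIDs have
# exited (nothing to whitelist), or whether it should be flagged. The check order
# and verdict names are an assumption, not rkhunter's.

IPC_MIN_SIZE=${IPC_MIN_SIZE:-1048576}          # bytes; the 1.0MB from the 1.4.6 log
ALLOWIPCPROC=${ALLOWIPCPROC:-/usr/sbin/httpd}  # colon-separated exe paths (assumed format)

# exe_of PID PROC_ROOT
# Prints the executable behind PID, "(no such pid)" if PROC_ROOT/PID is gone,
# or "?" if the link exists but cannot be read (another user's process).
exe_of() {
    if [ ! -d "$2/$1" ]; then
        printf '%s\n' '(no such pid)'
    elif exe=$(readlink "$2/$1/exe" 2>/dev/null); then
        printf '%s\n' "$exe"
    else
        printf '%s\n' '?'
    fi
}

# allowed EXE
# Succeeds if EXE is in ALLOWIPCPROC after stripping the decoration the kernel
# adds once the binary on disk has been replaced ("/usr/sbin/httpd;5b3ca57f
# (deleted)" in the 1.4.6 log), which is what lets the whitelist still match.
allowed() {
    base=${1%" (deleted)"}
    base=${base%%";"*}
    case ":$ALLOWIPCPROC:" in
        *":$base:"*) return 0 ;;
    esac
    return 1
}

# triage_shm SHM_TABLE PROC_ROOT
# One line per segment at or above IPC_MIN_SIZE:
#   shmid=<id> size=<bytes> uid=<owner> cpid=<pid>:<exe> lpid=<pid>:<exe> verdict=<v>
# verdict: whitelisted, stale-pids (creator and last user both gone, so there is
# no pathname to whitelist, like the empty "Process:" above), or suspicious.
triage_shm() {
    tail -n +2 "$1" | while read -r key shmid perms size cpid lpid nattch uid rest; do
        [ -n "$shmid" ] || continue
        [ "$size" -ge "$IPC_MIN_SIZE" ] || continue
        cexe=$(exe_of "$cpid" "$2")
        lexe=$(exe_of "$lpid" "$2")
        if allowed "$cexe" || allowed "$lexe"; then
            verdict=whitelisted
        elif [ "$cexe" = '(no such pid)' ] && [ "$lexe" = '(no such pid)' ]; then
            verdict=stale-pids
        else
            verdict=suspicious
        fi
        printf 'shmid=%s size=%s uid=%s cpid=%s:%s lpid=%s:%s verdict=%s\n' \
            "$shmid" "$size" "$uid" "$cpid" "$cexe" "$lpid" "$lexe" "$verdict"
    done
}

# build_fixture
# Creates a constructed /proc tree and shm table (made up for this example, not
# captured from a host) in a temp dir and prints its path: an httpd updated
# while running, a creator PID that has exited, and two evolution segments.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/10414" "$d/proc/1958"
    ln -s '/usr/sbin/httpd;5b3ca57f (deleted)' "$d/proc/10414/exe"
    ln -s /usr/bin/evolution "$d/proc/1958/exe"
    cat >"$d/shm" <<'EOF'
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0          3  1600               1258291 10414 10414      5    48    48     0     0 1530700000          0 1530700000               1258291                     0
         0          7  1600               1048576  1581  1581      0    99    99    99    99 1530700000          0 1530700000               1048576                     0
         0         12   600               2097152  1958  1958      1  1000  1000  1000  1000 1530700000          0 1530700000               2097152                     0
         0         15   600                  4096  1958  1958      1  1000  1000  1000  1000 1530700000          0 1530700000                  4096                     0
EOF
    printf '%s\n' "$d"
}

# No arguments: run against the constructed fixture. Otherwise:
#   triage_shm.sh /proc/sysvipc/shm /proc     (run as root to read every exe link)
if [ $# -eq 0 ]; then
    fx=$(build_fixture)
    triage_shm "$fx/shm" "$fx/proc"
    rm -rf "$fx"
else
    triage_shm "$1" "${2:-/proc}"
fi
```

On the fixture this prints three lines: the httpd segment is whitelisted despite the ";5b3ca57f (deleted)" decoration, the segment whose cpid/lpid 1581 has no /proc entry comes out as stale-pids, the 2 MiB evolution segment is suspicious, and the 4 KiB one is never listed. Whitelisting by executable path cannot cover the stale-pids case, since there is no path to match, which is why the maintainer's route in this thread was to disable the test rather than extend ALLOWIPCPROC (rkhunter.conf's DISABLE_TESTS option takes test names such as the ipc_shared_mem shown in the CentOS 6 log).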