what is this after today's updates from updates-testing?

2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: perl-libwww-perl-6.50-1.fc32.noarch
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: perl-HTTP-Cookies-6.09-1.fc32.noarch
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: youtube-dl-2020.12.31-1.fc32.noarch
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: system-config-printer-libs-1.5.13-2.fc32.noarch
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: firewalld-filesystem-0.8.4-1.fc32.noarch
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: keyutils-1.6-4.fc32.x86_64
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: jmtpfs-0.4-12.fc32.x86_64
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: libmtp-1.1.16-4.fc32.x86_64
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: keyutils-libs-1.6-4.fc32.x86_64
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: socat-1.7.3.4-2.fc32.x86_64
2021-01-06T15:55:19+0100 SUBDEBUG Upgraded: libffado-2.4.3-2.fc32.x86_64

[root@srv-rhsoft:~]$ rkhunter --check

Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component

Warning: The following processes are using suspicious files:
Command: cantata UID: 1048995 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1048996 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049004 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049005 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049009 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049010 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049011 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049012 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049013 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049018 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049019 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 1049020 PID: 1048994 Pathname: 24376 Possible Rootkit: Spam tool component
Command: cantata UID: 500 PID: 1048994 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: cleanupd UID: 0 PID: 1236411 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: dhcpd UID: 177 PID: 1051153 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: dhcpd UID: 177 PID: 1051158 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: dhcpd UID: 177 PID: 1051163 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: file.so UID: 500 PID: 1323247 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 5002 PID: 1050820 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1050823 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 5002 PID: 1050826 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 5002 PID: 1050827 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 5002 PID: 1050828 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1050830 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1050831 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1050832 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1050833 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1050834 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 5002 PID: 1050835 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 5002 PID: 1050836 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: httpd UID: 48 PID: 1061751 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: lsof UID: 0 PID: 1353911 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: lsof UID: 0 PID: 1353915 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: master UID: 0 PID: 1050942 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: named UID: 1051238 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051239 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051240 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051241 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051242 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051243 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051244 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051245 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051246 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 1051247 PID: 1051237 Pathname: 24376 Possible Rootkit: Spam tool component
Command: named UID: 25 PID: 1051237 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: pickup UID: 89 PID: 1295683 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048407 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048408 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048409 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048410 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048411 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048412 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048413 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048419 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048424 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048426 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048428 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048456 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1048754 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 1323243 PID: 1048405 Pathname: 24376 Possible Rootkit: Spam tool component
Command: plasmashell UID: 500 PID: 1048405 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: proxymap UID: 89 PID: 1050946 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: qmgr UID: 89 PID: 1050944 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: smbd UID: 0 PID: 1236406 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: smbd-notifyd UID: 0 PID: 1236410 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: ssh UID: 500 PID: 1052740 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Command: tlsmgr UID: 89 PID: 1230534 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
I hit this on Fedora 33 this week both on an existing workstation and on a fresh install onto a laptop. Seems like the same issue as https://bugs.archlinux.org/task/63369

My most recent update for this was:

2021-01-06T22:38:21-0800 INFO Downloading: http://mirror.atl.genesisadaptive.com/fedora/linux/updates/33/Everything/x86_64/Packages/k/keyutils-libs-1.6.1-1.fc33.x86_64.rpm
Same with me.

# dnf downgrade keyutils-libs

followed by rebooting fixes it for now. The downgrade reverted me to 1.6-5.
It's due to the name of the libraries.

Workaround for now: Create /etc/rkhunter.d/ with the following file inside (you can name the file whatever): nokeyutilsfp.conf with the contents:

RTKT_FILE_WHITELIST=/lib/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/lib64/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/usr/lib/libkeyutils.so.1.9
RTKT_FILE_WHITELIST=/usr/lib64/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib64/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib/libkeyutils.so.1.9
EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib64/libkeyutils.so.1.9
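As an added example (not posted by anyone in this thread), a small Python triage helper that parses the flattened "processes are using suspicious files" warning from the first comment, collapses the per-process hits down to the distinct files rkhunter flagged, and renders the /etc/rkhunter.d drop-in in the form of the workaround above. The sample records are constructed from that output, and the `rpm -qf` / `rpm -V` check named in the comments is the verification a practitioner should do before whitelisting, not something this thread ran.

```python
import re
from collections import defaultdict

# Constructed sample: four records in the flattened form of the rkhunter
# warning quoted in the first comment (not the full output).
SAMPLE = (
    "Command: cantata UID: 1048995 PID: 1048994 Pathname: 24376 "
    "Possible Rootkit: Spam tool component "
    "Command: cantata UID: 500 PID: 1048994 Pathname: /usr/lib64/libkeyutils.so.1.9 "
    "Possible Rootkit: Spam tool component "
    "Command: httpd UID: 48 PID: 1050823 Pathname: /usr/lib64/libkeyutils.so.1.9 "
    "Possible Rootkit: Spam tool component "
    "Command: named UID: 25 PID: 1051237 Pathname: /usr/lib64/libkeyutils.so.1.9 "
    "Possible Rootkit: Spam tool component"
)

# One record = Command / UID / PID / Pathname / Possible Rootkit, repeated.
RECORD = re.compile(
    r"Command:\s+(?P<cmd>\S+)\s+UID:\s+(?P<uid>\d+)\s+PID:\s+(?P<pid>\d+)\s+"
    r"Pathname:\s+(?P<path>\S+)\s+Possible Rootkit:\s+(?P<sig>.+?)(?=\s+Command:|$)"
)

def parse_warnings(text):
    """Split the 'processes are using suspicious files' block into records."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def triage(records):
    """Collapse per-process noise to the distinct files rkhunter flagged.

    A Pathname that is not an absolute path (e.g. '24376') is not a file on
    disk and cannot be matched by RTKT_FILE_WHITELIST, so it is only counted.
    """
    files = defaultdict(set)
    non_path = 0
    for r in records:
        if r["path"].startswith("/"):
            files[r["path"]].add(r["cmd"])
        else:
            non_path += 1
    return {p: sorted(c) for p, c in files.items()}, non_path

def whitelist_conf(paths):
    """Render the /etc/rkhunter.d drop-in lines for paths already verified
    to belong to an installed package (rpm -qf PATH; rpm -V keyutils-libs)."""
    lines = []
    for p in sorted(paths):
        lines.append(f"RTKT_FILE_WHITELIST={p}")
        lines.append(f"EXCLUDE_USER_FILEPROP_FILES_DIRS={p}")
    return "\n".join(lines) + "\n"
```

Run `triage(parse_warnings(open("rkhunter.log").read()))` on a real log to see how many distinct files actually drive the warning; on the output above it is a single one.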
(In reply to Steve La Rocque from comment #2)
> Same with me.
>
> # dnf downgrade keyutils-libs
>
> followed by rebooting fixes it for now. The downgrade reverted me to 1.6-5.

Same here. I also downgraded to temporarily work around the issue. There are several posts (such as that archlinux bug report mentioned above) that recommend adding a whitelist line to /etc/rkhunter.conf.local (or equivalent), which I'll do if necessary, but I'd prefer a proper rkhunter fix instead, such as the Debian fix described in this bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951366.
I vote for the /etc/rkhunter.d "workaround" above for now. Regardless of what it is named, it should have 1) a pointer to this BR, 2) brief history (e.g. "used to be used by a key sniffer") and 3) the RTKT_FILE_WHITELIST and EXCLUDE_USER_FILEPROP_FILES_DIRS lines listed above. Seems like a very rapid and clean fix to me. Much better than letting/making thousands of Fedora users waste time trying to figure it out on their own (like the people in this BR, including myself).
This should have been filed on rkhunter... :) Unless the libkeyutils maintainer(s) want to fix this by bumping the soname? It's only libkeyutils.so.1.9 that's misdetected this way. If it's bumped to 2.0 it will save all the false positives for rkhunter users. Anyhow, let's move discussion to the rkhunter bug.

*** This bug has been marked as a duplicate of bug 1914662 ***