Bug 1914662 - rkhunter warnings after keyutils-1.6.1-1.fc33.x86_64
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 33
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1913512
Reported: 2021-01-10 16:38 UTC by Anthony Messina
Modified: 2021-01-25 01:15 UTC (History)

Fixed In Version: rkhunter-1.4.6-10.fc34 rkhunter-1.4.6-10.fc33 rkhunter-1.4.6-10.fc32
Last Closed: 2021-01-16 19:13:39 UTC
Type: Bug

Description Anthony Messina 2021-01-10 16:38:29 UTC
After upgrading to keyutils-1.6.1-1.fc33.x86_64, rkhunter issues these warnings:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for possible rootkit files and directories [ Warning ]
         Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
         Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
Warning: The following processes are using suspicious files:
         Command: gssproxy
           UID: 0    PID: 2739681
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2739682    PID: 2739681
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2739683    PID: 2739681
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2739684    PID: 2739681
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2739685    PID: 2739681
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2739686    PID: 2739681
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2783187    PID: 2783186
           Pathname: 306249
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2783188    PID: 2783186
           Pathname: 306249
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2783189    PID: 2783186
           Pathname: 306249
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2783190    PID: 2783186
           Pathname: 306249
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 2783191    PID: 2783186
           Pathname: 306249
           Possible Rootkit: Spam tool component
         Command: gssproxy
           UID: 80596172    PID: 2783186
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: idled
           UID: 76    PID: 2722422
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2722423
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2722424
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2722570
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2785910
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2790381
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2790836
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2791634
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2791636
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2791956
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2791963
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2792027
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2792028
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730800
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730815
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730816
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730818
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730820
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730822
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730824
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730827
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730830
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730834
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730838
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730842
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730845
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730848
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730854
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730857
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730859
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730861
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730864
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730867
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730870
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730874
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: kamailio
           UID: 985    PID: 2730877
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: lmtpd
           UID: 76    PID: 2792043
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: lsof
           UID: 0    PID: 2909737
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: lsof
           UID: 0    PID: 2909741
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: master
           UID: 76    PID: 2722414
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: pickup
           UID: 89    PID: 2790784
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: rpc.mountd
           UID: 0    PID: 2739746
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707718    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707719    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707720    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707721    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707722    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707723    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707724    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707725    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707726    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707727    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707728    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707729    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707730    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707731    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707732    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707733    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707734    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707735    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707736    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707737    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707738    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707739    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707740    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707741    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707742    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707743    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707744    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707745    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707746    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707747    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707748    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707749    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707750    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707751    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707752    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707753    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707754    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707755    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707756    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707757    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707758    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707759    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707760    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707761    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707762    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707763    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707764    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 2707765    PID: 2707716
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine
           UID: 981    PID: 2707716
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707768    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707769    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707770    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707771    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707772    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707773    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707774    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 2707775    PID: 2707766
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: rtpengine-recor
           UID: 981    PID: 2707766
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
         Command: squatter
           UID: 76    PID: 2722417
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component

Comment 1 Kevin Fenzi 2021-01-11 01:04:12 UTC
Did you run 'rkhunter --propupd' after you applied/installed that package?

You must do that when you change the contents of any system files...

Comment 2 Anthony Messina 2021-01-11 05:35:38 UTC
Kevin, I did do that. It reoccurs with each run. I see something similar here: https://bugs.archlinux.org/task/63369

Comment 3 Colin J Thomson 2021-01-11 12:54:16 UTC
Confirmed here on this F33 box as well. 
I also always run rkhunter --propupd when system files have changed.

There is another BZ on this against keyutils https://bugzilla.redhat.com/show_bug.cgi?id=1913512
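
A triage sketch for warnings like the ones in this report, added here as an example (not part of the original bug or of rkhunter): it pulls the flagged paths out of saved scan output and asks the RPM database which package owns each file and whether it still verifies. The function names, verdict labels and sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): triage the files an rkhunter scan
# flagged by asking the RPM database who owns them and whether they verify.

# Constructed sample in the shape of the warnings quoted in the report.
SAMPLE_LOG="Warning: Checking for possible rootkit files and directories [ Warning ]
         Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
         Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
         Command: gssproxy
           UID: 2739682    PID: 2739681
           Pathname: 24432
           Possible Rootkit: Spam tool component
         Command: imapd
           UID: 76    PID: 2722423
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component"

# Read scan output on stdin; print each flagged absolute path once.
# "Pathname:" values that are not absolute paths (e.g. 24432) are skipped.
flagged_paths() {
    sed -n \
        -e "s|^[[:space:]]*Found file '\(/[^']*\)'.*|\1|p" \
        -e 's|^[[:space:]]*Pathname:[[:space:]]*\(/.*\)$|\1|p' | sort -u
}

# Classify one path (verdict labels are this example's own):
#   MISSING      the path does not exist on this system
#   NO_RPM       rpm is not installed, nothing to compare against
#   UNOWNED      the file exists but no installed package owns it
#   MODIFIED     owned, but rpm -V reports a difference for this file
#   PACKAGED_OK  owned, and rpm -V reports no difference for this file
triage_path() {
    path=$1
    [ -e "$path" ] || { echo "MISSING $path"; return 0; }
    command -v rpm >/dev/null 2>&1 || { echo "NO_RPM $path"; return 0; }
    # /lib64 is a symlink to /usr/lib64 on Fedora, so resolve before querying.
    real=$(readlink -f "$path")
    pkg=$(rpm -qf "$real" 2>/dev/null) || { echo "UNOWNED $path"; return 0; }
    # rpm -V prints one line per file that differs from the package metadata;
    # the file name is the last field of each line.
    if rpm -V $pkg 2>/dev/null |
        awk -v f="$real" '$NF == f { hit = 1 } END { exit !hit }'; then
        echo "MODIFIED $path" $pkg
    else
        echo "PACKAGED_OK $path" $pkg
    fi
}

# Usage: sh triage.sh saved-rkhunter-output.txt
# Without an argument, only show what would be extracted from the sample.
if [ -n "${1:-}" ]; then
    flagged_paths < "$1" | while IFS= read -r p; do triage_path "$p"; done
else
    printf '%s\n' "$SAMPLE_LOG" | flagged_paths
fi
```

`rpm -V` compares files against the local RPM database, so PACKAGED_OK means the file matches what the package manager installed. It is not independent evidence on a host where the database itself may have been altered.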

Comment 4 Kevin Fenzi 2021-01-15 20:54:21 UTC
*** Bug 1913512 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2021-01-16 19:13:39 UTC
FEDORA-2021-611f32a469 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2021-01-16 19:36:30 UTC
FEDORA-2021-024739ab64 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64

Comment 7 Fedora Update System 2021-01-16 19:36:33 UTC
FEDORA-2021-9c40a9907e has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e

Comment 8 Fedora Update System 2021-01-17 01:42:52 UTC
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-024739ab64`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-01-17 02:07:00 UTC
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9c40a9907e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-01-23 01:30:39 UTC
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-01-25 01:15:40 UTC
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

