After upgrading to keyutils-1.6.1-1.fc33.x86_64 rkunher issues these warnings: ---------------------- Start Rootkit Hunter Scan ---------------------- Warning: Checking for possible rootkit files and directories [ Warning ] Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component Warning: The following processes are using suspicious files: Command: gssproxy UID: 0 PID: 2739681 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: gssproxy UID: 2739682 PID: 2739681 Pathname: 24432 Possible Rootkit: Spam tool component Command: gssproxy UID: 2739683 PID: 2739681 Pathname: 24432 Possible Rootkit: Spam tool component Command: gssproxy UID: 2739684 PID: 2739681 Pathname: 24432 Possible Rootkit: Spam tool component Command: gssproxy UID: 2739685 PID: 2739681 Pathname: 24432 Possible Rootkit: Spam tool component Command: gssproxy UID: 2739686 PID: 2739681 Pathname: 24432 Possible Rootkit: Spam tool component Command: gssproxy UID: 2783187 PID: 2783186 Pathname: 306249 Possible Rootkit: Spam tool component Command: gssproxy UID: 2783188 PID: 2783186 Pathname: 306249 Possible Rootkit: Spam tool component Command: gssproxy UID: 2783189 PID: 2783186 Pathname: 306249 Possible Rootkit: Spam tool component Command: gssproxy UID: 2783190 PID: 2783186 Pathname: 306249 Possible Rootkit: Spam tool component Command: gssproxy UID: 2783191 PID: 2783186 Pathname: 306249 Possible Rootkit: Spam tool component Command: gssproxy UID: 80596172 PID: 2783186 Pathname: Possible Rootkit: Spam tool component Command: idled UID: 76 PID: 2722422 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2722423 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2722424 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2722570 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2785910 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2790381 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2790836 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2791634 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2791636 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2791956 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2791963 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2792027 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: imapd UID: 76 PID: 2792028 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730800 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730815 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730816 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730818 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730820 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730822 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730824 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730827 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730830 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730834 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730838 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730842 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730845 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730848 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730854 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730857 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730859 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730861 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730864 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730867 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730870 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730874 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: kamailio UID: 985 PID: 2730877 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: lmtpd UID: 76 PID: 2792043 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: lsof UID: 0 PID: 2909737 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: lsof UID: 0 PID: 2909741 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: master UID: 76 PID: 2722414 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: pickup UID: 89 PID: 2790784 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: rpc.mountd UID: 0 PID: 2739746 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707718 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707719 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707720 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707721 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707722 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707723 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707724 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707725 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707726 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707727 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707728 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707729 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707730 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707731 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707732 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707733 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707734 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707735 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707736 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707737 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707738 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707739 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707740 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707741 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707742 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707743 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707744 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707745 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707746 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707747 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707748 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707749 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707750 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707751 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707752 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707753 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707754 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707755 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707756 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707757 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707758 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707759 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707760 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707761 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707762 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707763 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707764 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 2707765 PID: 2707716 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine UID: 981 PID: 2707716 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707768 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707769 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707770 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707771 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707772 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707773 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707774 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 2707775 PID: 2707766 Pathname: 24432 Possible Rootkit: Spam tool component Command: rtpengine-recor UID: 981 PID: 2707766 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component Command: squatter UID: 76 PID: 2722417 Pathname: /usr/lib64/libkeyutils.so.1.9 Possible Rootkit: Spam tool component
Did you run 'rkhunter --propupd' after you applied/installed that package? You must do that when you change the contents of any system files...
Keving, I did do that. It reoccurs with each run. I see something similar here: https://bugs.archlinux.org/task/63369
Confirmed here on this F33 box as well. I also always run rkhunter --propupd when system files have changed. There is another BZ on this against keyutils https://bugzilla.redhat.com/show_bug.cgi?id=1913512
*** Bug 1913512 has been marked as a duplicate of this bug. ***
FEDORA-2021-611f32a469 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-024739ab64 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64
FEDORA-2021-9c40a9907e has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-024739ab64` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9c40a9907e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.