Chkrootkit and RKhunter possible false positives?

Hi! Super-new-to-Linux user here! I upgraded due to some longstanding security issues.
I've had a few issues running Ubuntu since installation which need troubleshooting; one of them, however, is checking for rootkits.

I've run both chkrootkit and rkhunter and I'm not fully understanding what exactly I'm looking at when I look at the warning flags. A few of these file directories I've seen in other forums, where it was stated that chkrootkit needs to know what package manager the user was running (still figuring out what that is other than, of course... a program... which manages... packages???). Other file directories I haven't found at all.




The chkrootkit "suspicious files and dirs" list seems to get longer with each thing I download to my computer, so I've been assuming it's got to do with that.
Then there's "packet sniffer"/ifpromisc:




rkhunter's warnings start with usr/bin/lwp-request, which several other forums have said seems like a false positive. I'm curious as to what this file is and why it throws a warning.




The other warning is SSH root access being allowed. I configured my firewall to allow connectivity to certain SSH ports so I could play a specific game intended for teaching SSH (it's not port 22). I don't know if this is referring specifically to that, or if I should be tighter with my firewall security when I'm not actively playing bash wargames?
And finally the last warning is for hidden files and directories, which... I wouldn't know the first thing about what to check out or what my concerns should be there.



I guess the main question is 1) how concerned should I really be? and 2) how do I get rid of warnings for items that aren't a threat?
 


G'day noob-buntu_orangeJoe, Welcome to Linux.org


First....turn on your firewall if it isn't already enabled.
FOLLOW THIS

Second, uninstall both chkrootkit and rkhunter
Where did you install them from?...tell us that....it could likely determine the easiest way to get rid of them.

Read the following:
An extremely short summary of the best security practice in Linux Mint is this:
  • Use good passwords.
  • Install updates as soon as they become available.
  • Only install software from the official software sources of Linux Mint and Ubuntu.
  • Don't install antivirus (yes, really!).
  • Don't install Windows emulators like Wine.
  • Enable the firewall.
- Above all: use your common sense.


a. Antivirus is useless
A virus or rootkit can't install itself in Linux unless you let it. In order to install itself on your computer, a virus or rootkit needs your password. And that it doesn't have.

Or in case it's malware (a script) that can execute itself in your home directory without a password: you'll have to make it executable first. Any script that you download is not executable: you have to set the executable bit of the script yourself, by hand.

THEN:

The permission-based structure in Linux prevents regular users from performing administrative actions because each app needs authorization by the superuser (root) before it's executed. This barrier makes it difficult for any virus to sneak into the system and cause disasters.

Without being root, you won't be able to run/install new programs on Linux. Only the superuser has the privilege to access all files in the system.

Linux does not process executables without explicit permission as this is not a separate and independent process. So you’ll have to chmod +x a file before running it.

On Linux, it is harder for the virus to get system-level access. This is because the root account owns system-related files. Therefore, if infected, viruses can be easily removed as they can only affect the user account where they were installed and do not affect the root account.

In other words, the Linux architecture makes it almost impossible for a virus to do anything. This is one of the main reasons we still don’t need antivirus software on Linux.

Also...a GOOD read


Ok, you have now been edumucated.... Carry on.

ENJOY your Linux/Ubuntu etc....that's what it's for....to Enjoy.
 
All good advice, all advice I've generally followed for the most part. However, I'm curious: are chkrootkit and rkhunter actively HARMFUL? I've skipped a lot of antivirus even in Windows simply because they've never really done anything (plus I remember back in the early 2000s when McAfee all but bricked my computer), but are these actively a security risk for any reason?

Edit: also, just for clarification, let's say allegedly I installed Wine... and then later deleted it because that was a bad idea. Is it possible to run Windows as, like, a temporary OS from an external drive the way people often do with Tails? If so, would that keep infected file programs from touching or interfering with anything on the Linux distro?
 
First of all, the last update of RKHunter was about 4 years ago. There was some activity in rkhunter a few months ago, but that did not pan out. Things just went quiet. chkrootkit releases have become slower, about once a year.

So if you are looking at both of them to keep your system infection free, well, they would just offer some protection.

If you are looking at RKHunter logs and its flags, then you can do a few things to make those flags go away. For example, in your case SSH, it seems, is not configured correctly. In an ideal world SSH should not be used to connect remotely as root.

About the suspicious files found: they are fail2ban and numpy packages of Python. If you do not use fail2ban on your machine you can get rid of the python3 packages related to fail2ban. If you do not use numpy packages with Python then you can remove those packages too. Look at your package manager like Synaptic or equivalent for this purpose.

I would recommend that you use lynis and other tools for audit purposes, and not depend only on rkhunter.
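A check for the SSH point above, added here as an example (it is not part of the original post and not rkhunter's own test): it reads PermitRootLogin from an sshd_config file the way sshd resolves it, first occurrence wins and lines starting with '#' are comments, and prints a weak fragment beside a hardened one. The file names and the two config snippets are constructed for the example. On a live Ubuntu system `sudo sshd -T | grep -i permitrootlogin` prints the value actually in effect, including anything pulled in from /etc/ssh/sshd_config.d/, and that is the value to compare against rkhunter's warning.

```shell
#!/bin/sh
# Added example: read PermitRootLogin from an sshd_config file the way sshd
# itself resolves it (first matching keyword wins, '#' comment lines ignored).
# The files written below are constructed fixtures, not real system files.

permit_root_login() {
    # Keyword match is case-insensitive. A commented-out line has '#' glued
    # to the keyword ("#PermitRootLogin"), so it never matches.
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    # OpenSSH's compiled-in default when the keyword is absent.
    printf '%s\n' "${value:-prohibit-password}"
}

# Returns 0 when root logins over SSH are fully disabled, 1 otherwise.
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

work=$(mktemp -d)

# Weak: the active line allows root password logins; the later "no" is ignored
# because sshd keeps the first value it sees for a keyword.
cat > "$work/sshd_config.weak" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
EOF

# Hardened: root cannot log in over SSH at all; use sudo from a normal account.
# A non-default port (as in the OP's wargame setup) changes nothing here.
cat > "$work/sshd_config.hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF

for f in "$work"/sshd_config.*; do
    if root_login_disabled "$f"; then
        echo "OK       $f: PermitRootLogin $(permit_root_login "$f")"
    else
        echo "WARNING  $f: PermitRootLogin $(permit_root_login "$f")"
    fi
done
```

Point the function at /etc/ssh/sshd_config to see what the main file says; if it disagrees with `sshd -T`, a drop-in under sshd_config.d/ is overriding it.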
 
edit: also just for clarification- lets say allegedly i installed wine... and then later deleted it cause that was a bad idea. is it possible to run windows as like a temporary os from an external drive the way people often do with tails? if so would that keep infected file programs from touching or interfering with anything on the linux distro?
The simplest way to run Windows is probably in a virtual machine.

I have noticed a number of people have had trouble with Windows messing up GRUB in Linux....but that is when they are dual booting.....not in a virtual machine. It is not a huge problem.

Running Windows from an external drive: I have zero experience of that, but I am equally sure someone here will know.

Read the links I gave you carefully....spend the time......Windows malware etc. cannot infect Linux.
The guy who wrote that information is among the world's best....he does not talk bs....he deals in facts.

I know you feel "naked" without an AV etc. I felt the same for a while, approx. 10 years ago, but have not had an AV on my Linux Mint.

ClamAV etc. etc. are basically useless.....they slow the system down and find nothing but false positives.

Your best defence is to practise safe browsing....use your common sense. It is all too easy to get drawn down the rabbit holes, and if that happens, you may as well stay with Windows.

Windows users generally live in fear....fear of the next trojan/virus/malware etc. etc.....screwball move from msoft etc.

Welcome to freedom.

PS....when you eventually get organised it would be a really good idea to get to know Timeshift.
It takes snapshots on a schedule set by you, saves them to an external drive (in case of main drive failure) and it works beautifully.
Also a backup plan would be good, saved to the same external.

You can also get used to installing every update. No exceptions.
 
but are these actively a security risk for any reason?

Here's why they are:

Furthermore, antivirus (AV) software sometimes even actively endangers your system: Because AV has by definition high permissions on the system and because it's often inadequately protected against hacking.... This makes AV software an ideal target for hackers.

The above is taken from here: https://easylinuxtipsproject.blogspot.com/p/security.html

Read the whole page to get the whole story. The whole website is a good read.
 
I actually scan user directories with ClamAV every day. I scan the root file system and other stuff at least once a week. It's actually OK to use anti-virus software. You certainly need a firewall. The setuid-to-root programs are one of the biggest threats on a Linux system. One or more of them can be exploited to gain privilege escalation. I use ACLs to limit access to anything with setuid or setgid to a specific group, and only local admin users are allowed to be in that group. Use non-privileged users whenever possible, or at least when you believe you are doing something that involves some level of risk.

Signed,

Matthew Campbell
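To make the setuid point concrete, an added example (not Matthew's own script, which is not on the page): it lists setuid/setgid files under a path with find, and shows the ACL form that limits execution to one group. The group name localadm and the fixture directory are assumptions. The inventory runs as a normal user; the ACL change needs root, the acl package and an ACL-capable mount, and it must not be applied to binaries ordinary users rely on (passwd, su, sudo and similar), so review the list before restricting anything.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid binaries and restrict one to a group
# with a POSIX ACL. The group name "localadm" is an assumption; the fixture
# directory is constructed so the listing can be exercised without root.

# Print every regular file under ROOT that has the setuid or setgid bit.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Give GROUP read+execute through an ACL and remove all rights for "other",
# so only root and members of GROUP can run the file. Needs the acl package
# (setfacl/getfacl) and an ACL-capable mount. Do NOT apply this blindly:
# passwd, su, sudo and a few others must stay runnable by ordinary users.
restrict_to_group() {
    file=$1 group=$2
    setfacl -m "g:$group:rx" -m "o::---" "$file" || return 1
    getfacl --omit-header "$file"
}

# Constructed fixture: one setuid file and one plain file.
work=$(mktemp -d)
touch "$work/privileged" "$work/plain"
chmod 4755 "$work/privileged"
echo "setuid/setgid files under $work:"
list_privileged "$work"

# Real-system usage (inventory only; review the list before restricting anything):
#   list_privileged /usr
#   sudo sh -c '. ./this_script.sh; restrict_to_group /usr/bin/some_tool localadm'
```

`getfacl` on the file afterwards shows the effective mask; a group entry of `rx` with `other::---` is what keeps the binary out of reach of accounts that are not in the group.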
 
One of the safest ways to run Windows on Linux is in a virtual machine, where it can be safely isolated from the host Linux installation.

It's worth considering some circumstances in which both antivirus and rootkit software are useful on a Linux machine.

In the case of a Linux installation that actually downloads documents and/or files from an MS machine, which may then be passed on to other machines, those files may be vulnerable to carrying malicious software from machine to machine. In that case, it's useful for a user to have a means of checking each downloaded file so they don't inadvertently pass on malware to other users who may be at risk of passing it on further. Document and file sharing online is very common, so the risks are potentially not insubstantial if one is involved with MS documents and files on a Linux machine.

It's possible in such cases to check the files that come from a more risky environment with a command such as clamscan, which is from the clamav package. The virus checker doesn't have to be run persistently on the machine, taking up memory uselessly checking any and all files. For a few files, it's a simple manual matter to check a file with the command. If there are a great number of files worth checking, then a script can be written to automate the checks of files. The clamscan command can write the results to a log file, still without the whole virus checker running its full default operation on the machine. In other words, the means to do selective virus checking is available if one has the need to do it in an economical way.

On the matter of rootkits, usually one looks to using rootkit-searching software after they think a machine has been compromised. If suspicions are aroused by seemingly inexplicable events on the machine associated with root processes, one might install rootkit software to see if it can discover any malicious operations.

Normally, a user who only downloads software from the distro's repositories has minimal exposure to root attacks. Repo software is verified, and verifiable if there are doubts. Each major distro has info on how to verify packages if one wishes to do that, but in general it's unnecessary. The greater issue for root attacks comes through web servers, about which there's a lot of information online, some of which is contradictory, but if one is not running a web server, then the risk is very slight. I'll leave web server issues for those who use them.

Major vulnerabilities to Linux systems have come through lower-level problems with CPU exploits like Spectre and Meltdown. One can check whether the current kernel has mitigations against these sorts of vulnerabilities by inspecting the output in a terminal of the last 20 or so lines of the command lscpu, for example:
Code:
$ lscpu
<snip>
NUMA node(s):                         1
NUMA node0 CPU(s):                    0-19
Vulnerability Gather data sampling:   Not affected
Vulnerability Itlb multihit:          Not affected
Vulnerability L1tf:                   Not affected
Vulnerability Mds:                    Not affected
Vulnerability Meltdown:               Not affected
Vulnerability Mmio stale data:        Not affected
Vulnerability Reg file data sampling: Mitigation; Clear Register File
Vulnerability Retbleed:               Not affected
Vulnerability Spec rstack overflow:   Not affected
Vulnerability Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:             Mitigation; Enhanced / Automatic IBRS; IBPB conditional; RSB filling; PBRSB-eIBRS SW sequence; BHI BHI_DIS_S
Vulnerability Srbds:                  Not affected
Vulnerability Tsx async abort:        Not affected
It's clear from this output that the kernel is protected from the various exploits listed.
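The same status can be read from the files under /sys/devices/system/cpu/vulnerabilities, which is where lscpu gets these lines. Added example, not from the original post: a shell function that flags any entry still reported as Vulnerable and returns non-zero, run first against a constructed fixture (the entry name example_unpatched is made up) and then against the live kernel.

```shell
#!/bin/sh
# Added example: report the kernel's mitigation status from the sysfs files
# that lscpu reads. The directory argument lets the function run over a
# constructed fixture; on a real machine call it with no argument.

cpu_vuln_report() {
    base=${1:-/sys/devices/system/cpu/vulnerabilities}
    vulnerable=0
    for f in "$base"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        # Kernel strings start with "Not affected", "Mitigation: ...",
        # "Vulnerable" or "Vulnerable: ..." (plus "Unknown: ..." on some CPUs).
        case $status in
            Vulnerable*) echo "VULNERABLE   $(basename "$f"): $status"
                         vulnerable=$((vulnerable + 1)) ;;
            *)           echo "ok           $(basename "$f"): $status" ;;
        esac
    done
    # Exit status 1 when at least one entry is still reported as Vulnerable.
    [ "$vulnerable" -eq 0 ]
}

# Constructed fixture mirroring the kinds of lines lscpu prints.
work=$(mktemp -d)
printf 'Not affected\n' > "$work/meltdown"
printf 'Mitigation; usercopy/swapgs barriers and __user pointer sanitization\n' > "$work/spectre_v1"
printf 'Vulnerable\n' > "$work/example_unpatched"   # hypothetical entry

cpu_vuln_report "$work" || echo "fixture: at least one entry is Vulnerable"

# Live system (the glob matches nothing on kernels without these sysfs files):
cpu_vuln_report || echo "this kernel still reports a Vulnerable entry; update it"
```

A "Vulnerable" line on a current distro kernel usually means missing CPU microcode (the intel-microcode or amd64-microcode package on Ubuntu) rather than a kernel problem, so check that package before anything else.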
 
I respectfully disagree (and so do a lot of others). :)
And why do you believe that it's "wrong" to use AV software in Linux? Just be prepared for some false positives once in a while. I really don't think it's wrong to be careful or vigilant. It's important not to embrace a false sense of security. Linux is not immune to malware.

Signed,

Matthew Campbell
 
That would be this link:


The info in that link is provided by a man with an extended period of experience.
 
The link in my first post here is why.
Some of the information in that article appears to be a little inaccurate. Privilege escalation doesn't always require knowing a user's password. A local attacker may still seek root access without your password. If you are concerned you could browse the web using a non-privileged account without sudo access. I see nothing wrong with letting ClamAV have a look around. I have never seen anything that says ClamAV will attempt to "run" everything it scans. There is a possible danger though. It's called a zip bomb. ClamAV can be told to scan or not scan archives and can be told to limit how far it goes with that. It is always a good idea to make sure that any software in use is properly configured. An AV scanner can only look for what it knows. And yes, it may yield false positives. A negative result does not automatically mean a system is safe. There is never any such thing as perfect safety. It just means the scanner didn't find any known threats. It is necessary for the system administrator to use a well rounded approach, along with a little sense, when attempting to maintain a secure system. I really don't believe a system is "more safe" just because ClamAV doesn't scan a file that contains malware. The malware needs to be found and removed. You could try to harden ClamAV by running it as another user, other than root, and give it the necessary capabilities to do its job. Or you could allow individual users to run ClamAV on their own in their own space, if that's allowed. There was a bug in clamd that was patched a while back that caused clamd to allow privilege escalation. So yes, running any software could cause a problem, but so can not running it. Ignorance is never an acceptable security policy. People can only do the best they can.

Signed,

Matthew Campbell
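An added example (not Matthew's setup, nor the earlier poster's script) that ties together the scripted on-demand clamscan with a log file suggested earlier in the thread and the archive limits mentioned here against zip bombs: the options cap single-file size, total scanned bytes, archive nesting depth and file count, and clamscan's exit code (0 clean, 1 infected, 2 error) is turned into a message. The limit values and the log path are assumptions to tune for your machine; each option is documented in man clamscan.

```shell
#!/bin/sh
# Added example: wrap clamscan for on-demand scans of a downloads directory,
# log results, cap archive handling against zip bombs, and translate clamscan's
# exit codes (0 clean, 1 infected, 2 error). Limit values and the log path are
# assumptions; see man clamscan for each option.

# Build the clamscan argument list. Kept separate so it can be inspected.
clamscan_args() {
    printf '%s ' --recursive --infected \
        --max-filesize=100M   \
        --max-scansize=400M   \
        --max-recursion=10    \
        --max-files=10000     \
        "--log=$1"
}

# Map clamscan's exit status to a message; returns the same status.
explain_clamscan_status() {
    case $1 in
        0) echo "clean: no known threats found" ;;
        1) echo "INFECTED: one or more files matched a signature" ;;
        *) echo "error: clamscan could not complete the scan (check the log)" ;;
    esac
    return "$1"
}

# Scan DIR (default ~/Downloads) and append results to LOG.
scan_downloads() {
    dir=${1:-"$HOME/Downloads"}
    log=${2:-"$HOME/clamscan.log"}
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed (package clamav); nothing scanned" >&2
        return 2
    fi
    # Word-splitting the argument string is intended here (no spaces in LOG).
    # shellcheck disable=SC2046
    clamscan $(clamscan_args "$log") "$dir"
    explain_clamscan_status $?
}

# Show the command line that would run; a real scan is: scan_downloads ~/Downloads
echo "clamscan args: $(clamscan_args /tmp/example.log)"
```

Run it from cron or by hand after a batch of downloads; the log keeps the infected-file lines so you can act on a status of 1 later without a persistent daemon.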
 
I agree with @Trenix25. There is no harm in expecting an AV solution on a Linux box. There is no downside to using AV solutions on a Linux box. Most of the points about Linux being more secure are not borne out by reality.

Firstly, the dictum "do not download files from unknown sources". This is hocus pocus. There have been multiple instances where known repositories have been breached and infected with malware and viruses.

The second dictum, "do not open attachments from unknown people". Well, what if the person whom you know and trust already has an infection? Or his communication mediums have been compromised? We interact with many, both for work and pleasure. We cannot mandate nor validate that all of those have top-notch and strong security. Nor can we say with any confidence that their devices are free of infection.

The third dictum, "Linux is inherently more secure". That is also not borne out by the massive number of CVE entries for Linux. The way the Linux kernel is written and compiled, i.e. monolithic in its nature, has led to multiple known and unknown vulnerabilities like memory hijacking or root escalation running wild. Hell, till a few years ago even unprivileged user containers were not written properly and led many distros to disable them by default. Well, guess what: Firefox, one of the most popular browsers on Linux, uses containers. Any module can be loaded by the kernel unless it is disabled by sysctl kernel parameters. There have been viruses/malware/rootkits written specifically for Linux.

The fourth dictum, "do not visit websites or do not surf onto dangerous corners". This is also dubious, to say the least. When we google something we are presented with a list of links. Nowhere in the links is it given that the link is safe. We do not know whether at a particular instance of time the website is compromised or not. The website may not have been compromised on Monday but on Tuesday, and we may end up visiting the website on Tuesday.

Most importantly, many of the people who use Linux are not experts. They just want to use the Linux desktop for their work. They do not want to spend time and effort on configuring Linux. That is where a proper security suite or AV comes in. For the average Joe an AV offers a level of security which is unbeatable.
 
I agree with @Trenix25. There is no harm in expecting a AV solution on a Linux box. There is no downside for using AV solutions on a Linux box.
Yes, there are downsides. The CrowdStrike outage, do I need to say more?

And some other anti-virus problems.
 