| 1 |
On Wed, Feb 27, 2019 at 8:47 AM Peter Humphrey <peter@××××××××××××.uk> wrote: |
| 2 |
> |
| 3 |
> On Wednesday, 27 February 2019 12:27:59 GMT Mick wrote: |
| 4 |
> > |
| 5 |
> > Could it be these versions are now launching /run/udev.pid? Is a file /run/ |
| 6 |
> > udev.pid present in your system? |
| 7 |
> |
| 8 |
> Yes, I have such a text file, containing just a PID. |
| 9 |
> |
| 10 |
> > In any case, the file merely contains the PID number of |
| 11 |
> > /lib/systemd/systemd- udevd, rather than an ELF binary and /etc/init.d/ |
| 12 |
> > does not contain anything suspicious. However, with armies generating |
| 13 |
> > variants of every conceivable malware I don't know if it pays to be a bit |
| 14 |
> > paranoid about this. |
| 15 |
> |
| 16 |
> They really are out to get us... |
| 17 |
> |
| 18 |
|
| 19 |
If it really looks like a PID file I'd assume that this is a false |
| 20 |
positive. It would likely be generated by openrc and the init.d |
| 21 |
script. Since almost no other distros use OpenRC it isn't entirely |
| 22 |
surprising that a tool like rkhunter wasn't tested using it to catch |
| 23 |
the false positive. I'd report the issue to them. |
| 24 |
|
| 25 |
If by "they" you meant systemd I don't really see how they're actually |
| 26 |
involved. Well, other than indirectly by virtue of not creating this |
| 27 |
file and being the only config the rkhunter maintainers are probably |
| 28 |
using. |
| 29 |
|
| 30 |
Keep in mind that by its nature rkhunter is going to be a bit limited, |
| 31 |
at least when used in this way. If it supports offline scanning (ie |
| 32 |
from a rescue disk) then that would be pretty secure, but if it is |
| 33 |
running on a potentially-compromised kernel then a clever rootkit |
| 34 |
could evade it. Just the usual cat-and-mouse game with these sorts of |
| 35 |
things, but rkhunter can only see the filesystem and process tree that |
| 36 |
the potentially-compromised kernel lets it see. Offline scanning |
| 37 |
tools are always going to be superior in this regard, if you have |
| 38 |
known-clean (ideally read-only) boot media, and a clean firmware to |
| 39 |
boot it from. Really the cleanest solution would be to remove the |
| 40 |
hard drives and scan them on a separate machine. |
| 41 |
|
| 42 |
-- |
| 43 |
Rich |
Archives