1 |
On Wed, Feb 27, 2019 at 8:47 AM Peter Humphrey <peter@××××××××××××.uk> wrote: |
2 |
> |
3 |
> On Wednesday, 27 February 2019 12:27:59 GMT Mick wrote: |
4 |
> > |
5 |
> > Could it be these versions are now launching /run/udev.pid? Is a file /run/ |
6 |
> > udev.pid present in your system? |
7 |
> |
8 |
> Yes, I have such a text file, containing just a PID. |
9 |
> |
10 |
> > In any case, the file merely contains the PID number of |
11 |
> > /lib/systemd/systemd- udevd, rather than an ELF binary and /etc/init.d/ |
12 |
> > does not contain anything suspicious. However, with armies generating |
13 |
> > variants of every conceivable malware I don't know if it pays to be a bit |
14 |
> > paranoid about this. |
15 |
> |
16 |
> They really are out to get us... |
17 |
> |
18 |
|
19 |
If it really looks like a PID file I'd assume that this is a false |
20 |
positive. It would likely be generated by openrc and the init.d |
21 |
script. Since almost no other distros use OpenRC it isn't entirely |
22 |
surprising that a tool like rkhunter wasn't tested using it to catch |
23 |
the false positive. I'd report the issue to them. |
24 |
|
25 |
If by "they" you meant systemd I don't really see how they're actually |
26 |
involved. Well, other than indirectly by virtue of not creating this |
27 |
file and being the only config the rkhunter maintainers are probably |
28 |
using. |
29 |
|
30 |
Keep in mind that by its nature rkhunter is going to be a bit limited, |
31 |
at least when used in this way. If it supports offline scanning (ie |
32 |
from a rescue disk) then that would be pretty secure, but if it is |
33 |
running on a potentially-compromised kernel then a clever rootkit |
34 |
could evade it. Just the usual cat-and-mouse game with these sorts of |
35 |
things, but rkhunter can only see the filesystem and process tree that |
36 |
the potentially-compromised kernel lets it see. Offline scanning |
37 |
tools are always going to be superior in this regard, if you have |
38 |
known-clean (ideally read-only) boot media, and a clean firmware to |
39 |
boot it from. Really the cleanest solution would be to remove the |
40 |
hard drives and scan them on a separate machine. |
41 |
|
42 |
-- |
43 |
Rich |