
Re: [rkhunter] coyote.coyote.den - Daily report

On Tue 28 Nov 2017 at 16:38:24 +0500, Alexander V. Makartsev wrote:

> On 28.11.2017 15:16, Brian wrote:
> > On Tue 28 Nov 2017 at 14:04:58 +0500, Alexander V. Makartsev wrote:
> >
> >> IMHO "ignore it and purge" is a terrible advice for anything. It is
> >> better to understand the logic behind those triggers, even if they are
> >> indeed false positive in this case.
> > The advice was not intended to be generalised for all software. It was
> > given in a particular context for a software which has an extensive
> > track record for producing output which is of no consequence. I would
> > be very, very surprised if Gene Heskett had obtained firefox-esr from
> > an untrusted source. Yet another reason for not giving any credence to
> > what it reported.
> That could have nothing to do with firefox-esr. Just because some package
> was installed last doesn't always mean it will be the source of the
> problem.
> Anyway, creating software that will reliably detect something meant to
> be undetectable like a rootkit, while evading the rootkit's protection
> measures against well-known anti-rootkit software, is impossible.
> When I read that log Gene posted and saw "port 6667" I was like "Holy
> shit, this is serious", but then I looked up "portsentry" and
> realized it is a FP.
> "rkhunter" had every right to panic and it's the user's fault for not
> knowing how "portsentry" works. (IF this is the legit "portsentry", not
> something that just has its name.)
> >> "rkhunter" has panicked and rightfully so because it found a working
> >> process with suspicious ports in listening state. As it explained, these
> >> ports are known for usage by malware, e.g. 6667 could be used for an
> >> IRC bot, which is used for remote control of the malware.
> >> The name of the process was "portsentry" and, as stated in its package
> >> description, it is used for portscan detection, so it must have opened
> >> ports to "see" if there are any portscans of known ports going on.
> >> Whether you installed "portsentry", or whether you should trust
> >> "portsentry" to open ports like this, are other questions.
> >>
> >> I don't use "rkhunter", but there is probably some mechanism to
> >> whitelist, so it won't trigger on the same things (xinetd) every time.
> > I am all in favour of finding causes for software behaviour but make
> > an exception for rkhunter. Discovering that xinetd is running is no
> > great achievement. Labelling it as suspicious and the source of a
> > possible rootkit comes close to generating FUD and inducing panic
> > in less experienced users.
> >
> That said, it is better to know at least something and investigate, than
> just saying "meh, it's another FP" and uninstalling the software.
> "rkhunter" has served its purpose at least in urging "less experienced
> users" to do some research and learn.

Two decent arguments. All it needs now is for someone to come forward and
recount how rkhunter's objective (Rootkit Hunter scans systems for known
and unknown rootkits, backdoors, sniffers and exploits) has resulted in
a positive outcome of benefit to the security of the machine.

-- 
Brian.
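As an added example (not from the thread, nor from rkhunter or portsentry), here is one way to settle the question raised above, whether the thing listening on 6667 really is the packaged portsentry, before whitelisting it in rkhunter. It assumes Debian with dpkg's verify mode (`dpkg -V`, dpkg 1.17 or later) and iproute2's `ss`; the `ss` output below is a constructed sample, `PORT_PATH_WHITELIST` is the option name found in rkhunter.conf, and `/usr/sbin/portsentry` is an assumed path.

```shell
#!/bin/sh
# Triage helper for an rkhunter "suspicious listening port" warning.
# Added example, not part of the thread or of rkhunter/portsentry.
# Assumes Debian (dpkg >= 1.17 for `dpkg -V`) and iproute2's `ss`.

# Constructed sample of `ss -ltnp` output (run ss as root on a real host,
# otherwise the Process column is empty).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:6667        0.0.0.0:*         users:(("portsentry",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# listener_of PORT SS_OUTPUT -> "PID NAME" of the process listening on PORT
listener_of() {
    printf '%s\n' "$2" | awk -v p=":$1" '
        $1 == "LISTEN" && $4 ~ (p "$") {
            n = $0; sub(/.*users:\(\("/, "", n)      # portsentry",pid=1234,fd=5))
            name = n; sub(/".*/, "", name)            # portsentry
            pid = n; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print pid, name; exit
        }'
}

# verify_listener PID -> is /proc/PID/exe an unmodified file of an installed
# package? Exit status: 0 ok, 2 unowned binary, 3 modified packaged binary.
verify_listener() {
    exe=$(readlink -f "/proc/$1/exe") || return 1
    pkg=$(dpkg -S "$exe" 2>/dev/null | cut -d: -f1)
    if [ -z "$pkg" ]; then
        echo "$exe: not owned by any installed package -> investigate"; return 2
    fi
    if dpkg -V "$pkg" 2>/dev/null | grep -q " $exe\$"; then
        echo "$exe: owned by $pkg but differs from the packaged file -> investigate"; return 3
    fi
    echo "$exe: owned by $pkg, checksum matches"
}

# whitelist_line EXE PORT -> rkhunter.conf entry allowing exactly that binary
# on exactly that TCP port (option name as in rkhunter.conf; the path is an
# assumption, confirm it with `dpkg -L portsentry`)
whitelist_line() { printf 'PORT_PATH_WHITELIST=%s:TCP:%s\n' "$1" "$2"; }

# Demo on the constructed sample; on a real host use "$(ss -ltnp)" instead,
# then run verify_listener on the pid before adding the whitelist line.
set -- $(listener_of 6667 "$SAMPLE_SS")     # $1 = pid, $2 = process name
echo "port 6667 is held by pid $1 ($2)"
whitelist_line /usr/sbin/portsentry 6667
```

Only whitelist the port once `verify_listener` reports a packaged, unmodified binary; an unowned or modified binary on 6667 is exactly the case rkhunter's warning exists for.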