Activity for Rootkit Hunter

Anton Avramov posted a comment on ticket #190

Anton Avramov — Wed, 08 Oct 2025 15:59:39 -0000

It's actually a security issue since someone can add PermitRootLogin in /etc/ssh/sshd_config and then override it in /etc/ssh/sshd_config.d/ later on.

created ticket #47

Fri, 29 Aug 2025 21:27:27 -0000

Fixed egrep usage, new modern grep usage

CaPaCuL created ticket #191

CaPaCuL — Wed, 25 Jun 2025 22:38:12 -0000

systemd-journald and some warnings

Justin F. Hallett created ticket #190

Justin F. Hallett — Mon, 23 Dec 2024 18:31:56 -0000

ALLOW_SSH_ROOT_USER only looks in main sshd_config, add sshd_config.d

Martin posted a comment on ticket #74

Martin — Thu, 17 Oct 2024 02:24:25 -0000

I'm happy to contribute to this as well. I don't think unspawn will respawn.

Martin created ticket #76

Martin — Wed, 16 Oct 2024 11:25:33 -0000

Rkhunter project handover

Christophe PEREZ created ticket #189

Christophe PEREZ — Mon, 23 Sep 2024 03:23:43 -0000

daily output error

Christophe PEREZ posted a comment on ticket #169

Christophe PEREZ — Thu, 15 Aug 2024 22:53:22 -0000

Thanks !

sai-mike posted a comment on ticket #169

sai-mike — Thu, 15 Aug 2024 20:42:28 -0000

Go to the Code tab. Make sure you are in the develop branch. In the banner at the top it will say: Tree [866f69] develop / next to that will be a link to 'Download Snapshot'. Click that. This will give you a .zip file to download. Download it to a directory and unzip. Change to the directory and run ./installer.sh Follow the rest of the installation instructions in the README file.

Christophe PEREZ posted a comment on ticket #169

Christophe PEREZ — Thu, 15 Aug 2024 19:47:50 -0000

Where is that development version please ?

William Garber created ticket #75

William Garber — Mon, 29 Jul 2024 17:13:00 -0000

small bug with fix; gives error message about grep

Abhilash Mandula posted a comment on ticket #31

Abhilash Mandula — Sat, 13 Jul 2024 03:51:11 -0000

I discovered a script that the hacker is executing using a cron job. Can we integrate this script into the rkhunter toolkit check?

Abhilash Mandula modified a comment on ticket #31

Abhilash Mandula — Sat, 13 Jul 2024 03:50:55 -0000

Abhilash Mandula posted a comment on ticket #31

Abhilash Mandula — Fri, 12 Jul 2024 04:25:12 -0000

I found a script which the hacker is running using a cron job. Is it possible to include this script as well in rkhunter toolkit check?

Lionel Debroux posted a comment on ticket #188

Lionel Debroux — Sat, 04 May 2024 22:40:47 -0000

There's a drawback to memoizing the output of strings, though: DoS upon huge rcfiles... Here's another take on optimizing the possible_rkt_strings check, which no longer memoizes anything. I split the work between a fast path which tries to find all strings at once in every rcfile, and a slow path if the first check returns at least one match. Core i7-6700 HQ (SMP, SMT disabled), 32 GB DDR4-2133, Debian sid amd64, cache hot: before: \time rkhunter_ --cronjob --report-warnings-only --enable possible_rkt_strings...

Lionel Debroux created ticket #188

Lionel Debroux — Mon, 29 Apr 2024 18:32:02 -0000

Redundant operations: possible rootkit strings check

Lionel Debroux posted a comment on ticket #186

Lionel Debroux — Mon, 29 Apr 2024 18:04:14 -0000

New version: the warnings-only mode works better.

Lionel Debroux posted a comment on ticket #186

Lionel Debroux — Sun, 28 Apr 2024 19:07:01 -0000

I gave my idea a go, stopping at the point where the /var/log/rkhunter.log file created by rkhunter -c --sk does not contain relevant changes anymore, when LANGUAGE=en. On two computers ~15 years apart, both equipped with SATA SSDs, my changes seem to yield a significant speedup, without significant adverse effect on memory consumption. Core i7-6700 HQ (SMP, SMT disabled), 32 GB DDR4-2133, Debian sid amd64, cache hot (second run): before: 211.88user 153.26system 4:47.00elapsed 127%CPU (0avgtext+0avgdata...

Christophe PEREZ created ticket #187

Christophe PEREZ — Wed, 24 Apr 2024 14:38:02 -0000

project dead

Lionel Debroux created ticket #186

Lionel Debroux — Sun, 21 Apr 2024 20:41:03 -0000

Redundant operations: parsing of the external translations file ?

David Waring created ticket #185

David Waring — Sun, 17 Mar 2024 19:00:15 -0000

ALLOW_SSH_PROT_V1 check should skip on OpenSSH 7.6 or later

Dogsbody posted a comment on ticket #74

Dogsbody — Tue, 05 Dec 2023 09:15:16 -0000

I would be honoured to carry on the great work. Please add me as an administrator and share anything required. Thank you.

John Horne posted a comment on ticket #74

John Horne — Mon, 04 Dec 2023 18:50:55 -0000

If you want to become the project owner, then let me know and I'll add you as an administrator and provide various passwords.

mildred ratched created ticket #184

mildred ratched — Sun, 03 Dec 2023 18:36:39 -0000

no matter what i try, there are 2 files i'm unsuccesful to exclude from rkhunter

Dogsbody posted a comment on ticket #74

Dogsbody — Fri, 01 Dec 2023 09:22:05 -0000

How can I help? I realise you don't know me from Adam :-) I'd be happy to have a chat (e-mail, public, private, phone, zoom) if you like I could pull a group of interested individuals together and make a plan together or I guess you could just hand over the keys ¯_(ツ)_/¯ I personally do not want to shake anything up. The rkhunter project is good & strong, it just needs a few tweaks for more modern operating systems and perhaps the docs a lick of paint. I've just had a look and according to my posts...

John Horne posted a comment on ticket #74

John Horne — Fri, 01 Dec 2023 02:11:13 -0000

The rkhunter project needs a new owner. I cannot do it. I haven't heard from unspawn in 10 years or more, so it needs someone else.

Dogsbody posted a comment on ticket #74

Dogsbody — Thu, 30 Nov 2023 21:17:49 -0000

Hi John, I have just posted in the Rkhunter-users mailing list as I tend to hang out there more than here :-) I would be very interested in helping keep rkhunter going. We still use rkhunter as part of our suite of protection on around 150 servers and run https://rkhmirror.dogsbody.com/ for the times that sourceforge goes down. I'd be very happy to help support it's transition, even if just to keep things ticking over as new distributions are released :-) How can we (all) make this happen? Thank...

Adrian posted a comment on ticket #183

Adrian — Wed, 23 Aug 2023 23:57:21 -0000

This make sense to some degree, of course you cannot test the tool on all the distros, but at the same time it might be better to either improve the detection so we don't see so many false positives (and forget our small distribution, even on straight Debian as long as I remember this tool always gave a lot of false positives), or provide a bit more detailed info about the warning: what it means, why it shows up and what to check. Also, it's a bit weird if there's let's say a virus scanner that reports...

John Horne posted a comment on ticket #183

John Horne — Wed, 23 Aug 2023 21:37:18 -0000

If you are providing rkhunter as a package for your distro, then modify the rkhunter config file you distribute to whitelist the relevant rootkit files. If you are not providing it as a package, but users are complaining, then tell them to whitelist the files.

Adrian created ticket #183

Adrian — Wed, 23 Aug 2023 20:02:20 -0000

false positives on MX Linux

John Horne posted a comment on ticket #74

John Horne — Thu, 10 Aug 2023 12:12:23 -0000

The development version 1.4.7 has been updated since 2018, but not released as a new version (1.4.8). I have no plans to do that as I can no longer support RKH any more. Version 1.4.7 does seem stable though, so should be usable in production. Are you asking to take over the rkhunter project on sourceforge? If so, then I can provide you with some passwords required, and add you as an administrator. (As far as I remember all I need do then is remove myself as an admin, and you are then the project...

KenUnix created ticket #74

KenUnix — Mon, 07 Aug 2023 23:50:58 -0000

Updates to rkhunter 1.4.6

KenUnix posted a comment on a blog post

KenUnix — Mon, 07 Aug 2023 23:48:46 -0000

Is it safe to assume that rkhunter is a dead project sine it has not been updated sine 2018? If it is dead is it possible to get the source code to update it? Thanks

Andrew Ruthven posted a comment on ticket #151

Andrew Ruthven — Tue, 13 Jun 2023 10:27:29 -0000

rkhunter on the develop branch uses sshd -T to list the configuration settings, including whatever is set in files within sshd_config.d .

Matthew M. Ogilvie posted a comment on ticket #151

Matthew M. Ogilvie — Sun, 04 Jun 2023 17:08:30 -0000

7) More recent versions of sshd support an "Include" directive that allows moving customizations into separate file(s) in a separate directory (likely "sshd_config.d"), which can be useful to preserve those customizations if system updates want to update the main sshd_config file. I don't think rkhunter understands such includes at all - it only considers the main sshd_config file. 8) (maybe OK) I think current versions of sshd have a default "PermitRootLogin prohibit-password", which would probably...

Matthew M. Ogilvie posted a comment on ticket #176

Matthew M. Ogilvie — Fri, 03 Feb 2023 20:57:39 -0000

Here is the the same thing formatted as an easier to use and more robust unidiff patch and isolated from any distribution-specific patches. It should be easier to combine this with other distribution-specific patches/etc. (For example, on Gentoo, this patch could be applied by simply depositing it at /etc/portage/patches/app-forensics/rkhunter-1.4.6-r1/rkhunter-GNUgrep3.8.patch and re-emerging rkhunter, until a newer version incorporates something like it directly.) I don't know enough about the...

DKragen posted a comment on ticket #182

DKragen — Tue, 31 Jan 2023 23:06:44 -0000

Regarding the various unhide options, ignore my comments above. Found that unhide is a separate program. Installing it rid the log of all the missed tests. Looks like the only remaining problem is the missing quote at line 18833

Christophe PEREZ posted a comment on ticket #181

Christophe PEREZ — Tue, 31 Jan 2023 22:35:10 -0000

You're right. I didn't find this bug. Tried the patch with success. Thanks !

DKragen posted a comment on ticket #182

DKragen — Tue, 31 Jan 2023 22:14:46 -0000

Similarly, unhide-linux and unhide commands couldn't be found for hidden processes test, per the log

DKragen posted a comment on ticket #182

DKragen — Tue, 31 Jan 2023 22:12:31 -0000

In log found that rkhunter couldn't find the unhide-tcp command, shortly after starting to look for hidden ports. Suspect that may be related to the failure to investigate for hidden ports...

GGGG posted a comment on ticket #181

GGGG — Tue, 31 Jan 2023 22:00:56 -0000

you should have a look a #176 An unofficial patch is provided. As long as i can say still not merged

DKragen posted a comment on ticket #182

DKragen — Tue, 31 Jan 2023 21:52:41 -0000

rkhunter v. 1.4.6

DKragen created ticket #182

DKragen — Tue, 31 Jan 2023 21:49:18 -0000

fresh reinstall but still flagging code problem with incomplete quote

Christophe PEREZ created ticket #181

Christophe PEREZ — Tue, 31 Jan 2023 20:34:06 -0000

grep warnings

Giorgos posted a comment on ticket #179

Giorgos — Thu, 05 Jan 2023 16:51:43 -0000

THANKS Tom!!! ;-) I had the MIRRORS_MODE -> 2, so I changed it -> 0 and now works!!! :-) (Though I don't understand why didn't work at the 1st place, since I don't have any local mirrors). HAPPY NEW YEAR everyone!!! :-)

Tom Hendrikx posted a comment on ticket #179

Tom Hendrikx — Thu, 05 Jan 2023 13:40:12 -0000

I just solved this issue with ubuntu, I guess the same problem exists on debian. The problem is a combination of issues: The default WEB_CMD in rkhunter.conf is set to '/bin/false' you need to change it to your liking, and the primary example for that in the comments is to replace it with 'curl'. Now you can do --versioncheck, but you'll get 'Download failed'. The logfile (/var/log/rkhunter.log) tells you: "Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat" The...

DKragen posted a comment on ticket #179

DKragen — Sun, 01 Jan 2023 23:35:51 -0000

The rkhunter page (https://rkhunter.sourceforge.net/1.4.6/mirrors.dat)is down: "An error has been encountered in accessing this page. Server: rkhunter.sourceforge.net URL path: /1.4.6/mirrors.dat Error notes: NONE Error type: 404 Request method: GET Request query string: NONE Time: 2023-01-01 23:01:10 UTC (1672614070) Reporting this problem: The problem you have encountered is with a project web site hosted by SourceForge.net. This issue should be reported to the SourceForge.net-hosted project (not...

kiran nettimi posted a comment on ticket #180

kiran nettimi — Tue, 22 Nov 2022 06:07:30 -0000

Can anyone take a look into this please

kiran nettimi created ticket #180

kiran nettimi — Fri, 18 Nov 2022 11:27:51 -0000

"rkhunter --propupd" command execution got hung

Nong Hoang Tu created ticket #52

Nong Hoang Tu — Sat, 12 Nov 2022 05:03:58 -0000

An alternative way to detect diamorphine rootkit

sbourdette posted a comment on ticket #169

sbourdette — Thu, 10 Nov 2022 09:26:20 -0000

Do you know when it would be available in distribution repository like ubuntu ?

John Horne committed [866f69]

John Horne — Mon, 24 Oct 2022 16:16:52 -0000

Removed redundant comment.

John Horne committed [980239]

John Horne — Mon, 24 Oct 2022 15:27:48 -0000

Correct regex used with grep/egrep/sed commands. Also correct msg when link hash changed, it it the target that changed not the link itself.

Giorgos created ticket #179

Giorgos — Thu, 20 Oct 2022 12:22:12 -0000

Update failed.

John Horne committed [140b0f]

John Horne — Wed, 19 Oct 2022 14:48:32 -0000

Renamed the '--versioncheck' option to '--version-check'. Old name still recognized.

John Horne committed [138f02]

John Horne — Wed, 19 Oct 2022 14:35:41 -0000

Cater for grep 3.8 reporting about stray escape characters in regex.

John Horne committed [9ab9c3]

John Horne — Tue, 18 Oct 2022 16:24:13 -0000

Forgot to set the default for ALLOW_SSH_PROT_V1 to 2.

John Horne committed [3626c5]

John Horne — Tue, 18 Oct 2022 15:38:54 -0000

Carry out the check for 'grep -a' on all O/S's now.

John Horne committed [e25e2a]

John Horne — Tue, 18 Oct 2022 13:04:01 -0000

Removed egrep as a required command, also changed occurrences of egrep to 'grep -E'.

John Horne committed [2b0dd4]

John Horne — Sun, 16 Oct 2022 18:53:40 -0000

Reorganized part of the 'filesystem' check so that whitelisted entries are ignored before further testing on them.

Paul Menchini posted a comment on ticket #175

Paul Menchini — Fri, 14 Oct 2022 23:18:52 -0000

I added it, which suppressed the error. But, not sure if that is the proper action. __ I'm phoning this in. Please excuse brevity, autocorrect mishaps, typos and the like. No electrons were harmed in the composition or transmission of this email. On Fri, Oct 14, 2022, 11:48 Justin Pasher jpasher@users.sourceforge.net wrote: Does /etc/rkhunter.conf contain this line? Mine does. SCRIPTWHITELIST=/usr/bin/which.debianutils I see that Ubuntu 20.04 does not have it, but 22.04 does. Maybe your conf file...

Justin Pasher posted a comment on ticket #178

Justin Pasher — Fri, 14 Oct 2022 19:37:35 -0000

I tried running "rkhunter --enable filesystem" using the latest snapshot on Ubuntu 22.04, and I am not seeing the grep warning anymore (it did still give me the suspicious files in /dev warning, as expected for a default config). Looking at the log file, I do see this line, so it looks like it switched shells properly. [14:19:35] Info: Environment shell is /bin/bash; rkhunter is using bash [14:19:35] Info: Unknown shell changed from /usr/bin/dash to bash Somewhat interesting is the log entry for...

John Horne posted a comment on ticket #178

John Horne — Fri, 14 Oct 2022 16:46:12 -0000

Ah! Oh sorry, I thought the problem came from the grep command used in the 'file' pipeline. Okay, so it's the 'echo' command used later on with grep. Could you try the development version (1.4.7) of RKH? One of the first changes was to detect the shell better, and switch to bash if possible. I suspect the problem will then disappear. You can obtain the development version from: https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/ Click on the 'Download snapshot' towards the top-right. Unzip...

Justin Pasher posted a comment on ticket #175

Justin Pasher — Fri, 14 Oct 2022 15:48:38 -0000

Does /etc/rkhunter.conf contain this line? Mine does. SCRIPTWHITELIST=/usr/bin/which.debianutils I see that Ubuntu 20.04 does not have it, but 22.04 does. Maybe your conf file wasn't merged with upstream changes? I see this changelog entry: rkhunter (1.4.6-10) unstable; urgency=medium * Add /usr/bin/which.debianutils to SCRIPTWHITELIST. * Bump Standards-Version up to 4.6.0. -- Francois Marier Sun, 22 Aug 2021 11:14:44 -0700

Justin Pasher posted a comment on ticket #178

Justin Pasher — Fri, 14 Oct 2022 15:36:07 -0000

The command you provided works fine without warnings (it even works fine without the tr). Keep in mind that it's the 'echo' command in dash that is causing the escape sequences to be converted to their actual ASCII characters. If you chain together the 'file' and 'grep' commands, I wouldn't expect any warnings about binary files to display, since 'file' produces "clean" output. However, rkhunter captures the results in FTYPE, then echoes it out to grep because of the special case for MACOSX. If I...

John Horne posted a comment on ticket #178

John Horne — Fri, 14 Oct 2022 01:10:27 -0000

Thanks for that, and all the testing. Would you try the following please: file testfile | tr '[:cntrl:]' ' ' | grep abc I just want to see if the 030 (control-X) is the problem, so changing it to a space then makes grep work. (The second part of the 'tr' command is a single space in quotes, but it may not display too well above.) Using Fedora 36 and your testfile, rkhunter/grep showed no problem. It gave a warning about the file, but no grep problem. The file command shows it as a Matlab file. Using...

John Horne modified ticket #178

John Horne — Fri, 14 Oct 2022 01:10:27 -0000

rkhunter generates "bogus" grep warnings

John Horne posted a comment on ticket #178

John Horne — Fri, 14 Oct 2022 01:09:57 -0000

Justin Pasher posted a comment on ticket #178

Justin Pasher — Thu, 13 Oct 2022 23:37:26 -0000

Okay, I did a little more testing and narrowed down when it's happening, and it's a bash vs dash echo thing (Ubuntu uses dash for /bin/sh). The 'file' command is actually returning regular backslash-escaped text. I was able to create a test file that triggers the false detection that you can use (it should be 22 bytes). $ echo -ne '\x0\x0\x0\x0\xd0\xd0\xd0\xd0\x6\x0\x0\x0\x0\x0\x0\x0\x10\x0\x0\x0\xca\x18' >testfile $ file testfile testfile: Matlab v4 mat-file (little endian) \312\030, numeric, rows...

John Horne posted a comment on ticket #178

John Horne — Thu, 13 Oct 2022 13:55:09 -0000

Okay, I'm having trouble replicating this. The output from the 'file' command you ran on the command-line should be the same as received by rkhunter. It shouldn't contain any binary/control characters unless the '-r' option is used. So likewise if you run 'file | grep abc' then the 'grep' command should not be seeing anything causing it to think it is binary input. Could you run 'rkhunter --enable filesystem --debug'. This should create a file named '/tmp/rkhunter...'. Could...

John Horne posted a comment on ticket #178

John Horne — Thu, 13 Oct 2022 10:13:11 -0000

From the CHANGELOG for version 1.4.0: Ensure that the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options re-evaluate their whitelisting lists to ensure that any wildcard entries are the most recent. (A time window previously existed which meant that the list was processed, but new files could be created before the test was run. As such they were reported as false-positive warnings, when they should have been whitelisted.) The whitelisting was previously only done before the test, but, as said...

Robert J Dinse posted a comment on ticket #174

Robert J Dinse — Thu, 13 Oct 2022 09:58:33 -0000

Ah thank you. Now have 1.4.7 and it appears to be fixed. Thank you very much.

John Horne posted a comment on ticket #174

John Horne — Thu, 13 Oct 2022 09:42:20 -0000

Yes, that just clones the master branch which is version 1.4.6. You need to click on the 'download snapshot' button to get the latest development version.

Robert J Dinse posted a comment on ticket #174

Robert J Dinse — Thu, 13 Oct 2022 01:08:36 -0000

Ok, the version I have is 1.4.6 which is same version number as what I was running but I obtained it via: git clone https://git.code.sf.net/p/rkhunter/rkh_code rkhunter-rkh_code, I got this off the website you provided, it had: HTTPS Access: git clone https://git.code.sf.net/p/rkhunter/rkh_code rkhunter-rkh_code So that is what I did and the version I have installed is definitely from that as I wiped the previous and verified that it was all gone with locate.

John Horne posted a comment on ticket #174

John Horne — Thu, 13 Oct 2022 00:54:49 -0000

You can't be running the right version. The development version does not contain 'libkeyutils.so.1.9' or 'Spam tool component' anywhere in its code. Run 'rkhunter -V' to see what version you have.

Robert J Dinse posted a comment on ticket #174

Robert J Dinse — Thu, 13 Oct 2022 00:06:17 -0000

I obtained the development release from the from the git server referenced in the above URL and I still get the following errors: [16:57:22] Checking running processes for suspicious files [ Warning ] [16:57:22] Warning: The following processes are using suspicious files: [16:57:22] Command: cron [16:57:22] UID: 0 PID: 3612284 [16:57:22] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9 [16:57:22] Possible Rootkit: Spam tool component [16:57:22] Command: dbus-daemon [16:57:22] UID: 105 PID:...

John Horne committed [1e502b]

John Horne — Wed, 12 Oct 2022 23:57:44 -0000

Add comments about order of config file processing into man page.

John Horne committed [3deeb2]

John Horne — Wed, 12 Oct 2022 22:45:12 -0000

If rkhunter.d has no config files, then this should not give an error.

John Horne committed [8d1baf]

John Horne — Wed, 12 Oct 2022 17:50:57 -0000

Added (very) minor tests for BPFDoor, Syslogk, Symbiote, OrBit, Lightning Framework, HiddenWasp and the Bitspin and Shikitega malware.

John Horne committed [0ceb4a]

John Horne — Wed, 12 Oct 2022 15:25:06 -0000

Added v minor check for syslogk malware

John Horne posted a comment on ticket #174

John Horne — Wed, 12 Oct 2022 15:00:25 -0000

The development release can be found at: https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/ Then click on the 'download snapshot' to the top-right. Unzip the downloaded zip file, and run the installer.

John Horne committed [0a61e1]

John Horne — Tue, 11 Oct 2022 23:51:53 -0000

Corrected output from IPC memory segments check.

John Horne committed [2699b0]

John Horne — Tue, 11 Oct 2022 15:47:29 -0000

Added v minor check for BPFDoor malware.

John Horne committed [2b7a20]

John Horne — Tue, 11 Oct 2022 15:29:24 -0000

Changed default value of ALLOW_SSH_PROT_V1 option to 2.

John Horne committed [efb203]

John Horne — Tue, 11 Oct 2022 15:05:52 -0000

Improved the previous SSH commit: caters for config file sub-directory, and adds the 'With key' test result.

Robert J Dinse posted a comment on ticket #174

Robert J Dinse — Sun, 09 Oct 2022 21:46:02 -0000

Where can I pick up the development release? ---------------------------------------_- Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting. Knowledgeable human assistance, not telephone trees or script readers. See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874. On Sun, 9 Oct 2022, John Horne wrote: Date: Sun, 09 Oct 2022 21:25:24 -0000 From: John Horne jhorne@users.sourceforge.net Reply-To: "[rkhunter:bugs] " 174@bugs.rkhunter.p.re.sourceforge.net To:...

John Horne posted a comment on ticket #174

John Horne — Sun, 09 Oct 2022 21:25:23 -0000

The output shown is from the 'running_procs' test, not suspscan. If you run something like: grep 'Disabled tests' /var/log/rkhunter.log then it will show you which tests are disabled. The issue with the libkeyutils library, and whitelisting failing (as can be seen by the pathname being a number) are known about and fixed in the development version of rkhunter.

Robert J Dinse posted a comment on ticket #174

Robert J Dinse — Sun, 09 Oct 2022 03:43:32 -0000

I have: DISABLE_TESTS=suspscan, and yet: [20:37:04] Warning: The following processes are using suspicious files: [20:37:04] Command: dbus-daemon [20:37:04] UID: 105 PID: 816 [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9 [20:37:04] Possible Rootkit: Spam tool component [20:37:04] Command: in.ftpd [20:37:04] UID: 14 PID: 1011422 [20:37:04] Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9 [20:37:04] Possible Rootkit: Spam tool component [20:37:04] Command: in.ftpd [20:37:04]...

Justin Pasher created ticket #178

Justin Pasher — Fri, 07 Oct 2022 22:54:02 -0000

rkhunter generates "bogus" grep warnings

John Horne posted a comment on ticket #174

John Horne — Fri, 30 Sep 2022 19:48:13 -0000

Suspscan is part of the 'malware' test which you have enabled (looking at the above). You haven't said what your DISABLE_TESTS setting is. John.

John Horne posted a comment on ticket #169

John Horne — Fri, 30 Sep 2022 19:42:45 -0000

Fixed in the development version.

John Horne modified ticket #169

John Horne — Fri, 30 Sep 2022 19:42:45 -0000

Changes to sshd config files. Creates bug.

John Horne committed [f6816f]

John Horne — Fri, 30 Sep 2022 14:45:31 -0000

Add in use of sshd -T for SSH options check.

Matthias Fenner created ticket #177

Matthias Fenner — Wed, 21 Sep 2022 06:41:21 -0000

suspscan.dat outdated

Pantelis Panayiotou posted a comment on ticket #176

Pantelis Panayiotou — Mon, 12 Sep 2022 15:15:13 -0000

OK, I think I've done it. The attached should contain all of GGGG's fixes, and be identical to stock 1.4.6 otherwise. It appears to work fine, for me at least. Let's hope the developers will find it useful, and manage to issue an official patch for this bug as soon as possible.

GGGG modified a comment on ticket #176

GGGG — Mon, 12 Sep 2022 14:34:32 -0000

Well this patch was part of my distro. As you pointed out, it is related to systemd-journal. So, it should be reverted from mine to get something which should better work on other distros. Regards

GGGG posted a comment on ticket #176

GGGG — Mon, 12 Sep 2022 14:32:11 -0000

Well those patches were part of my distro. Included all from the rpm packages. As you pointed out, the relevant one is related to systemd-journal. So those patches should be reverted from mine to get something which should better work on other distros. Regards

Pantelis Panayiotou modified a comment on ticket #176

Pantelis Panayiotou — Mon, 12 Sep 2022 12:32:15 -0000

Hi GGGG, The offending code seems to be this block at line 17529: RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | grep -E 'systemd-journald( |$)' | grep -v 'grep'` if [ -n "${RKHTMPVAR}" ]; then SYSTEMD_JOURNAL_SEEN=1 display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL else display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL fi Removing the...

Pantelis Panayiotou modified a comment on ticket #176

Pantelis Panayiotou — Mon, 12 Sep 2022 12:30:43 -0000