rkhunter warning: real or false alarm?

This morning, I got the following warning from rkhunter:
-----
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Network TCP port 60922 is being used by /usr/lib64/firefox/firefox. Possible rootkit: zaRwT.KiT
         Use the 'lsof -i' or 'netstat -an' command to check this.

----------------------- End Rootkit Hunter Scan -----------------------
-----
The output of lsof -i is here:
-----
bash.1[~]: lsof -i
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd      1    root   31u  IPv4   2530      0t0  TCP *:sunrpc (LISTEN)
systemd      1    root   32u  IPv4   2536      0t0  UDP *:sunrpc
systemd      1    root   33u  IPv6   2543      0t0  TCP *:sunrpc (LISTEN)
systemd      1    root   35u  IPv6   2550      0t0  UDP *:sunrpc
rpcbind    857     rpc    4u  IPv4   2530      0t0  TCP *:sunrpc (LISTEN)
rpcbind    857     rpc    5u  IPv4   2536      0t0  UDP *:sunrpc
rpcbind    857     rpc    6u  IPv6   2543      0t0  TCP *:sunrpc (LISTEN)
rpcbind    857     rpc    7u  IPv6   2550      0t0  UDP *:sunrpc
rpcbind    857     rpc   11u  IPv6  22909      0t0  UDP *:50041
avahi-dae  890   avahi   12u  IPv4  24285      0t0  UDP *:mdns
avahi-dae  890   avahi   13u  IPv6  24286      0t0  UDP *:mdns
avahi-dae  890   avahi   14u  IPv4  24287      0t0  UDP *:57958
avahi-dae  890   avahi   15u  IPv6  24288      0t0  UDP *:39302
chronyd    917  chrony    5u  IPv4  27077      0t0  UDP localhost:323
chronyd    917  chrony    6u  IPv6  27078      0t0  UDP localhost:323
dhclient  1091    root    6u  IPv4  31071      0t0  UDP *:bootpc
cupsd     1110    root    7u  IPv4  32911      0t0  TCP *:ipp (LISTEN)
cupsd     1110    root    8u  IPv6  32912      0t0  TCP *:ipp (LISTEN)
dhclient  1168    root    5u  IPv6  29353      0t0  UDP coyote:dhcpv6-client
dnsmasq   1285 dnsmasq    3u  IPv4  36958      0t0  UDP *:bootps
dnsmasq   1285 dnsmasq    5u  IPv4  36961      0t0  UDP coyote:domain
dnsmasq   1285 dnsmasq    6u  IPv4  36962      0t0  TCP coyote:domain (LISTEN)
sendmail  2061    root    4u  IPv4  40777      0t0  TCP localhost:smtp (LISTEN)
bash.2[~]:
-----
The output from "netstat -an" is too long to put here.  I don't know what to look for in all that.
1. What specifically should I be looking for?
2. Is rkhunter's warning a false alarm or a real problem?

thanks,
Bill.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
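The first question in the post (what to look for in the `lsof`/`netstat` output) has a mechanical answer: find the flagged port, see which process holds it, check whether that socket is LISTENing or is an outbound client connection, and check whether the port falls in the local ephemeral range that clients are assigned for outgoing connections. rkhunter's port test matches open ports against a list of ports historically used by rootkits, so a browser's outbound connection that happens to land on one of those ephemeral ports will trip it. The script below is an added example, not code from the thread or from rkhunter: it parses the warning line quoted above and a `lsof -i -P -n` listing, and reports those three facts. The `lsof` sample is constructed for the demo; the `firefox` line in it is hypothetical and shows what an outbound browser connection looks like while it is still open (the listing in the post no longer shows port 60922 at all).

```python
"""Triage an rkhunter "known rootkit port" warning against `lsof -i -P -n` output.

Added example, not code from the mailing-list thread or from rkhunter. The
warning line is the one quoted in the post; the lsof sample is constructed
(the firefox line is hypothetical).
"""
import re
import socket
from collections import namedtuple

Sock = namedtuple("Sock", "command pid user proto local_port state")

# Warning line as quoted in the post.
WARNING = ("Warning: Network TCP port 60922 is being used by "
           "/usr/lib64/firefox/firefox. Possible rootkit: zaRwT.KiT")

# Constructed `lsof -i -P -n` sample (numeric ports and addresses).
LSOF_SAMPLE = """\
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind    857     rpc    4u  IPv4   2530      0t0  TCP *:111 (LISTEN)
cupsd     1110    root    7u  IPv4  32911      0t0  TCP *:631 (LISTEN)
sendmail  2061    root    4u  IPv4  40777      0t0  TCP 127.0.0.1:25 (LISTEN)
firefox   3412    bill   71u  IPv4  51234      0t0  TCP 192.0.2.10:60922->198.51.100.7:443 (ESTABLISHED)
"""

_WARN_RE = re.compile(r"Network (TCP|UDP) port (\d+) is being used by (\S+?)\.(?:\s|$)")
_KIT_RE = re.compile(r"Possible rootkit:\s*(\S+)")


def parse_warning(line):
    """Pull protocol, port, binary path and the named rootkit out of the warning."""
    m = _WARN_RE.search(line)
    if not m:
        raise ValueError("not an rkhunter port warning: %r" % line)
    kit = _KIT_RE.search(line)
    return {"proto": m.group(1), "port": int(m.group(2)), "binary": m.group(3),
            "rootkit": kit.group(1) if kit else None}


def _port_number(text, proto):
    """Numeric port; resolves service names (sunrpc, ipp) when lsof ran without -P."""
    try:
        return int(text)
    except ValueError:
        try:
            return socket.getservbyname(text, proto.lower())
        except OSError:
            return None


def parse_lsof(text):
    """Parse `lsof -i` lines into Sock records (local port and socket state only)."""
    socks = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        proto, name = fields[7], fields[8]
        state = fields[9].strip("()") if len(fields) > 9 else ""
        local = name.split("->")[0]          # drop the peer of an established connection
        port = _port_number(local.rsplit(":", 1)[-1], proto)
        socks.append(Sock(fields[0], int(fields[1]), fields[2], proto, port, state))
    return socks


def ephemeral_range(default=(32768, 60999)):
    """Local ephemeral port range from /proc (Linux); falls back to the usual default."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return default


def triage(warning, lsof_text, ephemeral=None):
    """Report who holds the flagged port now, whether it LISTENs, and whether it is ephemeral."""
    w = parse_warning(warning)
    lo, hi = ephemeral or ephemeral_range()
    hits = [s for s in parse_lsof(lsof_text)
            if s.proto == w["proto"] and s.local_port == w["port"]]
    listening = any(s.state == "LISTEN" for s in hits)
    in_eph = lo <= w["port"] <= hi
    findings = []
    if not hits:
        findings.append("nothing currently holds %s %d; a short-lived client connection "
                        "is already gone, re-run lsof while the process is active"
                        % (w["proto"], w["port"]))
    for s in hits:
        if s.state == "LISTEN":
            findings.append("%s[%d] is LISTENING on %s %d: unexpected for %s, investigate"
                            % (s.command, s.pid, s.proto, s.local_port, w["binary"]))
        else:
            findings.append("%s[%d] holds %s %d as a %s client socket%s"
                            % (s.command, s.pid, s.proto, s.local_port,
                               s.state or "non-listening",
                               " in the ephemeral range" if in_eph else ""))
    return {"proto": w["proto"], "port": w["port"], "binary": w["binary"],
            "rootkit": w["rootkit"], "listening": listening, "ephemeral": in_eph,
            "owners": [(s.command, s.pid, s.state) for s in hits], "findings": findings}


if __name__ == "__main__":
    for line in triage(WARNING, LSOF_SAMPLE, ephemeral=(32768, 60999))["findings"]:
        print(line)
```

Run it against a fresh `lsof -i -P -n` capture while the named process is active; `ss -tulpn` gives the same LISTEN view if you prefer it to `netstat -an`. A LISTENing socket owned by a desktop binary on a rootkit-list port is the case worth chasing; an established outbound connection on an ephemeral port is what a browser does all day. Independently of the socket view, the flagged binary can be checked against its package with `rpm -Vf /usr/lib64/firefox/firefox`, which is a test rkhunter's port match does not perform.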