I let rkhunter run about once a week. There has been nothing for many months. But today its report complains about */lib64/libkeyutils.so.1.9* and therefore about other tools that are (or seem to be) using this SO. The SO matches the one from 'core/keyutils 1.6.1-1' in size and hash. I've uploaded the SO to some "we scan it all" AV sites, but none of them found anything. Should I/we be worried? Is there anything else I can do? Or is this a false alarm, and the warnings are somewhat okay because of the package's nature ("Linux Key Management Utilities")?

> Warning: Checking for possible rootkit files and directories [ Warning ]
> Found file '/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> Found file '/usr/lib/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
> Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component
>
> Warning: The following processes are using suspicious files:
> Command: (sd-pam)
> UID: 1001 PID: 944
> Pathname:
> Possible Rootkit: Spam tool component
> Command: NetworkManager
> UID: 0 PID: 381
> Pathname:
> Possible Rootkit: Spam tool component
> Command: NetworkManager
> UID: 385 PID: 381
> Pathname: 3166425
> Possible Rootkit: Spam tool component
> Command: NetworkManager
> UID: 387 PID: 381
> Pathname: 3166425
> Possible Rootkit: Spam tool component
> Command: Xorg
> UID: 0 PID: 512
> Pathname:
> Possible Rootkit: Spam tool component
> [...]