Am 20.08.19 um 10:00 schrieb Filipe Laíns via arch-general: > On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general wrote: >> I let rkhunter running around once a week. There were nothing since many >> months. But today it's report complains about */lib64/libkeyutils.so.1.9* and >> therefore other tools they're (seems to be) using this SO. >> ... > No, those libraries are used for key manipulation, that's why rkhunter > thinks that they might be sniffer. > In this particular case the filename was apparently used by a rootkit in 2013 and it was blacklisted. Now the legitimate owner of the libkeyutils filenames has reached the blacklisted version number. I don't know which of the two possibilities it is in your case. https://bugs.archlinux.org/task/63369 https://www.webhostingtalk.com/showthread.php?t=1235797
