On Tue, 2019-08-20 at 10:15 +0200, ProgAndy wrote: > Am 20.08.19 um 10:00 schrieb Filipe Laíns via arch-general: > > On Tue, 2019-08-20 at 08:33 +0200, Oliver Jaksch via arch-general > > wrote: > > > I let rkhunter running around once a week. There were nothing > > > since many > > > months. But today it's report complains about > > > */lib64/libkeyutils.so.1.9* and > > > therefore other tools they're (seems to be) using this SO. > > > > ... > > No, those libraries are used for key manipulation, that's why > > rkhunter > > thinks that they might be sniffer. > > > In this particular case the filename was apparently used by a rootkit > in > 2013 and it was blacklisted. Now the legitimate owner of the > libkeyutils filenames has reached the blacklisted version number. I > don't know which of the two possibilities it is in your case. > > https://bugs.archlinux.org/task/63369 > https://www.webhostingtalk.com/showthread.php?t=1235797 The sources are pulled from [1] and signed by David Howells (Redhat) so I am pretty inclined to trust them. I did not, however, inspect the sources myself so I can give any guarantees. [1] https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git Thanks, Filipe Laíns 3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
Attachment:
signature.asc
Description: This is a digitally signed message part
