On 28.11.2017 15:16, Brian wrote:
> On Tue 28 Nov 2017 at 14:04:58 +0500, Alexander V. Makartsev wrote:
>
>> IMHO "ignore it and purge" is terrible advice for anything. It is
>> better to understand the logic behind those triggers, even if they are
>> indeed false positives in this case.
> The advice was not intended to be generalised for all software. It was
> given in a particular context for a software which has an extensive
> track record for producing output which is of no consequence. I would
> be very, very surprised if Gene Heskett had obtained firefox-esr from
> an untrusted source. Yet another reason for not giving any credence to
> what it reported.
That could have nothing to do with firefox-esr. Just because some package
was installed last doesn't always mean it will be the source of the
problem.
Anyway, creating software that will reliably detect something meant to
be undetectable, like a rootkit, while evading the rootkit's protection
measures against well-known anti-rootkit software is impossible.
When I read that log Gene posted and saw "6667 port" I was like "Holy
shit, this is serious", but then I looked up "portsentry" and
realized it is an FP.
"rkhunter" had every right to panic and it's the user's fault for not knowing
how "portsentry" works. (IF this is the legit "portsentry" and not
something that just has its name.)
>> "rkhunter" has panicked and rightfully so because it found a running
>> process with suspicious ports in listening state. As it explained, these
>> ports are known for usage by malware, e.g. 6667 could be used for an
>> IRC bot which is used for remote control of the malware.
>> The name of the process was "portsentry" and, as stated in its package
>> description, it is used for portscan detection, so it must have opened ports
>> to "see" if there are any portscans of known ports going on.
>> Did you install "portsentry", and should you trust "portsentry" to open
>> ports like this? Those are other questions.
>>
>> I don't use "rkhunter", but there is probably some mechanism to
>> whitelist, so it won't trigger on the same things (xinetd) every time.
> I am all in favour of finding causes for software behaviour but make
> an exception for rkhunter. Discovering that xinitrd is running is no
> great achievement. Labelling it as suspicious and the source of a
> possible rootkit comes close to generating FUD and inducing panic
> in less experienced users.
>
That said, it is better to know at least something and investigate than
just to say "meh, it's another FP" and uninstall the software.
"rkhunter" has served its purpose at least to urge "less experienced
users" to do research and learn.


-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀ 
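As an added illustration of the check discussed in this thread (not code from rkhunter, portsentry or Debian): an rkhunter-style "suspicious ports" scan over constructed `ss -ltnp` output that whitelists a listener only when its resolved executable path matches, so a process that merely carries the name "portsentry" is still flagged. The port table, the install path and the sample output are constructed assumptions.

```python
import re

# Ports an rkhunter-style "suspicious ports" check would flag (constructed table;
# 6667 is the one from the thread: IRC, the control channel of many IRC bots).
SUSPICIOUS_PORTS = {6667: "IRC (bot control channel)", 31337: "historic backdoor port"}

# Whitelist keyed on the resolved executable path rather than the process name,
# so a binary that merely carries the name "portsentry" is still flagged.
# Hypothetical path: check where your distribution installs portsentry.
ALLOWED = {6667: "/usr/sbin/portsentry", 31337: "/usr/sbin/portsentry"}

# Constructed `ss -ltnp` output and what readlink /proc/<pid>/exe would return.
# pid 802 has the right name but runs from /tmp, the case the thread warns about.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:6667       0.0.0.0:*         users:(("portsentry",pid=801,fd=5))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("portsentry",pid=802,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=500,fd=3))
"""
SAMPLE_EXE = {801: "/usr/sbin/portsentry", 802: "/tmp/.x/portsentry", 500: "/usr/sbin/sshd"}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Return (port, process name, pid) for every LISTEN line of `ss -ltnp`."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return listeners

def check_listeners(listeners, exe_of, allowed=ALLOWED):
    """Classify each listener on a suspicious port as 'whitelisted' or 'suspicious'.

    exe_of maps pid -> resolved executable path (on a live host: readlink
    /proc/<pid>/exe). Only an exact path match for that port whitelists it."""
    findings = []
    for port, name, pid in listeners:
        if port not in SUSPICIOUS_PORTS:
            continue
        exe = exe_of.get(pid, "<unknown>")
        verdict = "whitelisted" if allowed.get(port) == exe else "suspicious"
        findings.append((port, name, pid, exe, verdict, SUSPICIOUS_PORTS[port]))
    return findings

if __name__ == "__main__":
    for finding in check_listeners(parse_ss(SAMPLE_SS), SAMPLE_EXE):
        print(finding)
```

On a real host the same question is answered by pairing `ss -ltnp` with `readlink /proc/<pid>/exe` and confirming the path belongs to the installed package (`dpkg -S`); rkhunter's own whitelist is configured in rkhunter.conf (the PORT_WHITELIST and PORT_PATH_WHITELIST directives in the versions I know, so check the config shipped with yours).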
