Hello and thanks for reading. I installed rkhunter, updated it and ran it. It gave me this:
[17:28:20] Checking running processes for suspicious files [ Warning ]
[17:28:20] Warning: The following processes are using suspicious files:
[17:28:20] Command: xl
[17:28:20] UID: 0 PID: 514
[17:28:20] Pathname: /usr/sbin/xl
[17:28:20] Possible Rootkit: Dica-Kit Rootkit
[17:28:20] Command: xl
[17:28:20] UID: 515 PID: 514
[17:28:21] Pathname: 432688
[17:28:21] Possible Rootkit: Dica-Kit Rootkit

I can't find anything about this -rootkit- and Qubes on the net, no false positives and such. I uploaded the file, xl, to VirusTotal and all results were green, so no antivirus program found anything wrong with this file.

"The following processes are using suspicious files": is there a way to find these suspicious files? The only file that I found that xl uses is xldevd.pid, and there is a log file /var/log/xen/xldevd.log, but the log file is empty.

The rkhunter log gives me this:

[17:23:27] Scanning for string /var/run/...dica/clean [ OK ]
[17:23:27] Scanning for string /var/run/...dica/dxr [ OK ]
[17:23:27] Scanning for string /var/run/...dica/read [ OK ]
[17:23:27] Scanning for string /var/run/...dica/write [ OK ]
[17:23:27] Scanning for string /var/run/...dica/lf [ OK ]
[17:23:27] Scanning for string /var/run/...dica/xl [ OK ]
[17:23:27] Scanning for string /var/run/...dica/xdr [ OK ]
[17:23:28] Scanning for string /var/run/...dica/psg [ OK ]
[17:23:28] Scanning for string /var/run/...dica/secure [ OK ]
[17:23:28] Scanning for string /var/run/...dica/rdx [ OK ]
[17:23:28] Scanning for string /var/run/...dica/va [ OK ]
[17:23:28] Scanning for string /var/run/...dica/cl.sh [ OK ]
[17:23:28] Scanning for string /var/run/...dica/last.log [ OK ]

So, if anyone could install rkhunter on their Fedora 24 template and see if you get the same results, that would be very helpful. :)

Has my Qubes been compromised?

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d890712-3780-4c34-adc1-f4cdccdc7844%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
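The question in the post, "is there a way to find these suspicious files?", can be answered from /proc directly. The script below is an added example, not code from the post or from rkhunter: it lists the executable, the targets of open file descriptors and the file-backed mappings of a PID, then flags every path whose basename is on the Dica-Kit file list that the posted rkhunter log shows it scanning for (clean, dxr, read, write, lf, xl, xdr, psg, secure, rdx, va, cl.sh, last.log). The name list is copied from those log lines; that rkhunter's own "running processes" check works by the same name comparison is an assumption, as are the helper names. A hit only means a name collision: xl is also the Xen toolstack's command-line tool, which the paths /usr/sbin/xl and /var/log/xen/xldevd.log in the post point at, so a flagged path still has to be judged by its location and verified against the package database.

```sh
#!/bin/sh
# Added example (not from the post or from rkhunter): enumerate the files a
# process uses via /proc and flag names on the Dica-Kit list. Run as root to
# inspect processes you do not own. Helper names here are made up.

# Basenames of the /var/run/...dica/<name> strings rkhunter scanned for in
# the posted log. "xl" collides with the Xen toolstack binary of that name.
DICA_NAMES="clean dxr read write lf xl xdr psg secure rdx va cl.sh last.log"

# proc_files PID: print the executable, the targets of open file descriptors
# and the file-backed mappings of PID, one absolute path per line, deduplicated.
# Non-file descriptors (socket:[...], pipe:[...]) are dropped by the grep.
proc_files() {
    p=$1
    {
        readlink "/proc/$p/exe" 2>/dev/null || true
        for fd in /proc/"$p"/fd/*; do
            readlink "$fd" 2>/dev/null || true
        done
        # maps: columns 1-5 are address, perms, offset, dev, inode;
        # everything after is the pathname (which may contain spaces).
        awk 'NF >= 6 { $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }' \
            "/proc/$p/maps" 2>/dev/null || true
    } | grep '^/' | sort -u
}

# flag_dica_names: read paths on stdin, print those whose basename is on the
# list. A hit only means the name collides; judge it by its location
# (/usr/sbin is not /var/run/...dica) and verify the file against the package
# database with:  rpm -qf PATH; rpm -Vf PATH
flag_dica_names() {
    while IFS= read -r path; do
        base=${path##*/}
        for name in $DICA_NAMES; do
            if [ "$base" = "$name" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
    return 0
}

# Usage: sudo sh proc_check.sh <PID>   e.g. the PID 514 from the rkhunter warning.
# Without an argument it inspects the running shell, as a harmless dry run.
proc_files "${1:-$$}" | flag_dica_names
```

Run it as root against the PID from the warning; every line it prints is a file the process uses whose name is on the list, which is what the "suspicious files" wording refers to. Expect /usr/sbin/xl itself to appear, since the name matches, and then let rpm -Vf decide whether that binary is the one the package installed.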
