Hello,
I've got a Linux server (openSUSE 15.2) that suddenly showed a suspicious warning during the night after a timed rkhunter scan (cron job); the days before it was quiet.
There was no update on the machine before, no reboot or something like that...
 
RKHunter shows a warning about 'systemd' as a possible rootkit, can anybody help me with that?
Any hints how I could verify what that means?
Is there a known false positive relating to that message or something like that?
 
 
Running Rootkit Hunter version 1.4.6 (updated):
 
...
[04:06:33] Info: Starting test name 'malware'
[04:06:33] Performing malware checks
[04:06:33]
[04:06:33] Info: Test 'deleted_files' disabled at users request.
[04:06:33]
[04:06:33] Info: Starting test name 'running_procs'
[04:06:50]   Checking running processes for suspicious files [ Warning ]
[04:06:50] Warning: The following processes are using suspicious files:
[04:06:50]          Command: systemd
[04:06:50]            UID: 0    PID: 1
[04:06:50]            Pathname:
[04:06:50]            Possible Rootkit: Unknown rootkit
[04:06:50]
[04:06:50] Info: Test 'hidden_procs' disabled at users request.
[04:06:50]
[04:06:50] Info: Test 'suspscan' disabled at users request.
[04:06:50]
[04:06:50] Info: Starting test name 'login_backdoors'
[04:06:50]     Checking for '/bin/.login'                    [ Not found ]
[04:06:50]     Checking for '/sbin/.login'                   [ Not found ]
[04:06:50]   Checking for login backdoors                    [ None found ]
...
 
Thanks for any help!
 
Bye
Kristof S.
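One way to triage a running_procs hit like the one above, as an added example that is neither the poster's nor rkhunter's code: read the file-backed memory mappings of the flagged process from /proc/<pid>/maps, flag any mapping backed by a deleted file or by a scratch directory, resolve the process executable, and verify it against its owning package with `rpm -Vf` (openSUSE is rpm-based). The function names classify_map_line and triage_pid are hypothetical; reading PID 1's maps requires root.

```shell
#!/bin/sh
# Triage helper (hypothetical, not part of rkhunter) for a "process is using
# suspicious files" warning. Assumes Linux /proc, awk, readlink; rpm optional.

# classify_map_line LINE -> prints one of: ANON, DELETED, TMPPATH, OK
# A /proc/<pid>/maps line looks like:
#   7f3a2c000000-7f3a2c021000 r-xp 00000000 08:01 1234   /usr/lib64/libc.so.6
classify_map_line() {
    printf '%s\n' "$1" | awk '{
        if (NF < 6) { print "ANON"; exit }                 # no backing path
        path = $6; for (i = 7; i <= NF; i++) path = path " " $i
        if (path ~ /\(deleted\)$/) { print "DELETED"; exit }          # file unlinked or replaced while mapped
        if (path ~ /^\/(tmp|var\/tmp|dev\/shm)\//) { print "TMPPATH"; exit }  # code mapped from a scratch dir
        if (path ~ /^\[/) { print "ANON"; exit }           # [heap], [stack], [vdso] pseudo-entries
        print "OK"
    }'
}

# triage_pid PID -> prints the resolved executable, every non-OK mapping,
# and the rpm verification result for the package owning the executable.
triage_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unreadable)
    printf 'exe: %s\n' "$exe"
    while IFS= read -r line; do
        tag=$(classify_map_line "$line")
        [ "$tag" = OK ] || [ "$tag" = ANON ] || printf '%s %s\n' "$tag" "$line"
    done < "/proc/$pid/maps"
    # rpm -V prints nothing when the on-disk file matches the package database
    if [ "$exe" != unreadable ] && command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$exe" || printf 'rpm: verification differences above for %s\n' "$exe"
    fi
}

# Stand-alone use: sh triage.sh 1
if [ -n "${1:-}" ]; then
    triage_pid "$1"
fi
```

A clean run shows the expected systemd path for exe, no DELETED or TMPPATH lines, and no rpm output; a DELETED entry right after an update is usually just a library replaced on disk while PID 1 kept the old copy mapped.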
 
 
 
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users