Hello rkhunter team!

I'd like to report a false positive while using firejail. 

This may help users using similar configurations who run into this problem rule 
out a false positive. I'm using a Debian-based distro (Parrot OS) running the 
latest rkhunter and firejail. 

firejail version 0.9.64.4

    This needs the hardened ping profile (ping-hardened.inc.profile,
    ping.profile) and the symlinks set up (sudo firecfg).
    Run: rkhunter -c -sk
    Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 7
    Rootkit names : Ping Rootkit or other backdoor
    Warning: Checking for possible rootkit strings [ Warning ]
    Found string '/bin/bash' in file '/usr/local/bin/ping'. Possible rootkit: Ping Rootkit or other backdoor

After reviewing the problem and checking multiple other computers with the same 
config and unrelated to my setup, I was able to rule it out as a false positive.
I reviewed another computer which is also a personal laptop running Parrot OS. 
The same possible rootkit appeared. I did much research and couldn't find a bug 
anywhere or information on the rootkit directly. After purging firejail and 
reinstalling the profiles and the software itself, the warning was gone (as the 
symlinks were gone).

I used a friend's system who is unrelated to my network and with whom I seldom 
share any information. He also uses Parrot OS as a desktop distro (no ports with 
services facing the web directly).
He had firejail installed, same version (0.9.64.4), and he also had the ping 
hardened profile included in /etc/firejail but had not run sudo firecfg after 
installing the software a few months back. He ran rkhunter -c -sk and the 
following came out:
    Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 6 (all of which are confirmed false positives)

I also wrote to the firejail devs about the issue: 
https://github.com/netblue30/firejail/issues/5236, where further details may be 
seen. They also ruled it out as a false positive. 
I hope this helps other users who run into this issue find answers on the 
issue. There are some false positives arising from firejail which are nothing 
to worry about. 

Thank you all!

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
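Added example (not from the mail above and not rkhunter's or firejail's own code): a small POSIX shell triage helper that takes rkhunter's "Found string ... in file ..." warning lines and reports whether each flagged path is a firecfg symlink to /usr/bin/firejail, which is the mechanism the mail describes, so the hit can be confirmed as expected before it is whitelisted. It assumes firecfg links /usr/local/bin/<app> to /usr/bin/firejail; the rkhunter line it is fed is a constructed copy of the one quoted in the mail.

```shell
#!/bin/sh
# Added triage helper (not from the original mail, rkhunter or firejail).
# Assumption: `sudo firecfg` creates symlinks /usr/local/bin/<app> -> /usr/bin/firejail,
# so rkhunter's string scan of /usr/local/bin/ping really reads the firejail
# binary, which legitimately contains "/bin/bash".

# flagged_files: read rkhunter output on stdin, print each path it flagged.
flagged_files() {
    sed -n "s/^.*Found string '[^']*' in file '\([^']*\)'.*$/\1/p"
}

# classify_hit FILE [FIREJAIL]: firecfg-symlink | other-symlink | regular-file | missing
classify_hit() {
    f=$1
    fj=${2:-/usr/bin/firejail}
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo missing
        return 0
    fi
    if [ -L "$f" ]; then
        # Compare fully resolved targets so chained links still match.
        if [ "$(readlink -f "$f")" = "$(readlink -f "$fj")" ]; then
            echo firecfg-symlink
        else
            echo other-symlink
        fi
        return 0
    fi
    echo regular-file
}

# has_bash_string FILE: succeeds if the (resolved) file contains "/bin/bash",
# the exact string rkhunter matched on.
has_bash_string() {
    grep -q -a '/bin/bash' "$1"
}

# triage [FIREJAIL]: one "path<TAB>classification" line per flagged file.
triage() {
    fj=${1:-/usr/bin/firejail}
    flagged_files | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(classify_hit "$f" "$fj")"
    done
}

# Constructed sample of the warning line quoted in the mail; on a machine
# without firecfg symlinks this reports "missing" rather than a match.
printf "%s\n" \
  "Found string '/bin/bash' in file '/usr/local/bin/ping'. Possible rootkit: Ping Rootkit or other backdoor" \
  | triage
```

A "firecfg-symlink" result means the string came from the firejail binary, not from ping; any "other-symlink" or "regular-file" result on a system binary still deserves a look.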