I would take rkhunter seriously.  I would note the PID, descend into
/proc, run ls -lat ./exe inside the PID directory in /proc, and check the
hash of the exe file to make sure it is genuine before writing it off as a
bug.  I would not write off the traffic as unroutable, because government
actors and the most sophisticated criminals use NIDS to evade.  You might
be wrong; it can't hurt to check the hash of the binary.

Cheers,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


On Thu, Sep 29, 2022 at 3:06 PM Michael D. Setzer II via Rkhunter-users <
rkhunter-users@lists.sourceforge.net> wrote:

> Rkhunter reports
>
> [04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
> Possible rootkit: Possible Universal Rootkit (URK) component
>            Use the 'lsof -i' or 'netstat -an' command to check this.
>
> Using lsof -i I get this.
>
> lsof -i | grep boinc
> boinc       2766       msetzerii    7u  IPv4   35501      0t0  TCP localhost:xqosd (LISTEN)
> boinc       2766       msetzerii   10u  IPv4 1331117      0t0  TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> boinc       2766       msetzerii   14u  IPv4 1331116      0t0  TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
>
> The address shows a router that doesn't forward this port
> to machines behind it, so I don't think it would go
> anywhere. So not sure if this is an issue, or if it would be
> something with rkhunter or with the boinc einstein project.
>
> (Also, saw an issue in report with /usr/libexec/gawk
> linking to /usr/libexec/awk which is a directory with two
> files. The gawk is new from earlier this month, the files in
> awk date to 7/2021?)
> Fedora 35.
>
> # ls -l | grep awk
> drwxr-xr-x. 2 root root                   4096 Jun  6 16:36 awk
> lrwxrwxrwx. 1 root root                      3 Sep 18 01:19 gawk -> awk
> # ls -l awk
> total 32
> -rwxr-xr-x. 1 root root 15944 Jul 22  2021 grcat
> -rwxr-xr-x. 1 root root 15928 Jul 22  2021 pwcat
>
> +------------------------------------------------------------+
>  Michael D. Setzer II - Computer Science Instructor
> (Retired)
>  mailto:mi...@guam.net
>  mailto:msetze...@gmail.com
>  Guam - Where America's Day Begins
>  G4L Disk Imaging Project maintainer
>  http://sourceforge.net/projects/g4l/
> +------------------------------------------------------------+
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>
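The /proc check suggested in the reply, written out as an added example (not code from either poster or from rkhunter). It hashes /proc/PID/exe directly, because the kernel serves the image that is actually executing even if the file on disk was replaced or deleted after the process started, and then asks the package manager (rpm on Fedora, dpkg on Debian/Ubuntu) whether the on-disk file still matches what it installed. The PID 2766 and the path /usr/bin/boinc come from the lsof output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify that a listening process is running a genuine binary.
set -u

# Raw readlink text for /proc/PID/exe, e.g. "/usr/bin/boinc" or
# "/usr/bin/boinc (deleted)" when the on-disk file changed after exec.
exe_link_of_pid() { readlink "/proc/$1/exe" 2>/dev/null; }

# 0 when the link text carries the kernel's "(deleted)" marker.
is_deleted_exe() { case "$1" in *" (deleted)") return 0 ;; *) return 1 ;; esac; }

# Strip the marker to recover the original on-disk path.
exe_path_from_link() { printf '%s\n' "${1% (deleted)}"; }

# sha256 of the running image, read through the /proc magic link.
hash_of_running_exe() { sha256sum "/proc/$1/exe" 2>/dev/null | cut -d' ' -f1; }

# Package-manager verdict for the on-disk file: ok / modified / unowned /
# no-package-manager. Empty verify output means every recorded attribute matches.
verify_on_disk() {
    path=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$path" >/dev/null 2>&1 || { echo unowned; return; }
        [ -z "$(rpm -Vf "$path" 2>/dev/null)" ] && echo ok || echo modified
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1) || pkg=""
        [ -n "$pkg" ] || { echo unowned; return; }
        [ -z "$(dpkg --verify "$pkg" 2>/dev/null)" ] && echo ok || echo modified
    else
        echo no-package-manager
    fi
}

# Usage: check_pid 2766   (the boinc PID from the lsof output)
check_pid() {
    link=$(exe_link_of_pid "$1") || { echo "pid $1: no /proc entry"; return 1; }
    path=$(exe_path_from_link "$link")
    echo "pid $1 exe: $link"
    echo "sha256 of running image: $(hash_of_running_exe "$1")"
    if is_deleted_exe "$link"; then
        echo "WARNING: on-disk binary was replaced or removed after the process started"
    fi
    if [ -e "$path" ]; then
        echo "on-disk sha256: $(sha256sum "$path" | cut -d' ' -f1)"
    fi
    echo "package verification: $(verify_on_disk "$path")"
}
```

A mismatch between the two hashes, a "(deleted)" marker, or a "modified" verdict is the point at which the rkhunter warning stops being a false positive and the box should be treated as suspect.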