On 30 Sep 2022 at 13:41, John Dodson wrote:

Subject: Re: [Rkhunter-users] Question on fixing an issue just saw in rkhunter log
From: John Dodson <jwadod...@gmail.com>
To: mi...@guam.net, Rkhunter-users@lists.sourceforge.net
Date sent: Fri, 30 Sep 2022 13:41:18 +1000

> Hi Michael,
> Although it could be a "positive"...
>
> BOINC https://boinc.berkeley.edu
> The BOINC (Berkeley Open Infrastructure for Network Computing) software
> platform is used for volunteer computing or grid computing creation.
>
> I would have to assume that you (or the "supervisor"/root of the machine)
> chose to install & run boinc, to allow your idle cpu to be used for the above
> "voluntary" work.
>
> If you didn't & don't want it, it's relatively easy to give the command,
>
> dnf remove boinc*
>
> Of course that might remove some dependencies you are actually using so read
> & understand what dnf is about to do before you agree with the removal.
> It might also have been installed as part of a "group" of packages you are
> using.
>
> Cheers
>
> John (Sydney - where the sun rises slightly earlier than Guam allowing
> for seasonal variation ;-)
>

Yes, running BOINC on 5 Linux machines at home. Was doing the original SETI@home before. Usually look at the rkhunter reports, but don't recall seeing this warning before, so perhaps it was some change in either BOINC or the Einstein project. Perhaps will post on the Einstein page. Thanks again.

> On Fri, 2022-09-30 at 05:00 +1000, Michael D. Setzer II via Rkhunter-users
> wrote:
> > Rkhunter reports
> >
> > [04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
> > Possible rootkit: Possible Universal Rootkit (URK) component
> > Use the 'lsof -i' or 'netstat -an' command to check this.
> >
> > Using lsof -i get this.
> >
> > lsof -i | grep boinc
> > boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
> > boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> > boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> >
> > The address shows router that doesn't forward this port
> > to machines behind it so don't think it would go
> > anywhere. So not sure if this is an issue, or if it would be
> > something with rkhunter or with boinc einstein project.
> >
> > (Also, saw an issue in report with /usr/libexec/gawk
> > linking to /usr/libexec/awk which is a directory with two
> > files. The gawk is new from earlier this month, the files in
> > awk date to 7/2021?)
> > Fedora 35.
> >
> > # ls -l | grep awk
> > drwxr-xr-x. 2 root root 4096 Jun 6 16:36 awk
> > lrwxrwxrwx. 1 root root 3 Sep 18 01:19 gawk -> awk
> > # ls -l awk
> > total 32
> > -rwxr-xr-x. 1 root root 15944 Jul 22 2021 grcat
> > -rwxr-xr-x. 1 root root 15928 Jul 22 2021 pwcat
> >
> > +------------------------------------------------------------+
> > Michael D. Setzer II - Computer Science Instructor
> > (Retired)
> > mailto:mi...@guam.net
> > mailto:msetze...@gmail.com
> > Guam - Where America's Day Begins
> > G4L Disk Imaging Project maintainer
> > http://sourceforge.net/projects/g4l/
> > +------------------------------------------------------------+
> >
> > _______________________________________________
> > Rkhunter-users mailing list
> > Rkhunter-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
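As an added example (not from this thread, rkhunter or BOINC), here is the triage rkhunter's "use lsof -i to check this" advice asks for, in code: parse `lsof -i` lines, find which process holds the flagged port, and record whether that port is a LISTEN socket or merely the kernel-chosen source port of an outgoing client connection, which is what the quoted `boinc ... 47018->einstein10...:https (CLOSE_WAIT)` line shows. The sample lines are constructed to mirror the thread's output, the ephemeral port range is an assumed Linux default, and `lsof -i -n -P` is assumed on a real host so that ports come out numeric.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the `lsof -i | grep boinc` output quoted above;
# not captured from a live host. Run `lsof -i -n -P` to get numeric ports/addresses.
SAMPLE_LSOF = """\
boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
"""

# Assumed Linux default client (ephemeral) port range; read
# /proc/sys/net/ipv4/ip_local_port_range for the real value on a host.
EPHEMERAL = range(32768, 60999 + 1)

# lsof -i columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+?)(?:->(?P<remote>\S+))?"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def triage(lsof_text: str, flagged_port: int) -> List[Dict[str, str]]:
    """Return one finding per socket whose local port equals the port rkhunter flagged."""
    findings = []
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line.strip())
        if not m:
            continue  # header line or other non-socket output
        local_port = m["local"].rsplit(":", 1)[-1]
        if local_port != str(flagged_port):
            continue
        state = m["state"] or ""
        if state == "LISTEN":
            # A service accepting connections on a number rkhunter associates with a
            # rootkit: verify the binary (package ownership, hash) before trusting it.
            verdict = "listening on flagged port: verify the binary and its package"
        elif m["remote"] and int(local_port) in EPHEMERAL:
            # The flagged number is only the source port of an outgoing client
            # connection, as in the BOINC -> einstein10 lines in the thread.
            verdict = "outbound client connection on ephemeral source port: likely port-number coincidence"
        else:
            verdict = "flagged port in use: verify"
        findings.append({"cmd": m["cmd"], "pid": m["pid"], "user": m["user"],
                         "remote": m["remote"] or "", "state": state, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LSOF, 47018):
        print(f)
```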