Hi,
I have a few questions which are all kind of related to each other anyway. They are regarding rkhunter, chkrootkit, clamav and whether I have too many unnecessary security tools installed.
So, lately I was experimenting with installing software from flatpak and snap. However, I'm not sure how trustworthy these are regarding malware. Anyway, I have since done a few scans. But I have done a lot of searching on how to fix this myself so far.
As for rkhunter I've finally got a complete green output with no warnings. Prior to this I did what I think I was supposed to do, which is:
1. install unhide
2. sudo rkhunter --update
3. sudo rkhunter --propupd
4. sudo rkhunter --checkall
Note: after doing propupd, 177 files were searched but only 135 found. I'm guessing this is ok, right?
However, I still don't understand what "rkhunter Applications checks skipped" means, nor do I know how to enable rkhunter to scan applications. I also still don't know how to configure rkhunter to automatically scan the system, or if it's even needed for fedora workstation 32?
The chkrootkit results that I am having difficulty understanding are as follows:
“Searching for suspicious files and dirs, it may take a while…
/usr/lib/.libnettle.so.7.hmac /usr/lib/modules/5.6.19-300.fc32.x86_64/.vmlinuz.hmac /usr/lib/modules/5.6.6-300.fc32.x86_64/.vmlinuz.hmac /usr/lib/.libgnutls.so.30.28.0.hmac /usr/lib/.libssl.so.1.1.1g.hmac /usr/lib/.libgmp.so.10.hmac /usr/lib/.libnettle.so.7.0.hmac /usr/lib/.build-id /usr/lib/.libhogweed.so.5.hmac /usr/lib/.libcrypto.so.1.1.1g.hmac /usr/lib/.libgmp.so.10.3.2.hmac /usr/lib/.libgnutls.so.30.hmac /usr/lib/.libcrypto.so.1.1.hmac /usr/lib/.libgcrypt.so.20.hmac /usr/lib/.libssl.so.1.1.hmac /usr/lib/.libhogweed.so.5.0.hmac /usr/lib/debug/usr/.dwz /usr/lib/debug/.dwz
/usr/lib/.build-id /usr/lib/debug/.dwz”
Are these telling me these files are suspicious and need investigation? Do you also think the same?
More results from chkrootkit are as follows:
Searching for Linux/Ebury - Operation Windigo ssh... not tested
Checking `sniffer'... enp6s0: PF_PACKET(/usr/sbin/NetworkManager)
wlp5s0: PF_PACKET(/usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant)
virbr0: PF_PACKET(/usr/sbin/NetworkManager)
docker0: not promisc and no PF_PACKET sockets
tun0: not promisc and no PF_PACKET sockets
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! 132661 pts/0 bash
! root 587872 pts/0 sudo vi /var/log/rkhunter/rkhunter.log
! root 587874 pts/0 vi /var/log/rkhunter/rkhunter.log
! root 777395 pts/0 sudo chkrootkit
! root 777404 pts/0 /usr/bin/sh /usr/lib64/chkrootkit-0.53/chkrootkit
! root 778473 pts/0 ./chkutmp
! root 778474 pts/0 ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted
As for clamav, on my original scan I got mostly PUAs that I think were just false positives. Most of them pointed toward libreoffice for some reason. The things I am concerned about though are:
“PUA.Win.Packer.Ep-7
/var/lib/flatpak/runtime/org.gnome.Platform/x86_64/3.36/930f9c19f08e26038002e5680af7e88c72fe1f47ed77fef7ed468dec8b9b1b70/files/lib/python3.7/distutils/command/wininst-14.0.exe PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/runtime/org.gnome.Platform/x86_64/3.36/930f9c19f08e26038002e5680af7e88c72fe1f47ed77fef7ed468dec8b9b1b70/files/lib/python3.7/distutils/command/wininst-14.0-amd64.exe PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/runtime/org.gnome.Platform/x86_64/3.36/930f9c19f08e26038002e5680af7e88c72fe1f47ed77fef7ed468dec8b9b1b70/files/libexec/installed-tests/gdk-pixbuf/test-images/gif-test-suite/max-width.gif BC.Gif.Exploit.Agent-1425366.Agent
/usr/lib64/libreoffice/share/basic/Tools/ModuleControls.xba PUA.Doc.Tool.LibreOfficeMacro-2
/var/lib/flatpak/runtime/org.kde.Platform/x86_64/5.14/b2c33a73a8090ae9ab4a9802f9a26c6016b96f4e593ba577cb58483c85fa1345/files/lib/python3.7/distutils/command/wininst-14.0.exe PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/runtime/org.kde.Platform/x86_64/5.14/b2c33a73a8090ae9ab4a9802f9a26c6016b96f4e593ba577cb58483c85fa1345/files/lib/python3.7/distutils/command/wininst-14.0-amd64.exe PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/19.08/9011ed46d93a986d66bf912812b652819d0d971d537d78a116191181172358ce/files/lib/python3.7/distutils/command/wininst-14.0.exe PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/19.08/9011ed46d93a986d66bf912812b652819d0d971d537d78a116191181172358ce/files/lib/python3.7/distutils/command/wininst-14.0-amd64.exe PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/repo/objects/34/32b76db9f3df9ffb126a55624df56417c367c47d95e3f619585af51e448144.file BC.Gif.Exploit.Agent-1425366.Agent
/var/lib/flatpak/repo/objects/ea/c67d85fe0972a7405731aeba1844969e4c612a1193e9516647c08935aa705d.file PUA.Win.Downloader.Aiis-6803892-0
/var/lib/flatpak/repo/objects/96/bbf715573281f8d39ba5ad456703c015cb0246ab5b10d0f8746c9f969c7e62.file PUA.Win.Downloader.Aiis-6803892-0
/home/………/.cache/mozilla/firefox/ly0d3e8l.default-release/cache2/entries/B7AFBDB7B26A7E06B513AE11B271DFCC01A6C7DB PUA.Win.Exploit.CVE_2012_1461-1
/home/………cache/mozilla/firefox/ly0d3e8l.default-release/cache2/entries/7FCCEE9CA1BCBF44399497E5B92BE1B7C758F095 PUA.Win.Trojan.Generic-6888382-0
/home/………………/.cache/mozilla/firefox/ly0d3e8l.default-release/cache2/entries/D691AF378FCF876B38B9FE3A6FD3544961F54FAB PUA.Win.Exploit.CVE_2012_1461-1 “
For now I quarantined the ones that were not PUAs. Since then I've done another fresh scan with clamav and got no threats detected at the time of writing. However, are any of you able to confirm the above is fine?
Finally, is it really necessary to have all the following installed on my fedora 32 workstation system:
• Sysstat
• Tripwire
• chkrootkit
• rkhunter
• clamAV
• puppet
• firejail
• lynis
Any help with this is much appreciated. Thanks.
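Added example, not part of the original post: a small triage helper for the "Searching for suspicious files and dirs" block quoted above. chkrootkit flags those entries only because they are hidden dotfiles under /usr/lib; on an RPM-based system like Fedora the practical check is whether an installed package owns each path (rpm -qf), so unowned hidden files can be separated out for manual review. The sample output embedded below is a constructed, shortened copy of the post's own lines, and the `owner_lookup` parameter is an assumption added so the logic can be exercised without rpm present.

```python
"""Triage chkrootkit 'suspicious files and dirs' output via package ownership."""
import re
import shutil
import subprocess

# Constructed sample: a shortened copy of the chkrootkit block quoted in the post.
SAMPLE_OUTPUT = """\
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libnettle.so.7.hmac /usr/lib/modules/5.6.19-300.fc32.x86_64/.vmlinuz.hmac /usr/lib/.build-id /usr/lib/debug/.dwz
/usr/lib/.build-id /usr/lib/debug/.dwz
Checking `sniffer'... enp6s0: PF_PACKET(/usr/sbin/NetworkManager)
"""

# An absolute path token: starts with '/' and is not glued to preceding text.
PATH_RE = re.compile(r"(?<!\S)(/\S+)")


def parse_suspicious_paths(output):
    """Return the unique paths printed under the 'suspicious files' check, in order."""
    seen, in_block = [], False
    for line in output.splitlines():
        if line.startswith("Searching for suspicious files"):
            in_block = True
            continue
        if in_block and (line.startswith("Searching") or line.startswith("Checking")):
            break                      # next chkrootkit test begins; stop collecting
        if in_block:
            for path in PATH_RE.findall(line):
                if path not in seen:   # chkrootkit repeats dirs; report each once
                    seen.append(path)
    return seen


def rpm_owner(path):
    """Ask rpm which installed package owns path; None if unowned or rpm is absent."""
    if shutil.which("rpm") is None:
        return None
    result = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None


def triage(output, owner_lookup=rpm_owner):
    """Map each flagged path to 'packaged:<pkg>' or 'UNOWNED' (needs manual review)."""
    verdicts = {}
    for path in parse_suspicious_paths(output):
        owner = owner_lookup(path)    # assumed injectable hook; defaults to rpm -qf
        verdicts[path] = f"packaged:{owner}" if owner else "UNOWNED"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_OUTPUT).items():
        print(f"{verdict:40} {path}")
```

Run it against the full `chkrootkit` output saved to a file to get a list where only the UNOWNED entries still need a closer look.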