Are these false positives in the rkhunter log on Linux?


I'm running Manjaro Linux with xfce. I googled how to use this program and ran these commands to check for rootkits:

sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

But I'm not sure whether the warnings it gives are false positives. I'm particularly worried about the warnings on lines 321, 1729 and 1841. Log file on pastebin

Answer 1

218. [23:29:36]   /usr/bin/egrep                                  [ Warning ]
219. [23:29:36] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable

221. [23:29:36]   /usr/bin/fgrep                                  [ Warning ]
222. [23:29:36] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

243. [23:29:38]   /usr/bin/ldd                                    [ Warning ]
244. [23:29:38] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable

False positive; ldd has always been a shell script on glibc systems, and egrep/fgrep have always been shell scripts with GNU grep.

321. [23:29:49]   /usr/bin/vendor_perl/GET                        [ Warning ]
322. [23:29:49] Warning: The command '/usr/bin/vendor_perl/GET' has been replaced by a script: /usr/bin/vendor_perl/GET: Perl script text executable

False positive; everything in the vendor_perl directory is a Perl script. That is literally what this directory is for: it holds the CLI scripts that ship as part of Perl CPAN packages.

1727. [23:30:42] Info: Starting test name 'ipc_shared_mem'
1728. [23:30:42] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
1729. [23:30:42]   Checking for suspicious (large) shared memory segments [ Warning ]
1730. [23:30:42] Warning: The following suspicious (large) shared memory segments have been found:
1731. [23:30:42]          Process: /usr/bin/xfce4-terminal    PID: 85027    Owner: user    Size: 1.0MB (configured size allowed: 1.0MB)

Most likely a false positive; PulseAudio used to create some fairly large SysV SHM segments. Look at lsipc -s / ipcs for more hints.

1840. [23:30:51] Warning: Hidden file found: /etc/.updated: ASCII text

False positive; it's a "flag file" used by some systemd components to check whether certain caches need to be rebuilt after a system update. The file's contents contain an explanation.

1841. [23:30:51] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, max compression, from Unix, original size modulo 2^32 19
1842. [23:30:51] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, max compression, from Unix, original size modulo 2^32 22

False positive; these are just the man pages man .k5login (for the ~/.k5login file) and man .k5identity (for the ~/.k5identity file). You can read them with zless <path> or man <path>.
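As an added illustration (not part of the answer above), here is a small Python triage helper that parses warning lines of the shape shown in the log and checks each one against an allowlist mirroring rkhunter.conf's SCRIPTWHITELIST / ALLOWHIDDENFILE / ALLOWIPCPROC settings. The sample log is copied from the excerpt above plus one constructed line for a command that is not expected to be a script, so that it lands in the "review" bucket rather than being waved through.

```python
import re

# Constructed sample: warning lines copied from the log excerpt in the answer,
# plus one made-up line (/usr/bin/ps) that is NOT in the questioner's log.
LOG = """\
[23:29:36] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[23:29:38] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[23:29:49] Warning: The command '/usr/bin/vendor_perl/GET' has been replaced by a script: /usr/bin/vendor_perl/GET: Perl script text executable
[23:30:42] Warning: The following suspicious (large) shared memory segments have been found:
[23:30:42]          Process: /usr/bin/xfce4-terminal    PID: 85027    Owner: user    Size: 1.0MB (configured size allowed: 1.0MB)
[23:30:51] Warning: Hidden file found: /etc/.updated: ASCII text
[23:30:51] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, max compression, from Unix, original size modulo 2^32 19
[23:30:55] Warning: The command '/usr/bin/ps' has been replaced by a script: /usr/bin/ps: POSIX shell script, ASCII text executable
"""

# Allowlist in the spirit of rkhunter.conf; the entries are exactly the items
# the answer explains as benign, nothing else.
ALLOW = {
    "SCRIPTWHITELIST": {"/usr/bin/egrep", "/usr/bin/fgrep", "/usr/bin/ldd",
                        "/usr/bin/vendor_perl/GET"},
    "ALLOWHIDDENFILE": {"/etc/.updated", "/usr/share/man/man5/.k5login.5.gz",
                        "/usr/share/man/man5/.k5identity.5.gz"},
    "ALLOWIPCPROC": {"/usr/bin/xfce4-terminal"},
}

# Each pattern maps a warning shape to the rkhunter.conf setting that silences it.
PATTERNS = [
    ("SCRIPTWHITELIST", re.compile(r"The command '(?P<key>[^']+)' has been replaced by a script")),
    ("ALLOWHIDDENFILE", re.compile(r"Hidden file found: (?P<key>\S+?):")),
    ("ALLOWIPCPROC", re.compile(r"Process: (?P<key>\S+)\s+PID: \d+")),
]

def parse_warnings(text):
    """Return (setting, key) pairs for every line matching a known warning shape."""
    found = []
    for line in text.splitlines():
        for setting, pat in PATTERNS:
            m = pat.search(line)
            if m:
                found.append((setting, m.group("key")))
                break
    return found

def triage(text, allow):
    """Split warnings into allowlisted ones and ones that still need a manual look."""
    report = {"allowed": [], "review": []}
    for setting, key in parse_warnings(text):
        bucket = "allowed" if key in allow.get(setting, set()) else "review"
        report[bucket].append((setting, key))
    return report

if __name__ == "__main__":
    for bucket, items in triage(LOG, ALLOW).items():
        print(bucket, items)
```

The "review" bucket is the list worth verifying by hand, for example by checking that the flagged path is owned by an installed package and still matches its checksum.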
