Rkhunter 展示了 5 个 rootkit
System checks summary
File properties checks...
Files checked: 149
Suspect files: 0
Rootkit checks...
Rootkits checked : 480
Possible rootkits: 5
Applications checks...
All checks skipped
Info: Starting test name 'ipc_shared_mem'
[11:13:02] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1,0MB)
[11:13:02] Checking for suspicious (large) shared memory segments [ Warning ]
[11:13:02] Warning: The following suspicious (large) shared memory segments have been found:
[11:13:02] Process: /usr/bin/mousepad PID: 1533 Owner: abigael Size: 4,0MB (configured size allowed: 1,0MB)
[11:13:02] Process: /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 PID: 1159 Owner: abigael Size: 4,0MB (configured size allowed: 1,0MB)
[11:13:02] Process: /usr/lib/firefox/firefox PID: 29723 Owner: abigael Size: 2,4MB (configured size allowed: 1,0MB)
[11:13:02] Process: /usr/lib/firefox/firefox PID: 29723 Owner: abigael Size: 2,4MB (configured size allowed: 1,0MB)
[11:13:02] Process: /usr/bin/xfce4-terminal PID: 30209 Owner: abigael Size: 4,0MB (configured size allowed: 1,0MB)
是否为假阳性?
答案1
信息:要检查的最小共享内存段大小(以字节为单位):1048576(1,0MB)
和
允许配置大小:1,0MB
是任意的。谁决定允许 1Mb?在我看来,他们只是在猜测。
可以将大内存段列入白名单,/etc/rkhunter.conf这样您就可以根据需要隐藏此消息;对我来说,这也表明他们知道这是误报。为什么需要将其列入白名单?这等于承认他们无法证明存在 rootkit。
我认为 firefox 和 xfce4-terminal 都需要超过 1Mb。其他两个……不知道它们是否需要 4Mb。4Mb 不是很多,所以也许吧。
我会认为 rkhunter 告诉你的任何事情都是假阳性,除非你能用其他来源的证据来推翻它。始终使用两个检测器并匹配它们的结果。如果两者都声称存在相同的问题,我就会开始担心。