hello i install rkhunter for first time and when i run rkhunter -c in result it came with 6 possible rootkit i wonder if these rootkits have are dangerous and if are how to remove them. ps: my pc has dual boot linux and windows
if it is necessary to upload the full logfile tell me.
[18:08:13] Info: Starting test name 'trojans'
[18:08:13] Performing trojan specific checks
[18:08:13] Checking for enabled inetd services [ Skipped ]
[18:08:13] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[18:08:13] Checking for enabled xinetd services [ Skipped ]
[18:08:13] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[18:08:13] Checking for Apache backdoor [ Skipped ]
[18:08:13] Info: Check skipped - no Apache module or configuration directories found.
[18:08:13]
[18:08:13] Info: Starting test name 'os_specific'
[18:08:13] Performing Linux specific checks
[18:08:13] Checking loaded kernel modules [ OK ]
[18:08:13] Checking kernel module names [ OK ]
[18:12:48]
[18:12:51] Checking for promiscuous interfaces [ None found ]
[18:12:51]
[18:12:51] Info: Test 'packet_cap_apps' disabled at users request.
[18:12:51]
[18:12:51] Info: Starting test name 'local_host'
[18:12:51] Checking the local host...
[18:12:51]
[18:12:51] Info: Starting test name 'startup_files'
[18:12:51] Performing system boot checks
[18:12:51] Checking for local host name [ Found ]
[18:12:51]
[18:12:51] Info: Starting test name 'startup_malware'
[18:12:51] Checking for system startup files [ Found ]
[18:12:54] Checking system startup files for malware [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'group_accounts'
[18:12:54] Performing group and account checks
[18:12:54] Checking for passwd file [ Found ]
[18:12:54] Info: Found password file: /etc/passwd
[18:12:54] Checking for root equivalent (UID 0) accounts [ None found ]
[18:12:54] Info: Found shadow file: /etc/shadow
[18:12:54] Checking for passwordless accounts [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'passwd_changes'
[18:12:54] Checking for passwd file changes [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'group_changes'
[18:12:54] Checking for group file changes [ None found ]
[18:12:54] Checking root account shell history files [ OK ]
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs'
[18:12:54] Performing system configuration file checks
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs_ssh'
[18:12:54] Checking for an SSH configuration file [ Not found ]
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs_syslog'
[18:12:54] Checking for a running system logging daemon [ Found ]
[18:12:54] Info: A running 'rsyslog' daemon has been found.
[18:12:54] Info: A running 'systemd-journald' daemon has been found.
[18:12:54] Info: Found an rsyslog configuration file: /etc/rsyslog.conf
[18:12:54] Info: Found a systemd configuration file: /etc/systemd/journald.conf
[18:12:54] Checking for a system logging configuration file [ Found ]
[18:12:54] Checking if syslog remote logging is allowed [ Not allowed ]
[18:12:54]
[18:12:54] Info: Starting test name 'filesystem'
[18:12:54] Performing filesystem checks
[18:12:54] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:12:58] Checking /dev for suspicious file types [ Warning ]
[18:12:58] Warning: Suspicious file types found in /dev:
[18:12:58] /dev/shm/sem.CiscoAcNamedEventOpenDNS: data
[18:12:58] /dev/shm/sem.CiscoAcNamedEventNVM: data
[18:12:58] /dev/shm/sem.CiscoAcMemoryLock: data
[18:12:58] /dev/shm/tmp: data
[18:12:58] /dev/shm/PostgreSQL.1878213102: data
[18:12:58] Checking for hidden files and directories [ Warning ]
[18:12:58] Warning: Hidden directory found: /etc/.java
[18:12:58] Checking for missing log files [ Skipped ]
[18:12:58] Info: No missing log file names configured.
[18:12:58] Checking for empty log files [ Skipped ]
[18:12:58] Info: No empty log file names configured.
[18:13:20] Info: Test 'apps' disabled at users request.
[18:13:20] System checks summary
[18:13:20] =====================
[18:13:20] File properties checks...
[18:13:20] Files checked: 145
[18:13:20] Suspect files: 1
[18:13:20] Rootkit checks...
[18:13:20] Rootkits checked : 480
[18:13:20] Possible rootkits: 7
[18:13:20] Applications checks...
[18:13:20] All checks skipped 1 1 Answer
That probably aren't rootkits, just unrecognized files by rkhunter, false positives. To be on the safe side, you can remove what you don't use.
In the case of the cisco files:
/dev/shm/sem.CiscoAcNamedEventOpenDNS: data
/dev/shm/sem.CiscoAcNamedEventNVM: data
/dev/shm/sem.CiscoAcMemoryLock: data
seems to be the files used by a previous cisco anyconnect install.
Check if you have any instance running, e.g.:
ps -ef|grep vpnYou can probably see a process running like:
root 5968 1 0 ago14 ? 00:00:00 /opt/cisco/anyconnect/bin/vpnagentdIt can be uninstalled by running:
/opt/cisco/vpn/bin/vpn_uninstall.sh
/opt/cisco/anyconnect/bin/vpn_uninstall.sh
/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh