rkhunter and pacman on arch

Tuesday, May 31st, 2011

I read a notice, or a post, somewhere the other week, and it planted a seed in my head, so today I installed chkrootkit and rkhunter.

chkrootkit revealed nothing of interest, while rkhunter did find potential problems.

At first I found it rather unsettling. rkhunter pointed at specific files which it obviously didn’t think should be there.

On my desktop that was /usr/lib/libtty.a, which could be a part of a rootkit named “fuck `it”. By cleverly putting that grave accent in the name of the rootkit, the original authors have effectively made it impossible to search for (at least using Google).

Resisting the urge to panic and do something rash (like formatting the system), I instead booted up my netbook too, installed rkhunter and ran it there as well.

The two installs are almost identical, and if anything, the netbook, at times operating outside my own network, should run a higher risk of getting infected with stuff (or so my reasoning goes anyway).

The report on my netbook came back with other things: mostly sshd configuration stuff, but sshd is never running on the netbook (I edited the config options anyway, as they were reasonable and would protect the system if the ssh daemon was ever started on the netbook), an entry in /etc/rc.local (which I know I put there), and a hidden compressed man-page which rkhunter had reported on the desktop as well.

Back to libtty.a. The good news was that I could list it; it wasn’t hiding. Well, the file was one amongst a plethora of files in /usr/lib/, but having pinpointed it, it didn’t try to hide from me.

So my next thought was: “It must have come from somewhere.”

There are few things I have installed from source, so the most obvious place to look was towards packages installed from AUR.

Which means that I could ask pacman which package this file belonged to.

pacman -Qo /usr/lib/libtty.a revealed that the package it came from was termrec, a package I had installed because I at one time or another had an idea.

termrec is used to record and replay a terminal session, but I never got around to trying it out.

It is entirely possible that the behaviour of termrec is close enough to that of malware to be identified as such, but once I realized the connection I was a lot calmer.

Then again, I haven’t used termrec, and have no reason to keep it around, so I uninstalled it, and with it, /usr/lib/libtty.a disappeared as well, so I don’t believe there ever was a threat.

As for the hidden, compressed man-page, it turned out to belong to krb5, so I am pretty sure that is harmless as well.
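The triage above (pull the paths rkhunter complained about, then ask pacman who owns each) can be scripted so the same check runs on both machines. This is an added example, not code from the post or from rkhunter; the log lines are constructed in the general style of rkhunter's output, the hidden man-page path is a placeholder, and the lookup is injectable so it can be tried without pacman installed.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample in the general style of an rkhunter log; not the post's real output.
SAMPLE_LOG = """\
[12:01:03] Checking for Fuck`it Rootkit                               [ Warning ]
[12:01:03] Warning: Checking for possible rootkit files and directories [ Warning ]
[12:01:03]          File '/usr/lib/libtty.a' found
[12:02:10] Warning: Hidden file found: /usr/share/man/man8/.placeholder.8.gz
[12:02:11] Info: Checking /etc/rc.local                                [ OK ]
"""

PATH_RE = re.compile(r"(/[\w.+-]+(?:/[\w.+-]+)*)")          # absolute path tokens
OWNER_RE = re.compile(r" is owned by (\S+) (\S+)")            # pacman -Qo output shape


def extract_flagged_paths(log_text: str) -> List[str]:
    """Return the absolute paths named on rkhunter warning lines, in order, de-duplicated."""
    seen: List[str] = []
    for line in log_text.splitlines():
        if "Warning" not in line and "found" not in line:   # skip Info/OK lines
            continue
        for path in PATH_RE.findall(line):
            if path not in seen:
                seen.append(path)
    return seen


def pacman_owner(path: str) -> Optional[str]:
    """Ask pacman which installed package owns `path`; None when no package claims it."""
    result = subprocess.run(["pacman", "-Qo", path], capture_output=True, text=True)
    match = OWNER_RE.search(result.stdout)
    if result.returncode != 0 or not match:
        return None
    return f"{match.group(1)} {match.group(2)}"              # "package version"


def triage(log_text: str, lookup: Callable[[str], Optional[str]] = pacman_owner) -> Dict[str, str]:
    """Map each flagged path to a verdict. An owned file is explained, not cleared:
    `pacman -Qkk <pkg>` still has to confirm the installed file is unmodified."""
    verdicts: Dict[str, str] = {}
    for path in extract_flagged_paths(log_text):
        owner = lookup(path)
        verdicts[path] = f"owned by {owner}" if owner else "UNOWNED - investigate"
    return verdicts


if __name__ == "__main__":
    for flagged, verdict in triage(SAMPLE_LOG).items():
        print(f"{flagged}: {verdict}")
```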

All in all, it was a pretty nice experience, especially the fact that I was mindful enough to keep cool :)

:wq