This morning, I got the following warning from rkhunter:
-----
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Network TCP port 60922 is being used by /usr/lib64/firefox/firefox. Possible rootkit: zaRwT.KiT
Use the 'lsof -i' or 'netstat -an' command to check this.
----------------------- End Rootkit Hunter Scan -----------------------
-----
The output of lsof -i is here:
-----
bash.1[~]: lsof -i
COMMAND    PID  USER     FD  TYPE DEVICE SIZE/OFF NODE NAME
systemd    1    root     31u IPv4 2530   0t0      TCP  *:sunrpc (LISTEN)
systemd    1    root     32u IPv4 2536   0t0      UDP  *:sunrpc
systemd    1    root     33u IPv6 2543   0t0      TCP  *:sunrpc (LISTEN)
systemd    1    root     35u IPv6 2550   0t0      UDP  *:sunrpc
rpcbind    857  rpc      4u  IPv4 2530   0t0      TCP  *:sunrpc (LISTEN)
rpcbind    857  rpc      5u  IPv4 2536   0t0      UDP  *:sunrpc
rpcbind    857  rpc      6u  IPv6 2543   0t0      TCP  *:sunrpc (LISTEN)
rpcbind    857  rpc      7u  IPv6 2550   0t0      UDP  *:sunrpc
rpcbind    857  rpc      11u IPv6 22909  0t0      UDP  *:50041
avahi-dae  890  avahi    12u IPv4 24285  0t0      UDP  *:mdns
avahi-dae  890  avahi    13u IPv6 24286  0t0      UDP  *:mdns
avahi-dae  890  avahi    14u IPv4 24287  0t0      UDP  *:57958
avahi-dae  890  avahi    15u IPv6 24288  0t0      UDP  *:39302
chronyd    917  chrony   5u  IPv4 27077  0t0      UDP  localhost:323
chronyd    917  chrony   6u  IPv6 27078  0t0      UDP  localhost:323
dhclient   1091 root     6u  IPv4 31071  0t0      UDP  *:bootpc
cupsd      1110 root     7u  IPv4 32911  0t0      TCP  *:ipp (LISTEN)
cupsd      1110 root     8u  IPv6 32912  0t0      TCP  *:ipp (LISTEN)
dhclient   1168 root     5u  IPv6 29353  0t0      UDP  coyote:dhcpv6-client
dnsmasq    1285 dnsmasq  3u  IPv4 36958  0t0      UDP  *:bootps
dnsmasq    1285 dnsmasq  5u  IPv4 36961  0t0      UDP  coyote:domain
dnsmasq    1285 dnsmasq  6u  IPv4 36962  0t0      TCP  coyote:domain (LISTEN)
sendmail   2061 root     4u  IPv4 40777  0t0      TCP  localhost:smtp (LISTEN)
bash.2[~]:
-----
The output from "netstat -an" is too long to put here. I don't know what to look for in all that.
1. What specifically should I be looking for?
2. Is rkhunter's warning a false alarm or a real problem?
thanks, Bill.
On 09.01.20 18:50, home user wrote:
This morning, I got the following warning from rkhunter:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Network TCP port 60922 is being used by /usr/lib64/firefox/firefox. Possible rootkit: zaRwT.KiT
Use the 'lsof -i' or 'netstat -an' command to check this.
...
The output from "netstat -an" is too long to put here. I don't know what to look for in all that.
- What specifically should I be looking for?
- Is rkhunter's warning a false alarm or a real problem?
netstat -taupen | grep 60922
to 1.:
where the "rootkit"
- connects to,
- what it does,
- if it survives a reboot,
- what google says about zaRwT.KiT,
- ...
- what "rpm -Vv firefox" says
- if it happens after an "sudo dnf reinstall firefox"
- ...
On 09.01.20 19:18, sixpack13 wrote:
On 09.01.20 18:50, home user wrote:
This morning, I got the following warning from rkhunter:
..
update:
======
after a run of rkhunter --check on my box (with an open firefox) and a
grep zaRwT.KiT /var/log/rkhunter/rkhunter.log
=>
[19:30:42] Checking for zaRwT.KiT Rootkit...
[19:30:43] zaRwT.KiT Rootkit [ Not found ]
(responding to sixpack13's first post)
netstat -taupen | grep 60922
-bash.1[~]: netstat -taupen | grep 60922
-bash.2[~]:
where the "rootkit"
- connects to,
- what it does,
- if it survives a reboot,
- what google says about zaRwT.KiT,
I used 3 different search engines (including google), a few different searches, and waded through many pages of hits. No information about the rootkit itself. Many hits (including this thread!) of people asking about the rkhunter warning. Seems that maybe firefox just happened to be launched at the same time rkhunter was checking port 60922, suggesting a false alarm. No clue as to what zaRwT.KiT is, what it does, or what it connects to. No hint of it after rebooting.
- what "rpm -Vv firefox" says
Too long to put here, but I saw nothing that looked suspicious.
- if it happens after an "sudo dnf reinstall firefox"
No warnings from rkhunter.
thanks, Bill.
(adding to my original post) More information that I didn't think of before, but now comes to mind as relevant... Here is the sequence of things I did this morning:
1. I powered up at about 8am this morning.
2. An automated rkhunter scan ran at about 8:15am.
3. I launched firefox as a common user at about the same time.
4. At about 10am, I logged out as a common user (I had already quit firefox some 30 minutes earlier) and logged in as root.
5. I did a manual rkhunter scan; no warnings.
6. I did my weekly patches.
7. I re-booted.
8. I ran another manual rkhunter scan; no warnings not related to the patching.
9. I did a manual rkhunter --propupd to take care of the patch-related warnings.
10. I ran another manual rkhunter scan; no warnings.
11. I checked root e-mail (using mailx), and found from rkhunter the message containing the warning that I put in the original post.
This does seem to answer one of sixpack13's questions:
- if it survives a reboot,
The rkhunter warning of concern did not recur after the re-boot.
I did a bunch of internet searching regarding zaRwT.KiT; nothing that seems to me to be useful so far. I'll do more and reply to sixpack13 when done.
On 2020-01-10 01:50, home user wrote:
2. Is rkhunter's warning a false alarm or a real problem?
It is a known false positive. Port 60922 is an upper port and can be used randomly by processes. firefox just happened to be using it at the time of the check.
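A quick way to verify a port warning like this one, as an added example that is not from the thread: check whether the flagged port lies inside the kernel's ephemeral range (the "upper ports" Ed describes, which any process can be handed at random) and list which process, if any, holds it right now. Assumes Linux with /proc/sys/net/ipv4/ip_local_port_range and ss(8) available; the port number and range values used in the checks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify a port reported by rkhunter's
# port check as ephemeral (randomly assigned, e.g. to firefox) or fixed,
# and show the current owner so the warning can be judged on evidence.

# port_in_range PORT LOW HIGH -> exit 0 if LOW <= PORT <= HIGH
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ephemeral_range -> prints "LOW HIGH" as configured in the kernel
# (a common Linux default is "32768 60999", which contains 60922)
ephemeral_range() {
    cat /proc/sys/net/ipv4/ip_local_port_range
}

# classify_port PORT LOW HIGH -> "ephemeral" or "fixed"
classify_port() {
    if port_in_range "$1" "$2" "$3"; then
        echo ephemeral
    else
        echo fixed
    fi
}

# owner_of_port PORT -> ss rows (header stripped) for TCP sockets whose
# local port is PORT, including the owning process when run as root
owner_of_port() {
    ss -tanp "sport = :$1" 2>/dev/null | tail -n +2
}

# check_port PORT -> human-readable verdict plus the live socket owner(s);
# an empty owner list means nothing holds the port any more, which is
# exactly what a transient client connection looks like after the fact
check_port() {
    port=$1
    set -- $(ephemeral_range)
    echo "port $port: $(classify_port "$port" "$1" "$2") (kernel range $1-$2)"
    owner_of_port "$port"
}

if [ -n "${1:-}" ]; then
    check_port "$1"
fi
```

Run it as `sh check_port.sh 60922` (file name is an assumption); a port in the ephemeral range with no current owner, or owned by an ordinary user-facing program such as a browser, matches Ed's false-positive explanation, while a fixed port held by an unfamiliar binary is what would justify a closer look.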
(at 6:21pm 2020-01-09, Ed said)
It is a known false positive. Port 60922 is an upper port and can be used randomly by processes. firefox just happened to be using it at the time of the check.
I am still curious about what zaRwT.KiT is/does.
But based on Ed's answer, I'm tagging this "CLOSED".
Thank you Ed and sixpack13. Bill.