#1 Sun, 07/23/2017 - 15:04
eagleyed

Malware?

I've noticed the results listed below and don't know if it's malware or just a false positive from RkHunter. I did a fresh install of CentOS 6 32-bit twice and still got the same results. These results were noticed after the install of Virtualmin version 5.99. Some have said that when they reboot "httpd" again it goes away, but not for me. Rkhunter gives the error messages "suspicious shared memory segments" and "malware" for the file. Has anyone else noticed this?

1.) Output from the command rkhunter --check --report-warnings-only:

    Warning: The following suspicious shared memory segments have been found:
    Process: /usr/sbin/httpd    PID: 975    Owner: root

2.) Spinner file in the /tmp directory which originated from the Virtualmin installation. This has been resolved by deleting it; I ran Rkhunter again and nothing showed up.

    Webmin version      1.851
    Usermin version     1.720
    Virtualmin version  5.99
Sun, 07/23/2017 - 21:30
Joe

Hmm...I'm not sure, as I haven't seen that behavior before. What httpd version do you have?

I've added cleanup of the /tmp files after installation for the next release; I left files in place during development, because sometimes it was useful to be able to immediately run the libraries and stuff downloaded there after the install. But, now that it's pretty stable and behaving well almost everywhere I can get rid of it after completion. I might even move the install files directory to /root, and avoid any involvement of /tmp.

You can safely delete the entirety of the /tmp/.virtualmin-xxxx directory on existing installations. It's only used during installation.

--

Check out the forum guidelines!

Wed, 07/26/2017 - 02:22
gerhard

I see the shared memory warning too since the last updates. Not sure if this isn't a case where rkhunter changed/fixed something that causes this warning. See the release notes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220765

I need to look into it more closely. Whitelisting without checking the root cause sounds a bit dangerous. If you have checked it already, here is how: https://serverfault.com/questions/697865/rkhunter-suspicious-shared-memo...
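The check gerhard describes, tracing a flagged segment back to the process that created it before whitelisting anything, can be done by joining `ipcs -m` with `ipcs -m -p` and resolving the creator PID with `ps`. The script below is an added example for this thread, not code from rkhunter, Virtualmin or any poster; it parses constructed sample output in the util-linux column layout (the sample PID 975 and root-owned httpd segment mirror the warning in the first post, and the size threshold in flag_segments is this example's own choice, not rkhunter's rule).

```python
"""Correlate System V shared memory segments with their creating processes.

Added example, not code from rkhunter or Virtualmin. It parses text in the
shape of `ipcs -m`, `ipcs -m -p` and `ps -eo pid,user,comm`, joins the two
ipcs tables on shmid, and resolves the creator PID to a user and command.
On a live host you would feed it the real command output instead of the
constructed samples below.
"""

# Constructed sample, shaped like `ipcs -m` on CentOS 6 (util-linux).
IPCS_M = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      root       600        524288     2          dest
0x00000000 98304      apache     600        33554432   1
0x0052e2c1 131072     postgres   600        8388608    5
"""

# Constructed sample, shaped like `ipcs -m -p` (creator / last-op PIDs).
IPCS_MP = """\
------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
65536      root       975        982
98304      apache     982        982
131072     postgres   1203       1210
"""

# Constructed sample, shaped like `ps -eo pid,user,comm`.
PS = """\
  PID USER     COMMAND
  975 root     httpd
  982 apache   httpd
 1203 postgres postmaster
"""


def parse_ipcs_m(text):
    """Return {shmid: segment info} from `ipcs -m` text."""
    segs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex key; banner and header rows do not.
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        key, shmid, owner, perms, nbytes, nattch = parts[:6]
        segs[int(shmid)] = {
            "key": key, "owner": owner, "perms": perms,
            "bytes": int(nbytes), "nattch": int(nattch),
            "status": parts[6] if len(parts) > 6 else "",
        }
    return segs


def parse_ipcs_mp(text):
    """Return {shmid: (creator pid, last-op pid)} from `ipcs -m -p` text."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        shmid, _owner, cpid, lpid = parts
        pids[int(shmid)] = (int(cpid), int(lpid))
    return pids


def parse_ps(text):
    """Return {pid: (user, command)} from `ps -eo pid,user,comm` text."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (parts[1], parts[2])
    return procs


def correlate(ipcs_m_text, ipcs_mp_text, ps_text):
    """Join segments with their creator processes; returns a list of dicts."""
    segs = parse_ipcs_m(ipcs_m_text)
    pids = parse_ipcs_mp(ipcs_mp_text)
    procs = parse_ps(ps_text)
    rows = []
    for shmid, seg in sorted(segs.items()):
        cpid, _lpid = pids.get(shmid, (None, None))
        # A creator that no longer exists in ps is itself worth noting.
        user, cmd = procs.get(cpid, ("?", "<exited>"))
        rows.append({
            "shmid": shmid, "owner": seg["owner"], "bytes": seg["bytes"],
            "nattch": seg["nattch"], "status": seg["status"],
            "cpid": cpid, "creator": cmd, "creator_user": user,
        })
    return rows


def flag_segments(rows, min_bytes=16 * 1024 * 1024):
    """Rows worth a second look: root-owned, or at least min_bytes large.

    The 16 MiB threshold is an assumption of this example, not rkhunter's.
    """
    return [r for r in rows if r["owner"] == "root" or r["bytes"] >= min_bytes]


def report_line(row):
    """Format a row like the rkhunter warning quoted in the first post."""
    return "Process: %s    PID: %s    Owner: %s" % (
        row["creator"], row["cpid"], row["owner"])


if __name__ == "__main__":
    for row in flag_segments(correlate(IPCS_M, IPCS_MP, PS)):
        print(report_line(row))
```

Run it against real `ipcs -m`, `ipcs -m -p` and `ps -eo pid,user,comm` output to see which process actually created the segment rkhunter names. When the creator PID resolves to the expected httpd parent (which runs as root, so a root-owned segment is consistent with the warning quoted above), that is the evidence to record before adding any whitelist entry; a creator that has exited, or a command you do not recognise, is the case to investigate further rather than whitelist.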
