When I do an rkhunter --check it shows me that I have possible rootkits:

/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/bin/konsole: unexpected operator
Checking for suspicious (large) shared memory segments [ Warning ]
/var/log/rkhunter.log shows me this:

Warning: The following suspicious (large) shared memory segments have been found:
[21:17:06] Process: /usr/lib/firefox/firefox (deleted) PID: 9750 Owner: louie Size: 4,0MB (configured size allowed: 1,0MB)
[21:17:07] Process: /usr/lib/firefox/firefox (deleted) PID: 9750 Owner: louie Size: 4,0MB (configured size allowed: 1,0MB)
[21:17:07] Process: /usr/bin/konsole (deleted) PID: 11415 Owner: louie Size: 1,7MB (configured size allowed: 1,0MB)
The alternative chkrootkit only shows me an infection: "tcpd", which I have read in several places is a false positive.

Can rkhunter also show false positives?
Sure, on a first run, rkhunter shows a lot of false positives, and Firefox is one of the commonly known ones. It can be ignored in the /etc/rkhunter.conf file by uncommenting the already shown example. There are some other known false positives around, but I couldn't find any explanation of how to find out if a process is known to use large amounts of memory.
I hope I will get an answer here soon: https://security.stackexchange.com/questions/220302/find-out-if-a-process-is-allowed-to-use-shared-memory-segments
see also: https://serverfault.com/a/937301/128892
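The following script is an added example, not code from the question or the answer above. It shows one way to answer the open point in the answer: which processes on a Linux host currently own SysV shared memory segments above rkhunter's configured limit, and what the corresponding whitelist line in /etc/rkhunter.conf would be. It reads the kernel's /proc/sysvipc/shm table (columns key, shmid, perms, size, cpid, lpid, ...) rather than calling ipcs, resolves each creator PID through /proc/PID/exe, and strips the " (deleted)" suffix the kernel appends when the running binary has since been replaced, as happened to the firefox and konsole processes in the log above. The 1048576-byte limit matches the "1,0MB" in the log and rkhunter's IPC_SEG_SIZE option; ALLOWIPCPROC is the rkhunter.conf option for whitelisting a process. The shm table embedded below is constructed sample data, not captured from the asker's machine.

```shell
#!/bin/sh
# Added example (not from the question or answer): find SysV shared memory
# segments larger than rkhunter's limit, map them to their creator process,
# and print the rkhunter.conf line that would whitelist that process.
# Assumes Linux: /proc/sysvipc/shm and /proc/PID/exe.

# large_segments LIMIT_BYTES < shm_table
#   Reads a /proc/sysvipc/shm-style table on stdin (header line first) and
#   prints "cpid size" for every segment whose size exceeds LIMIT_BYTES.
#   Column 4 is the segment size in bytes, column 5 the creator PID.
large_segments() {
    awk -v limit="$1" 'NR > 1 && $4 + 0 > limit + 0 { print $5, $4 }'
}

# exe_of PID
#   Resolves a PID to its executable path. A binary upgraded or removed while
#   the process kept running is reported as "/path/to/bin (deleted)"; the
#   suffix is stripped so the path matches an ALLOWIPCPROC entry.
#   Prints "?" and returns 1 if the PID has no readable /proc entry.
exe_of() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "?"; return 1; }
    printf '%s\n' "${exe% (deleted)}"
}

# report LIMIT_BYTES < shm_table
#   For each oversized segment, prints the owning process and the config
#   line rkhunter would need. Only meaningful against the live system,
#   since exe_of looks the PID up in /proc.
report() {
    large_segments "$1" | while read -r cpid size; do
        exe=$(exe_of "$cpid") || true
        printf 'PID %s (%s) owns a %s-byte segment\n' "$cpid" "$exe" "$size"
        if [ "$exe" != "?" ]; then
            printf '  ALLOWIPCPROC=%s\n' "$exe"
        fi
    done
}

# Constructed sample table in /proc/sysvipc/shm layout (not real captured
# data): two segments over 1MB owned by PIDs 9750 and 11415, one small one.
SAMPLE_SHM='       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768   600               4194304  9750  9750      2  1000  1000  1000  1000 1560000000 1560000000 1560000000               4194304                    0
         0      65537   600               1769472 11415 11415      1  1000  1000  1000  1000 1560000000 1560000000 1560000000               1769472                    0
         0      98306   600                 65536  4242  4242      1  1000  1000  1000  1000 1560000000 1560000000 1560000000                 65536                    0'

# Limit in bytes: rkhunter's 1MB default (IPC_SEG_SIZE in rkhunter.conf),
# the same "1,0MB" the log above complains about.
LIMIT=1048576

# "--live [LIMIT]" inspects the running kernel's table; otherwise the
# constructed sample is filtered so the script runs anywhere.
if [ "${1:-}" = "--live" ] && [ -r /proc/sysvipc/shm ]; then
    report "${2:-$LIMIT}" < /proc/sysvipc/shm
else
    printf '%s\n' "$SAMPLE_SHM" | large_segments "$LIMIT"
fi
```

Run it with `--live` on the box that produced the warning to get the process list and the ALLOWIPCPROC lines to paste into /etc/rkhunter.conf; compare the reported paths against what you expect to be running (a browser, a terminal emulator) before whitelisting anything, since the whole point of the check is to catch a process you did not expect.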