
I ran Rootkit Hunter 1.4.0 on a Debian Wheezy server and I am confused by the output.

I enabled every test using the following piece of configuration:

ENABLE_TESTS="all"
DISABLE_TESTS="none"

The output is the following:

Warning: The following processes are using deleted files:
  Process: /usr/sbin/mysqld    PID: 2036    File: /tmp/ibi1WkYB
  Process: /usr/sbin/cron    PID: 7468    File: /tmp/tmpf73tnoh
  Process: /bin/dash    PID: 7469    File: /tmp/tmpf73tnoh
  Process: /bin/run-parts    PID: 7470    File: /tmp/tmpf73tnoh
  Process: /var/virtualenvs/project_foo/bin/python    PID: 28542    File: /tmp/wgunicorn-cIAtc2
  Process: /var/virtualenvs/project_foo/bin/python    PID: 28547    File: /tmp/wgunicorn-cIAtc2
  Process: /var/virtualenvs/project_foo/bin/python    PID: 28548    File: /tmp/wgunicorn-cIAtc2
  Process: /var/virtualenvs/project_foo/bin/python    PID: 28549    File: /tmp/wgunicorn-cIAtc2
Warning: Process '/sbin/dhclient' (PID 1328) is listening on the network.

Most of them must be false positives, but I would like to understand what is happening behind these false positives and fix those that aren't false positives. This report did not appear from nowhere; I have had these lines since the very first run of RKHunter.

About the deleted files

RKHunter runs on a daily basis through a cron, which explains why /usr/sbin/cron, /bin/run-parts (and maybe /bin/dash too?) show up here.

However, I don't understand why:

1) All these deleted files are used by processes. Does this report mean that each of these processes is trying to use a file that has been deleted, or that it has used at some point a file that existed at the time but got deleted afterwards? I reckon if the answer is the first option, it might be a problem. Can / Should it be fixed?

2) 4 processes of the same program are using the same deleted file. Even if the use of the deleted file is a false positive, is there something in this report that indicates that these 4 processes are an error (instead of having just one)? I understand that this might be completely app-specific and that there might be no answer from the report here, but I am just trying to understand why they are here. For information, they refer to a web application that is running only once throughout the server (which is mono-threaded and mono-core).

About the listening process

I indeed have DHCP running on this server (out-of-the-box, I haven't tweaked it nor know much details about DHCP).

3) Is it normal that RKHunter reports a warning about it? If it is a false positive, is there an obvious reason why no other processes listening to the network are reported here (like sshd, ...)?


Of course, I will try to provide as much information as possible if needed, feel free to ask in case I forgot to bring specific helpful data.

astorije

It is very common for a program to open a file then delete it on Unix systems. I would disable this check. – sciurus Apr 24 '14 at 00:21

2 Answers

Firstly, these are not "false-positives". rkhunter is reporting facts; it is not applying any interpretation to those facts.

Does this report means that each of these processes is trying to use a file that has been deleted, or that it has used at some point a file that existed at the time but got deleted afterwards?

The report is showing you processes that had a file open at the time it was deleted. You need to determine if that is legitimate/acceptable behaviour for those processes.

...is there something in this report that indicates that these 4 processes are an error (instead of having just one)?

What do you think the error is? There are 4 separate processes (as shown by the different PID numbers) so that is what rkhunter is reporting.

Is it normal that RKHunter reports a warning about it?

rkhunter comes with a generic configuration; there is no way for it to know that you expect dhcpd to be running on that particular machine -- you have to do some configuration. Section 6 of the rkhunter FAQ details how to whitelist a process/daemon/etc.

fukawi2

As far as I can tell, it is normal for programs on Unix-like systems to open a file and then delete it. You can disable that check (DISABLE_TESTS=deleted_files) in /etc/rkhunter.conf or /etc/rkhunter.conf.local.

Also as far as I can tell, it is normal for dhclient to be listening on the network. And /sbin/ is the usual location for that program. So I would whitelist dhclient too. (ALLOWPROCLISTEN=/sbin/dhclient)
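Both answers describe the same mechanism: a process opened a file that was later unlinked, and the check simply lists such processes. The script below is an added example (not from the question, either answer, or rkhunter itself) that redoes the deleted-file check by hand from /proc on Linux, so a reported process can be inspected before deciding between whitelisting it and disabling the test; it assumes a Linux /proc, and the scratch file it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or either answer): redo the
# "process is using a deleted file" check by hand from /proc so a reported
# process can be inspected before deciding whether to whitelist it.
# Assumes a Linux /proc; the scratch file below is constructed for the demo.

# Print "PID EXE FD PATH" for each open fd of PID whose file was unlinked.
# Linux marks such fds by appending " (deleted)" to the symlink target.
list_deleted_fds() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue             # unreadable dir or no such pid
        target=$(readlink "$fd") || continue
        case $target in
            *' (deleted)') echo "$pid $exe ${fd##*/} ${target%" (deleted)"}" ;;
        esac
    done
}

# What the rkhunter test effectively does: walk every process we may inspect.
scan_all_deleted_fds() {
    for dir in /proc/[0-9]*; do
        list_deleted_fds "${dir#/proc/}"
    done
}

# Reproduce the idiom behind the mysqld/gunicorn lines in the report: open a
# scratch file, unlink it while it is still open (the data stays reachable
# through the fd until it is closed), then look at this shell the way
# rkhunter looked at those daemons. Returns 0 if the check catches it.
demo_open_then_unlink() {
    scratch=$(mktemp)                        # e.g. /tmp/tmp.AbCd12 (constructed)
    exec 3>"$scratch"
    rm -f "$scratch"                         # directory entry gone, inode alive
    report=$(list_deleted_fds $$)
    exec 3>&-                                # closing the fd frees the inode
    printf '%s\n' "$report"
    case $report in
        *"${scratch##*/}"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo_open_then_unlink
scan_all_deleted_fds
```

Compare the PATH column against what the process is expected to do (InnoDB temp files under /tmp for mysqld, a worker temp file for gunicorn) before whitelisting; an unexpected executable or a deleted file under a path the program has no business touching is the case worth following up.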