Fedora Linux Support Community & Resources Center
Old 5th July 2017, 08:25 AM
SteveT Offline
Registered User
Join Date: Feb 2007
Location: UK
Posts: 108
rkhunter - ZaRwt.KiT

I have been running rkhunter for a while now and all's been fine.
This morning I have rkhunter reporting:

...Warning: Network TCP port 60922 is being used by /usr/lib/firefox/firefox. Possible rootkit: zaRwT.KiT
Use the 'lsof -i' or 'netstat -an' command to check this....

I have run the lsof and netstat -an, but to be honest I'm not sure what I am looking for!
The lsof (run as sudo) shows firefox entries of:
firefox 2865 xxxxxx 59u IPv4 430275 0t0 TCP E6540:44482->lhr35s03-in-f14.1e100.net:https (ESTABLISHED)
firefox 2865 xxxxxx 70u IPv4 126728 0t0 TCP E6540:60172->e1.ycpi.vip.amb.yahoo.com:https (ESTABLISHED)
firefox 2865 xxxxxx 72u IPv4 429788 0t0 TCP E6540:40924->a23-44-102-186.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
firefox 2865 xxxxxx 75u IPv4 401725 0t0 TCP E6540:51866->a23-44-102-186.deploy.static.akamaitechnologies.com:https (ESTABLISHED)
firefox 2865 xxxxxx 144u IPv4 96547 0t0 TCP E6540:41706->185-19-40-106.rdns.rtap.net:https (ESTABLISHED)

netstat -an does not appear to show anything specific for firefox or for port 60922.

Is this report from rkhunter a report of a serious threat?
Reply With Quote
Old 13th August 2017, 07:34 PM
tryfedoraa Online
Registered User
Join Date: May 2017
Location: www
Posts: 126
Re: rkhunter - ZaRwt.KiT

Have you had any repeat alerts, if it was a one-off I would imagine it was just firefox (or addon) connecting to port 60922, the same time rkhunter was running.
Reply With Quote
Old 14th August 2017, 02:38 PM
SteveT Offline
Registered User
Join Date: Feb 2007
Location: UK
Posts: 108
Re: rkhunter - ZaRwt.KiT

It persisted for a few days and then stopped and I haven't had it since - whether that's good or bad I don't know!
Reply With Quote

rkhunter , zarwt.kit , zarwtkit

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
rkhunter lauwers Using Fedora 2 6th January 2009 02:06 PM
Yum update rkhunter 'Could not find update match for rkhunter' open4biz Security and Privacy 7 11th October 2007 02:42 AM
rkHunter aids Using Fedora 14 24th February 2007 12:41 AM
rkhunter says Bad jim Servers & Networking 6 6th May 2005 04:39 PM

Current GMT-time: 02:12 (Tuesday, 17-10-2017)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat