Rkhunter in kvm to check for rootkits

I often use rkhunter just to make sure nothing unusual is going on with my system.

I am getting some unexpected results when using rkhunter in whonix kvm:

/usr/bin/systemctl [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/curl.anondist [ Warning ]
/usr/bin/lwp-request [ Warning ]
/usr/bin/bsd-mailx [ OK ]
/usr/bin/dash [ OK ]
/usr/bin/x86_64-linux-gnu-size [ OK ]
/usr/bin/ssh.anondist [ Warning ]
/usr/bin/x86_64-linux-gnu-strings [ OK ]
/usr/bin/wget.anondist [ Warning ]
/usr/bin/which.debianutils [ OK ]
/usr/lib/systemd/systemd [ OK ]

Also I got errors about suspicious shared memory segments:

Warning: The following suspicious (large) shared memory segments have been found:
[19:27:59] Process: /home/user/.tb/tor-browser/Browser/firefox.real PID: 211432 Owner: user Size: 5.3MB (configured size allowed: 1.0MB)
[19:27:59] Process: /home/user/.tb/tor-browser/Browser/firefox.real PID: 211432 Owner: user Size: 5.3MB (configured size allowed: 1.0MB)
[19:27:59] Process: /usr/bin/xfdesktop PID: 1607 Owner: user Size: 64MB (configured size allowed: 1.0MB)
[19:27:59] Process: /usr/bin/xfce4-terminal PID: 2685 Owner: user Size: 1.0MB (configured size allowed: 1.0MB)

This happens even after sudo rkhunter --propupd

I also do not know how to check what version of whonix I am running and am not sure if sudo apt update && sudo apt upgrade -y and sudo apt dist-upgrade will always get me to the latest version.

What you’re looking to attempt is probably a system audit. In that case, see this wiki page:

Also related:

Specifically the chapter Detecting Malware Infections

This one you can easily investigate by opening the file in a text editor.

Similar to above.

Similar to above.

Discussed many times on the internet.

See: Version Numbers

No. All information here:

Note:

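As an added illustration of the triage the answer above describes (this is example code written for this thread, not part of rkhunter or Whonix): the script below parses the two kinds of rkhunter output quoted in the question, deduplicates the repeated shared-memory line, classifies what a flagged file actually is from its first bytes (a shebang means rkhunter's "replaced by a script" case, which is what the .anondist wrappers are; an ELF binary deserves a closer look), and separates shared-memory segments owned by known desktop or browser processes from ones that still need review. The log text, the set of "known" processes and the threshold logic are constructed for the example; SCRIPTWHITELIST and ALLOWIPCPROC are real rkhunter.conf options, but the lines this script emits are only suggestions to apply after the file or process has been checked (for example against the package's dpkg checksums), not a verdict.

```python
"""Triage helper for rkhunter warnings (added example, not rkhunter's own code)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the output quoted in the question.
SAMPLE_LOG = """\
/usr/bin/systemctl [ OK ]
/usr/bin/curl.anondist [ Warning ]
/usr/bin/lwp-request [ Warning ]
/usr/bin/ssh.anondist [ Warning ]
/usr/bin/wget.anondist [ Warning ]
Warning: The following suspicious (large) shared memory segments have been found:
[19:27:59] Process: /home/user/.tb/tor-browser/Browser/firefox.real PID: 211432 Owner: user Size: 5.3MB (configured size allowed: 1.0MB)
[19:27:59] Process: /home/user/.tb/tor-browser/Browser/firefox.real PID: 211432 Owner: user Size: 5.3MB (configured size allowed: 1.0MB)
[19:27:59] Process: /usr/bin/xfdesktop PID: 1607 Owner: user Size: 64MB (configured size allowed: 1.0MB)
[19:27:59] Process: /usr/bin/xfce4-terminal PID: 2685 Owner: user Size: 1.0MB (configured size allowed: 1.0MB)
"""

FILE_RE = re.compile(r"^(?P<path>/\S+)\s+\[\s*(?P<status>OK|Warning)\s*\]$")
SHM_RE = re.compile(
    r"Process:\s+(?P<proc>\S+)\s+PID:\s+(?P<pid>\d+)\s+Owner:\s+(?P<owner>\S+)\s+"
    r"Size:\s+(?P<size>[\d.]+)(?P<unit>[KMG]?B)\s+"
    r"\(configured size allowed:\s+(?P<allowed>[\d.]+)(?P<aunit>[KMG]?B)\)"
)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass(frozen=True)
class ShmSegment:
    proc: str
    pid: int
    owner: str
    size: int      # bytes
    allowed: int   # bytes (rkhunter's configured IPC_SEG_SIZE)


def _to_bytes(num: str, unit: str) -> int:
    return int(float(num) * _UNIT[unit])


def parse_rkhunter(text: str):
    """Split rkhunter output into flagged file paths and shared-memory segments.
    A segment printed twice for the same PID and path is kept once."""
    flagged, segments, seen = [], [], set()
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            if m["status"] == "Warning":
                flagged.append(m["path"])
            continue
        m = SHM_RE.search(line)
        if m:
            seg = ShmSegment(m["proc"], int(m["pid"]), m["owner"],
                             _to_bytes(m["size"], m["unit"]),
                             _to_bytes(m["allowed"], m["aunit"]))
            if (seg.pid, seg.proc) not in seen:
                seen.add((seg.pid, seg.proc))
                segments.append(seg)
    return flagged, segments


def classify_content(head: bytes) -> str:
    """Classify a flagged file from its first bytes: a shebang is the
    'replaced by a script' case (the .anondist wrappers), an ELF header is
    a real binary that should be compared against its package checksum."""
    if head.startswith(b"#!"):
        return "script"
    if head.startswith(b"\x7fELF"):
        return "elf"
    return "other"


def triage_shm(segments, known_procs):
    """Pair each segment with a verdict: 'expected' for a known desktop or
    browser process, 'review' when it exceeds the limit and is unknown,
    'at-limit' when it merely touches the configured size."""
    out = []
    for s in segments:
        if s.proc in known_procs:
            out.append((s, "expected"))
        elif s.size > s.allowed:
            out.append((s, "review"))
        else:
            out.append((s, "at-limit"))
    return out


def suggest_config(script_paths, expected_procs):
    """rkhunter.conf lines for items already verified as benign."""
    lines = [f"SCRIPTWHITELIST={p}" for p in sorted(script_paths)]
    lines += [f"ALLOWIPCPROC={p}" for p in sorted(expected_procs)]
    return lines


if __name__ == "__main__":
    flagged, segs = parse_rkhunter(SAMPLE_LOG)
    known = {"/usr/bin/xfdesktop", "/home/user/.tb/tor-browser/Browser/firefox.real"}
    for seg, verdict in triage_shm(segs, known):
        print(f"{verdict:9} {seg.proc} pid={seg.pid} {seg.size // 1024}KB")
    # The file heads would come from open(path, 'rb').read(4) on a real system.
    print(suggest_config(flagged, known))
```

On a live system the `head` bytes come from reading the first four bytes of each flagged path, and a "script" result is only whitelisted after confirming the wrapper belongs to the package that ships it (dpkg's recorded checksums), which is the "open the file in a text editor" step from the answer made repeatable.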

[workstation user ~]% systemcheck --verbose --function show_versions
[INFO] [systemcheck] Whonix build version: 17.2.8.5

[INFO] [systemcheck] whonix-workstation-packages-dependencies-cli: 25.1-1
[INFO] [systemcheck] derivative_major_release_version /etc/whonix_version: 17

Thanks Patrick!

Wait why does it say 17.2.8.5 when the download version is 17.4.4.6? I did the sudo apt upgrade and dist-upgrade stuff.

Documented here:
