rkhunter Apache2 Warning caused by phpmyadmin-Docker-Container
Brought to you by:
dogsbody,
dogsbodymark
Hi, recently we have been getting the following reports from rkhunter:
Warning: The following processes are using suspicious files:
Command: apache2
UID: 33 PID: 11286
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 11396
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 0 PID: 26846
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 27010
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 27689
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 28005
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 28019
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 28110
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 28111
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 28715
Pathname:
Possible Rootkit: Spam tool component
Command: apache2
UID: 33 PID: 28716
Pathname:
Possible Rootkit: Spam tool component
After some tests and Google research we found out that this comes from the official phpMyAdmin Docker image. The container can't run without apache2 running on the Docker host in the foreground.
The question is how you can whitelist these false positives in rkhunter. The PID might change on every start, so whitelisting PIDs is not the best solution. Apache2 as a service can't be whitelisted because it isn't running as a service on the host.
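Before whitelisting anything it is worth confirming that the flagged PIDs really belong to the phpMyAdmin container and not to something else on the host. The script below is an added example, not code from the original post or from the rkhunter or phpMyAdmin projects: it pulls the PIDs out of the warning text (a constructed copy of two of the entries above), attributes each one to a Docker container by reading /proc/<pid>/cgroup on the host, and names the container and image with docker inspect. It assumes Docker's default cgroup naming (a docker/<id> path on cgroup v1, a docker-<id>.scope unit on cgroup v2 with the systemd driver); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post, rkhunter or phpMyAdmin):
# attribute the PIDs in an rkhunter "processes are using suspicious files"
# warning to Docker containers by reading /proc/<pid>/cgroup on the host.
# Assumes Docker's default cgroup naming:
#   cgroup v1:              .../docker/<64-hex-id>
#   cgroup v2 + systemd:    .../docker-<64-hex-id>.scope

# Constructed sample: two entries in the format rkhunter prints.
RKH_WARNING='Warning: The following processes are using suspicious files:
         Command: apache2
         UID: 33 PID: 11286
         Pathname:
         Possible Rootkit: Spam tool component
         Command: apache2
         UID: 0 PID: 26846
         Pathname:
         Possible Rootkit: Spam tool component'

# Print the PIDs named in a warning, one per line.
extract_pids() {
    printf '%s\n' "$1" | sed -n 's/.*PID: \([0-9][0-9]*\).*/\1/p'
}

# Given the contents of a /proc/<pid>/cgroup file, print the 64-hex-char
# Docker container ID it belongs to, or nothing for a non-container process.
container_id_from_cgroup() {
    printf '%s\n' "$1" | sed -n 's|.*docker[-/]\([0-9a-f]\{64\}\).*|\1|p' | head -n 1
}

# Map a live PID to a container and identify the image. "gone" means the PID
# no longer exists (they are short-lived for prefork apache2 workers), and a
# PID outside any Docker cgroup is reported as a host process.
attribute_pid() {
    pid="$1"
    if [ ! -r "/proc/$pid/cgroup" ]; then
        echo "PID $pid: gone"
        return 0
    fi
    id=$(container_id_from_cgroup "$(cat "/proc/$pid/cgroup")")
    if [ -z "$id" ]; then
        echo "PID $pid: host process (not in a Docker cgroup)"
        return 0
    fi
    # docker inspect prints the container name and image; if the daemon is
    # unreachable the cgroup ID alone is still reported.
    info=$(docker inspect --format '{{.Name}} {{.Config.Image}}' "$id" 2>/dev/null) \
        || info="(docker inspect unavailable)"
    echo "PID $pid: container $id $info"
}

main() {
    for pid in $(extract_pids "$RKH_WARNING"); do
        attribute_pid "$pid"
    done
}

main
```

Run it as root on the Docker host while the warning is fresh, feeding it the current rkhunter output instead of the constructed sample. A PID that maps to the phpmyadmin container's image is the container's foreground apache2 showing up in the host's process table through the shared PID namespace view in /proc; a PID that reports as a plain host process deserves a closer look before anything is whitelisted.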