bash: /var/log/rkhunter.log: Permission denied (as root - Linux Mint 18.3)

N E*_*ven · 3 · tags: bash, kernel, permissions, malware

I think my Linux laptop has been hacked, for three reasons:

  1. Whenever I save files to my Home folder, they don't show up - not even in other folders on my computer.

  2. An unfamiliar .txt file appeared in my Home folder. When I saw it, I did not open it. I immediately suspected that my laptop might have been hacked.

  3. When I checked my firewall status, it turned out to be inactive.

Thus, I have taken the following steps:

  1. I backed up all of my recent files using two USB sticks that aren't as important as the other USB sticks I own - so in case those USB sticks get infected with the potential malware, it wouldn't infect my other backed-up important files.

  2. I've used ClamTK to scan the aforementioned suspicious file - but apparently, for some reason, it hasn't detected any threats.

  3. I've used chkrootkit for another scan. This is the output (up until that point, nothing seemed to have been infected):

    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
    /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/debug/.build-id /lib/modules/4.13.0-39-generic/vdso/.build-id /lib/modules/4.13.0-37-generic/vdso/.build-id /lib/modules/4.10.0-38-generic/vdso/.build-id /lib/modules/4.13.0-36-generic/vdso/.build-id /lib/modules/4.13.0-32-generic/vdso/.build-id /lib/modules/4.13.0-38-generic/vdso/.build-id
    /usr/lib/debug/.build-id /lib/modules/4.13.0-39-generic/vdso/.build-id /lib/modules/4.13.0-37-generic/vdso/.build-id /lib/modules/4.10.0-38-generic/vdso/.build-id /lib/modules/4.13.0-36-generic/vdso/.build-id /lib/modules/4.13.0-32-generic/vdso/.build-id /lib/modules/4.13.0-38-generic/vdso/.build-id
    

    And also:

    Searching for Linux/Ebury - Operation Windigo ssh...        Possible Linux/Ebury - Operation Windigo installetd
    
  4. I was trying - twice - to scan my laptop with F-PROT, with fpscan, using Ultimate Boot CD. But when I tried getting into the PartedMagic section of the disc in order to use the tool, it just wouldn't work. Twice. So I was not able to use it whatsoever.

  5. When typing sudo freshclam, I got the following output:

    ERROR: /var/log/clamav/freshclam.log is locked by another process
    ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
    
  6. Then, I scanned the computer using rkhunter. These are the warnings I got:

      /usr/bin/lwp-request                                     [ Warning ]
    
      Performing filesystem checks
        Checking /dev for suspicious file types                  [ Warning ]
        Checking for hidden files and directories                [ Warning ]
    

    And this is the summary:

    System checks summary
    =====================
    
    File properties checks...
        Files checked: 143
        Suspect files: 1
    
    Rootkit checks...
        Rootkits checked : 365
        Possible rootkits: 0
    
    Applications checks...
        All checks skipped
    
    The system checks took: 1 minute and 10 seconds
    
    All results have been written to the log file: /var/log/rkhunter.log
    
    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)
    

So, after all that - I do not have access to the rkhunter log file as root:

n-even@neven-Lenovo-ideapad-310-14ISK ~ $ sudo su
neven-Lenovo-ideapad-310-14ISK n-even # /var/log/rkhunter.log
bash: /var/log/rkhunter.log: Permission denied

What should I be doing now?

Help much appreciated! Thanks a lot.

小智 · 19

Based on the details in your question, your system is clean.

  1. You're making backups. OK.

  2. clamav comes up clean. That's fine, too.

  3. Based on your output of chkrootkit, your system is clean. Those files listed as suspicious are benign. The Ebury/Windigo detection is a false positive: https://github.com/Magentron/chkrootkit/issues/1

  4. Some of the live discs you tried didn't work. That's OK.

  5. There might already be an updater running as a daemon.

  6. You're trying to execute the log file. View it in a pager instead, like `less /var/log/rkhunter.log`.

From a logical standpoint, chkrootkit and rkhunter aren't of much use if they are used to scan the same system they execute on, since they are not realtime scanners; thus any decently packaged rootkit would have sabotaged the scanners before they are run. Also, both have heuristics that result in plenty of false positives.

Saved files not showing up is rarely a sign of a compromised system. Without knowing the contents of the "suspicious" .txt file you mention, no conclusion can be drawn. DEADJOE is a backup file created by the JOE text editor. The firewall in Linux Mint is disabled by default.

Edit: added the information about the DEADJOE file.
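The answer above says the flagged files are benign and that on-host scanners are easy to fool. The check a practitioner actually runs before trusting or dismissing a "suspect file" warning is to compare the file against the checksum manifest its package shipped (on Debian-based systems such as Mint, `/var/lib/dpkg/info/<package>.md5sums`, one `<md5>  <path relative to />` line per file; `dpkg -V <package>` or `debsums` do the same thing). The script below is an added example, not part of the original answer: it builds a constructed package root and manifest in a temporary directory so it runs offline, tampers with one file, and reports which entries still match. The package name, file names and contents are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original answer). Verifies files against a
# dpkg-style md5sums manifest:  "<md5>  <path relative to />" per line.
# The package root, files and manifest below are constructed for the demo.

# verify_manifest MANIFEST ROOT
# Prints one line per manifest entry: OK, FAILED or MISSING.
# Returns 0 only if every entry matches. Paths containing spaces are not
# handled (dpkg manifests use the same convention, which is fine for this).
verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r want rel; do
        [ -n "$want" ] || continue
        path="$root/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING  $rel"
            bad=1
            continue
        fi
        have=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $rel"
        else
            echo "FAILED   $rel (manifest $want, on disk $have)"
            bad=1
        fi
    done <"$manifest"
    return $bad
}

# Build a constructed "installed package": two files plus the manifest that
# would have been recorded at install time, then tamper with one file and
# list a file that no longer exists (md5 shown is that of an empty file).
setup_example() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/dpkg-example.XXXXXX")
    mkdir -p "$d/usr/bin" "$d/usr/lib"
    printf '#!/usr/bin/perl -w\nprint "lwp-request\\n";\n' >"$d/usr/bin/lwp-request"
    printf 'libdata\n' >"$d/usr/lib/example.so"
    {
        printf '%s  usr/bin/lwp-request\n' "$(md5sum "$d/usr/bin/lwp-request" | cut -d' ' -f1)"
        printf '%s  usr/lib/example.so\n' "$(md5sum "$d/usr/lib/example.so" | cut -d' ' -f1)"
        printf 'd41d8cd98f00b204e9800998ecf8427e  usr/lib/removed.so\n'
    } >"$d/example.md5sums"
    # Simulate a replaced library: modified after the manifest was taken.
    printf 'echo injected\n' >>"$d/usr/lib/example.so"
    printf '%s\n' "$d"
}

main() {
    d=$(setup_example)
    if verify_manifest "$d/example.md5sums" "$d"; then
        echo "all files match their package manifest"
    else
        echo "at least one file differs from its package manifest"
    fi
    rm -rf "$d"
}

main
```

The same caveat the answer makes applies here: a rootkit that already owns the box can edit the manifest or replace `md5sum`, so a clean result from the running system is only reassuring, not conclusive; the reliable version of this check reads the disk from a boot medium you trust.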


小智 · 11

neven-Lenovo-ideapad-310-14ISK n-even # /var/log/rkhunter.log
bash: /var/log/rkhunter.log: Permission denied

You are trying to execute a log file. Of course that fails; the +x bit is probably not set on it.

You want to read the log file, not execute it. Try `sudo less /var/log/rkhunter.log`.

  • +1, and `sudo cat /var/log/rkhunter.log | less` would be better for reducing unnecessary privilege. Sometimes I paste long text into the wrong window, and that does strange things to terminal programs like `less`, which accept a wide range of commands, such as saving the current buffer to a file, overwriting its current contents in the process. Imagine if I pasted an SE answer about the dangers of `rm -rf` and `less` and it turned out to explain the substring `! rm -rf --no-preserve-root /`. (2)
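To make the "execute vs. read" point concrete, here is an added example (not from the question or either answer) that reproduces the error with a file the script creates itself and then does what the answers recommend: read the file and pull out the Warning lines, which is all the rkhunter summary is asking you to do. The sample log content is constructed to resemble rkhunter's log format; it is not output from the asker's machine, and the path and mode are chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original page). A log file has read/write
# bits but no execute bit, so typing its path at the prompt asks the shell
# to execve() it and fails with EACCES; the shell reports "Permission
# denied" and exit status 126. This holds for root too: execve requires at
# least one x bit even for uid 0. Reading the file is a different check.

# Create a throwaway "log" with log-like permissions (rw-------).
# The lines are constructed to look like rkhunter's log; not a real log.
make_fake_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/rkhunter-example.XXXXXX")
    cat >"$f" <<'EOF'
[10:00:01] Info: Starting system checks
[10:00:02] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script
[10:00:03] Info: Checking /dev for suspicious file types
[10:00:03] Warning: Suspicious file types found in /dev:
[10:00:04] Warning: Hidden directory found: /etc/.java
[10:00:05] Info: System checks summary
EOF
    chmod 0600 "$f"
    printf '%s\n' "$f"
}

# What the asker did: run the path as a command. Returns the shell's exit
# status for it; 126 means "found but not executable".
exec_status() {
    "$1" 2>/dev/null
    return $?
}

# What the answers suggest instead: read it. Only the Warning lines are
# printed, which is the usual way to triage an rkhunter log.
log_warnings() {
    grep -i 'warning' "$1"
}

warning_count() {
    log_warnings "$1" | wc -l | tr -d ' '
}

main() {
    f=$(make_fake_log)
    echo "mode: $(stat -c %A "$f" 2>/dev/null || stat -f %Sp "$f")"
    rc=0
    exec_status "$f" || rc=$?
    echo "executing the log file -> exit status $rc (126 = Permission denied)"
    echo "reading it instead, $(warning_count "$f") warnings:"
    log_warnings "$f"
    rm -f "$f"
}

main
```

On the real file the equivalent is `sudo grep -i warning /var/log/rkhunter.log`, which needs no pager at all and so avoids the `!`-command concern raised in the comment above.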