Hi there! 
After I upgraded to 1.25 on my Asus Tinker Board, rkhunter gives me these warnings:
Warning: The following processes are using suspicious files:
Command: vaultwarden
UID: 0 PID: 31582
Pathname:
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 1176 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 13169 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 15766 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 17364 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 27171 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31586 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31587 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31588 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31589 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31594 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31596 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31597 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 31598 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 32295 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Command: vaultwarden
UID: 32525 PID: 31582
Pathname: 1132001
Possible Rootkit: Spam tool component
Can somebody verify this? Is it a false positive?
Thanks in advance. 
I’m not sure why this is getting triggered. Do you have any more information than the above output? Maybe some verbose output?
If I understand the man page of rkhunter correctly, verbose logging is the default. The snippet in my first post was from the email notification, while this one is from /var/log/rkhunter.log, but I’m afraid it doesn’t really contain more information:
[06:27:11] Info: Starting test name 'running_procs'
[06:27:14] Checking running processes for suspicious files [ Warning ]
[06:27:14] Warning: The following processes are using suspicious files:
[06:27:14] Command: vaultwarden
[06:27:14] UID: 0 PID: 31582
[06:27:14] Pathname:
[06:27:14] Possible Rootkit: Spam tool component
[06:27:14] Command: vaultwarden
[06:27:14] UID: 1176 PID: 31582
[06:27:14] Pathname: 1132001
[06:27:14] Possible Rootkit: Spam tool component
[06:27:14] Command: vaultwarden
[06:27:14] UID: 13169 PID: 31582
[06:27:14] Pathname: 1132001
[06:27:14] Possible Rootkit: Spam tool component
[06:27:14] Command: vaultwarden
[06:27:14] UID: 15766 PID: 31582
[06:27:14] Pathname: 1132001
[06:27:14] Possible Rootkit: Spam tool component
[06:27:14] Command: vaultwarden
[06:27:14] UID: 17364 PID: 31582
[06:27:14] Pathname: 1132001
[06:27:14] Possible Rootkit: Spam tool component
[06:27:14] Command: vaultwarden
[06:27:14] UID: 27171 PID: 31582
[06:27:14] Pathname: 1132001
[06:27:14] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31586 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31587 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31588 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31589 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31594 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31596 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31597 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:15] Command: vaultwarden
[06:27:15] UID: 31598 PID: 31582
[06:27:15] Pathname: 1132001
[06:27:15] Possible Rootkit: Spam tool component
[06:27:16] Command: vaultwarden
[06:27:16] UID: 32295 PID: 31582
[06:27:16] Pathname: 1132001
[06:27:16] Possible Rootkit: Spam tool component
[06:27:16] Command: vaultwarden
[06:27:16] UID: 32525 PID: 31582
[06:27:16] Pathname: 1132001
[06:27:16] Possible Rootkit: Spam tool component
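An added triage example (not written by any poster in this thread and not rkhunter's own code): it groups the running_procs records by command and PID and counts how many name no absolute path, which is the case for every vaultwarden record in the log above. The sample log and the `exampled` record are constructed, and treating a non-absolute pathname as something that cannot be checked on disk is this example's assumption, not an rkhunter rule.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the /var/log/rkhunter.log excerpt above.
SAMPLE_LOG = """\
[06:27:14] Command: vaultwarden
[06:27:14] UID: 0 PID: 31582
[06:27:14] Pathname:
[06:27:14] Possible Rootkit: Spam tool component
[06:27:14] Command: vaultwarden
[06:27:14] UID: 1176 PID: 31582
[06:27:14] Pathname: 1132001
[06:27:14] Possible Rootkit: Spam tool component
[06:27:15] Command: exampled
[06:27:15] UID: 0 PID: 4242
[06:27:15] Pathname: /tmp/.x/mailer
[06:27:15] Possible Rootkit: Spam tool component
"""

STAMP = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s*")  # absent in the e-mail format
UID_PID = re.compile(r"UID:\s*(\S+)\s+PID:\s*(\d+)")

def parse_records(text):
    """Return one dict per Command/UID/Pathname/Possible Rootkit record."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = STAMP.sub("", raw).strip()
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Command":
            cur = {"command": value}
        elif key == "UID" and (m := UID_PID.match(line)):
            cur["uid"], cur["pid"] = m.group(1), int(m.group(2))
        elif key == "Pathname":
            cur["pathname"] = value
        elif key == "Possible Rootkit" and "command" in cur:
            records.append({**cur, "rootkit": value})
            cur = {}
    return records

def summarize(records):
    """Group by (command, PID); count records that name no absolute path."""
    groups = defaultdict(lambda: {"records": 0, "paths": set(), "unresolved": 0})
    for r in records:
        g = groups[(r["command"], r.get("pid"))]
        g["records"] += 1
        if r.get("pathname", "").startswith("/"):
            g["paths"].add(r["pathname"])  # a file that can be inspected on disk
        else:
            g["unresolved"] += 1           # empty or non-path value
    return dict(groups)
```

Calling `summarize(parse_records(open("/var/log/rkhunter.log").read()))` gives one entry per process, so a warning that repeats sixteen times for a single PID shows up as one line to investigate.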
Not sure why it reports it like that. When I ran rkhunter, it didn’t find Vaultwarden for me.
Strange. Just to try if it makes a difference, I’ve stopped the vaultwarden docker container, pruned the docker system and all volumes and recreated the container. Unfortunately I still get the same rkhunter warnings.
I guess for the time being I need to find out how to whitelist vaultwarden for rkhunter.
I have not found a way to whitelist running processes, but disabling the test “running_procs” in /etc/rkhunter.conf made the false positive warnings go away. I did this by simply adding “running_procs” to the DISABLED_TESTS option:
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps running_procs
Maybe it helps someone. 
What I found is that rkhunter uses checksums, and if that checksum changes it reports it to be an issue. So, updating Vaultwarden will of course change that checksum.
I have various other docker containers running on that system. And I have updated those and Vaultwarden multiple times before without getting any rkhunter false positives. It only happened once I updated Vaultwarden to 1.25.