
I have an older ASUS notebook with a Debian 11 installation. When I run the OS, and especially when I plug in the network cable, I get performance issues. I did an advanced memory test with Memtest86+, without any errors.

Then I created a Kali Linux live USB to perform some health checks. If I run

┌──(kali㉿kali)-[~]
└─$ sudo rkhunter -c

or:

sudo mkdir /mnt/temp
sudo mount /dev/sda1 /mnt/temp
┌──(kali㉿kali)-[/mnt/temp]
└─$ sudo rkhunter -c

I get this summary:

System checks summary
=====================

File properties checks...
    Files checked: 145
    Suspect files: 117

Rootkit checks...
    Rootkits checked : 497
    Possible rootkits: 6

Applications checks...
    All checks skipped

The system checks took: 11 minutes and 43 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Are those false positives? I got the same results after sudo rkhunter --propupd. Does the result belong only to Kali? How do I run a proper check of /dev/sda?

┌──(kali㉿kali)-[/mnt/temp]
└─$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0   3.3G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
                                 /run/live/rootfs/filesystem.squashfs
sda      8:0    0 149.1G  0 disk 
├─sda1   8:1    0   500M  0 part /mnt/temp
├─sda2   8:2    0  53.7G  0 part 
├─sda3   8:3    0   2.1G  0 part 
└─sda4   8:4    0  19.8M  0 part 
sdb      8:16   1  14.5G  0 disk 
├─sdb1   8:17   1   3.9G  0 part /usr/lib/live/mount/medium
│                                /run/live/medium
└─sdb2   8:18   1   896K  0 part 
sr0     11:0    1  1024M  0 rom  

/var/log/rkhunter.log:

...
[09:34:48] Performing file properties checks
[09:34:48]   Checking for prerequisites                      [ OK ]
[09:35:05]   /usr/sbin/adduser                               [ Warning ]
[09:35:06] Warning: File '/usr/sbin/adduser' has the immutable-bit set.
[09:35:06] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[09:35:06]   /usr/sbin/chroot                                [ Warning ]
[09:35:07] Warning: File '/usr/sbin/chroot' has the immutable-bit set.
[09:35:07]   /usr/sbin/cron                                  [ Warning ]
[09:35:07] Warning: File '/usr/sbin/cron' has the immutable-bit set.
[09:35:08]   /usr/sbin/depmod                                [ OK ]
[09:35:09]   /usr/sbin/fsck                                  [ Warning ]
[09:35:09] Warning: File '/usr/sbin/fsck' has the immutable-bit set.
[09:35:10]   /usr/sbin/groupadd                              [ Warning ]
[09:35:10] Warning: File '/usr/sbin/groupadd' has the immutable-bit set.
[09:35:10]   /usr/sbin/groupdel                              [ Warning ]
...
[09:43:45]   Checking for login backdoors                    [ None found ]
[09:43:45]
[09:43:45] Info: Starting test name 'sniffer_logs'
[09:43:46]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[09:43:46]     Checking for file '/dev/prom/sn.l'            [ Not found ]
[09:43:46]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
[09:43:46]   Checking for sniffer log files                  [ None found ]
[09:43:46]
[09:43:46] Info: Starting test name 'tripwire'
[09:43:46]   Checking for software intrusions                [ Skipped ]
[09:43:46] Info: Check skipped - tripwire not installed
[09:43:46]
[09:43:46] Info: Starting test name 'susp_dirs'
[09:43:46]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[09:43:46]     Checking for directory '/dev/rd/cdb'          [ Not found ]
[09:43:47]   Checking for suspicious directories             [ None found ]
[09:43:47]
[09:43:47] Info: Starting test name 'ipc_shared_mem'
[09:43:47] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[09:43:48]   Checking for suspicious (large) shared memory segments [ Warning ]
[09:43:48] Warning: The following suspicious (large) shared memory segments have been found:
[09:43:48]          Process: /usr/bin/xfce4-taskmanager    PID: 2826    Owner: kali    Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:48]          Process: /usr/bin/xfdesktop    PID: 1839    Owner: kali    Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:49]          Process: /usr/lib/firefox-esr/firefox-esr    PID: 2276    Owner: kali    Size: 4.2MB (configured size allowed: 1.0MB)
[09:43:49]          Process: /usr/lib/firefox-esr/firefox-esr    PID: 2276    Owner: kali    Size: 4.2MB (configured size allowed: 1.0MB)
[09:43:49]          Process: /usr/bin/thunar    PID: 1834    Owner: kali    Size: 16MB (configured size allowed: 1.0MB)
[09:43:49]          Process: /usr/bin/xfwm4    PID: 1777    Owner: kali    Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:49]
[09:43:49] Info: Starting test name 'trojans'
[09:43:49] Performing trojan specific checks
[09:43:49]   Checking for enabled inetd services             [ Skipped ]
[09:43:49] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[09:43:49]   Checking for enabled xinetd services            [ Skipped ]
[09:43:49] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[09:43:50]   Checking for Apache backdoor                    [ Not found ]
[09:43:50]
...
Hölderlin

1 Answer

In the running instance of Kali, there are processes with suspicious (large) shared memory segments. Whether or not they are false positives says nothing about your Debian 11 installation. Shared memory is always runtime: it belongs to the instance that you are running. If you want to do this test on the Debian, you must run the Debian.

In practice: you've scanned your Debian for rootkits as best as you can from the Kali. If you are convinced that your performance problem comes from some rootkit, you should install rkhunter on the Debian.

To be honest, in case of performance problems, I would first look at tools such as vmstat, iostat and top. If it is really network-generated, look at name resolution: /etc/resolv.conf etc. I've seen perfectly working systems become painfully slow just because the DNS configuration went wrong.

Ljm Dullaart
  • Does "Possible rootkits: 6" belong to the Kali instance? How do I run a proper check of /dev/sda? – Hölderlin Aug 30 '23 at 15:16
  • Shared memory is always runtime: it belongs to the instance that you are running. If you want to do this test on the Debian, you must run the Debian. – Ljm Dullaart Aug 30 '23 at 15:50
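As an added example, not part of the question or the answer above, the following bash script shows how an offline scan from the Kali live USB can be made to apply to the Debian installation rather than to Kali itself: mount the Debian root partition read-only, chroot into it with rkhunter's runtime-only tests disabled (those inspect the live kernel, processes, ports and shared memory, so inside the chroot they would still describe Kali), and then sort the warnings in the resulting log by whether they belong to the scanned disk or to the running instance. Assumptions, labelled as such in the code: rkhunter is installed inside the Debian image (it needs its own database there, copying the binary is not enough); the test names in RUNTIME_TESTS are from rkhunter --list tests and should be checked against the installed version; /dev/sda2 as the root partition is a guess from the lsblk output, since the mounted sda1 is 500M, the usual size of /boot, which is why a scan of /mnt/temp says nothing about the Debian root. One caveat worth stating: the immutable-bit warnings are an attribute check (lsattr), not a comparison against the file property baseline, so --propupd cannot make them go away; --propupd only re-records the current files as the new baseline, which is exactly what you do not want on a machine you suspect is compromised.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. (1) scan the Debian root on
# /dev/sda from the Kali live USB by chroot-ing into it with rkhunter's
# runtime-only tests disabled; (2) sort the warnings in an rkhunter log into
# "belongs to the scanned disk" versus "belongs to the running instance".
# Assumptions: rkhunter is installed inside the Debian image, and the test
# names below match `rkhunter --list tests` on that version.
set -euo pipefail

# Tests that inspect the live kernel, processes, sockets and shared memory.
# Inside the chroot they would still describe the Kali kernel, so skip them.
RUNTIME_TESTS="ipc_shared_mem,running_procs,hidden_procs,ports,promisc,loaded_modules,packet_cap_apps"

# A Debian root file system has these. /mnt/temp in the post holds sda1
# (500M), which is almost certainly /boot, so this check would fail there.
looks_like_rootfs() {
  local root=$1
  [ -d "$root/etc" ] && [ -d "$root/usr/sbin" ] && [ -f "$root/etc/os-release" ]
}

# Command run inside the chroot. --sk: no keypress prompts; --rwo: report
# warnings only; log and temp files go to /tmp, which is bind-mounted from a
# writable scratch directory so the disk itself can stay read-only.
rkhunter_cmd() {
  printf 'rkhunter -c --sk --rwo --disable %s --tmpdir /tmp --logfile /tmp/rkhunter-offline.log' \
    "$RUNTIME_TESTS"
}

# Mount partition $1 read-only at $2, bind /dev, /proc, /sys and a scratch
# /tmp, run rkhunter in the chroot, unmount everything, print the log path.
# Needs root on the live system.
scan_offline_root() {
  local part=$1 root=$2 scratch
  scratch=$(mktemp -d)
  mkdir -p "$root"
  mount -o ro "$part" "$root"
  if ! looks_like_rootfs "$root"; then
    echo "$part does not look like a root file system (is it /boot?)" >&2
    umount "$root"; return 1
  fi
  for d in dev proc sys; do mount --bind "/$d" "$root/$d"; done
  mount --bind "$scratch" "$root/tmp"
  # rkhunter exits non-zero when it found warnings; that is not a failure here.
  chroot "$root" /bin/sh -c "$(rkhunter_cmd)" || true
  for d in tmp sys proc dev; do umount "$root/$d"; done
  umount "$root"
  echo "$scratch/rkhunter-offline.log"
}

# Sort "Warning:" lines of an rkhunter log. Immutable-bit (and other file
# property) warnings describe the scanned file system; shared-memory, process,
# port and module warnings describe only the instance that is running.
triage_warnings() {
  awk '
    /Warning: File .* has the immutable-bit set/            { immutable++; next }
    /Warning: .*(shared memory|process|port|kernel module)/ { runtime++;   next }
    /Warning:/                                              { other++ }
    END { printf "immutable=%d runtime=%d other=%d\n", immutable, runtime, other }
  ' "$1"
}

# Constructed sample: the warning lines quoted in the question.
sample_log() {
  cat <<'EOF'
[09:35:06] Warning: File '/usr/sbin/adduser' has the immutable-bit set.
[09:35:07] Warning: File '/usr/sbin/chroot' has the immutable-bit set.
[09:35:07] Warning: File '/usr/sbin/cron' has the immutable-bit set.
[09:35:09] Warning: File '/usr/sbin/fsck' has the immutable-bit set.
[09:35:10] Warning: File '/usr/sbin/groupadd' has the immutable-bit set.
[09:43:48] Warning: The following suspicious (large) shared memory segments have been found:
[09:43:49]          Process: /usr/bin/thunar    PID: 1834    Owner: kali    Size: 16MB (configured size allowed: 1.0MB)
EOF
}

# Real use, as root on the live USB (sda2 as root is a guess from lsblk):
#   log=$(scan_offline_root /dev/sda2 /mnt/debian) && triage_warnings "$log"
# Demo on the constructed sample:
#   bash offline-rkhunter.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); sample_log > "$tmp"; triage_warnings "$tmp"; rm -f "$tmp"
fi
```

On the sample above the triage reports five immutable-bit warnings (file system, so they would follow the Debian disk into the chroot scan) and one runtime warning (the shared memory segments, which exist only in the running Kali session). The chroot scan still has limits the answer points out: anything that lives in the kernel or in process memory is invisible to it, so a clean offline run does not rule out a rootkit that only shows while the Debian itself is booted.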