Whilst I had htop running I saw what looked like a suspicious user called something like "rootkt" or something similar to that. Anyway, I have not seen it again, but I then installed rkhunter and performed a scan of my system, which provided the following result:
[22:04:40] System checks summary
[22:04:40] =====================
[22:04:41]
[22:04:41] File properties checks...
[22:04:41] Required commands check failed
[22:04:41] Files checked: 125
[22:04:41] Suspect files: 4
[22:04:41]
[22:04:41] Rootkit checks...
[22:04:41] Rootkits checked : 502
[22:04:41] Possible rootkits: 8
[22:04:41] Rootkit names : Sniffer component, Spam tool component
[22:04:41]
[22:04:41] Applications checks...
[22:04:41] All checks skipped
[22:04:41]
[22:04:41] The system checks took: 5 minutes and 3 seconds
[22:04:41]
[22:04:41] Info: End date is Thu 17 Oct 22:04:41 BST 2019
I'm a bit worried about the possible rootkits it claims are on my system. During the scan it checked for all known rootkits in its database and none were found.
If there are rootkits on my system, then it is more than likely they came from packages I installed from the AUR, but is it likely that they could have come from the Artix or Arch databases?
rkhunter gives a log of what files it thinks are suspicious, right? You should be able to look at those files and see if you know where they came from.
Yes.
After looking into the suspicious files rkhunter highlighted, I've already come to the conclusion that rkhunter is throwing up false positives.
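One way to do the check discussed above (look at the flagged files and see where they came from) on an Arch or Artix system. This is an added example, not something posted in the thread. The log lines are a constructed sample, the log layout and the default log path `/var/log/rkhunter.log` are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pull the files rkhunter flagged out of its log and ask
# pacman which package owns each one.

# Constructed sample in the layout rkhunter writes to its log (assumed);
# these are not the poster's actual log lines.
sample_log() {
    cat <<'EOF'
[22:00:01]   /usr/bin/egrep                              [ Warning ]
[22:00:01] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[22:00:02]   /usr/bin/ldd                                [ Warning ]
[22:00:03]   /usr/bin/ls                                 [ OK ]
[22:00:04]   Checking for sniffer log files              [ None found ]
EOF
}

# Print every absolute path found on a "[ Warning ]" result line or quoted
# on a "Warning:" detail line, one per line, de-duplicated.
flagged_paths() {
    sed -n \
        -e 's|^\[[0-9:]*] *\(/[^ ]*\) *\[ Warning ] *$|\1|p' \
        -e "s|^\[[0-9:]*] *Warning:[^']*'\(/[^']*\)'.*|\1|p" |
        sort -u
}

# For each path on stdin, print "path<TAB>owning package", or UNOWNED when
# pacman does not know the file (or pacman is not installed).
report_owners() {
    while IFS= read -r path; do
        if owner=$(pacman -Qoq "$path" 2>/dev/null); then
            printf '%s\t%s\n' "$path" "$owner"
        else
            printf '%s\tUNOWNED\n' "$path"
        fi
    done
}

# Pass the real log as $1 (usually /var/log/rkhunter.log, readable by root);
# with no argument the constructed sample is used.
if [ -n "${1:-}" ]; then
    flagged_paths < "$1"
else
    sample_log | flagged_paths
fi | report_owners
```

A flagged file that belongs to a repository package can then be compared against the package's recorded metadata with `pacman -Qkk <package>`; a file reported as UNOWNED is the one worth a closer look.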