
Thread: Rootkit Scan- Says INFECTED!

  1. #1

    Rootkit Scan - Says INFECTED!

    Hi,
    I followed the tutorial from 9 Best practices to secure your Linux Desktop & Server | Including installation & Configuration | Unixmen and got this result:
    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `crontab'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not infected
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not found
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... can't exec ./strings-static, not tested
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not infected
    Checking `netstat'... not infected
    Checking `named'... not found
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not tested
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/5.14.2/i586-linux-thread-multi/.packlist

    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for Suckit rootkit... Warning: /sbin/init INFECTED
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for Fu rootkit default files... nothing found
    Searching for ESRK rootkit default files... nothing found
    Searching for rootedoor... nothing found
    Searching for ENYELKM rootkit default files... nothing found
    Searching for common ssh-scanners default files... nothing found
    Searching for suspect PHP files... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... find: `/proc/5715/net': Invalid argument
    not tested: can't exec
    Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `w55808'... not infected
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog
    Checking `chkutmp'... not tested: can't exec ./chkutmp
    Checking `OSX_RSPLUG'... not infected
    It shows that one of the files is infected. What should I do? Is this reliable?

  2. #2

    Please use CODE tags when posting computer text (next time): http://forums.opensuse.org/english/i...ags-guide.html
    Henk van Velden

  3. #3

    On 2012-03-29 17:46, smithark wrote:

    >> Searching for Suckit rootkit... Warning: /sbin/init* INFECTED*


    You only needed to post this line.

    > it shows one of the file is infected. what should i do? is this
    > reliable?


    Compare to the original file in the rpm and find out.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)
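    One way to carry out Carlos's suggestion on an RPM-based system such as openSUSE, as an added example that is not part of the thread: ask rpm which package owns the real init binary and verify that package's files against the installed package database. The helper names and the SAMPLE_OUTPUT below are constructed for this example.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Real usage on the affected box:
    #   rpm -Vf /sbin/init     # verify every file of the package that owns init
    #
    # rpm -V prints one line per file that differs from the package: a flag
    # string, an optional attribute letter (c = config file), then the path.
    # Flag positions: S size, M mode, 5 digest, D device, L symlink, U user,
    # G group, T mtime. A '5' in the third column means the file CONTENTS
    # differ from what the package installed, which is the question here.

    # Print the paths whose contents no longer match the package.
    # $1: text in rpm -V output format.
    rpm_verify_modified_contents() {
        printf '%s\n' "$1" | awk '
            $1 == "missing" { next }          # deleted files are a separate issue
            substr($1, 3, 1) == "5" { print $NF }
        '
    }

    # Live check (needs rpm): /sbin/init is a symlink to systemd on modern
    # openSUSE, so resolve it first and verify the package owning the real file.
    verify_init_binary() {
        real=$(readlink -f /sbin/init)
        pkg=$(rpm -qf "$real") || return 1
        rpm_verify_modified_contents "$(rpm -V "$pkg")"
    }

    # Constructed sample of rpm -V output: init and a config file changed,
    # systemd only has a new mtime, one doc file is missing.
    SAMPLE_OUTPUT='S.5....T.    /sbin/init
    .......T.    /usr/lib/systemd/systemd
    S.5....T.  c /etc/systemd/system.conf
    missing     /usr/share/doc/packages/systemd/README'

    rpm_verify_modified_contents "$SAMPLE_OUTPUT"
    ```

    A clean result only says the binary matches the local rpm database; if init really were replaced, rpm and its database could have been tampered with too, so a definitive answer comes from comparing against a freshly downloaded package (`rpm -Vp <package>.rpm`) or from rescue media.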

  4. #4

    You do not specify, but I suppose you used the current openSUSE version of chkrootkit. This version is known to give false positives for the Suckit rootkit in combination with systemd. A bug has been raised in bugzilla.
    You should always in such cases run the rkhunter scan to have a comparable result. Of course there are a few more options that you can follow now:
    • you can despair, burn all the warez you stock on your PC and then burn your house (not recommended)
    • you can try out if the rootkit does what it promised (that could occasionally be an option, well...)
    • you can send Henk and Carlos a bottle of vodka, so they relax slightly more.

    Seriously, the problem has been discussed before in the forum.
    You have a very good security guide that you can follow, set up apparmor profiles for exposed applications, and you can check your ssh settings. But from what I see there, what you really should do:
    • declare well what version of openSUSE you are using
    • what scan you did use and what version
    • use an alternative scan with rkhunter (and build up its signature database to recognize alterations that have taken place)
    • read the bugzilla of openSUSE
    • never log in as root (yes, I know that is childish to say, but always good to quote)
    • never install software from unknown sources
    • deactivate the Java plugin in Firefox (it has nearly no use and is a source of potential problems)
    • use the NoScript browser plugin
    • well, we already said that about apparmor
    • finally have a beer, lager, slightly iced.

    Cheers.
    Just "clicking away" security warnings about a change in repo signature? Not able to control?
    Then please vote for
    https://features.opensuse.org/312047
    openSUSE should have an efficient web of trust.

  5. #5

    Yes. It's a known bug in chkrootkit: https://bugzilla.redhat.com/show_bug.cgi?id=636231.

  6. #6

    Quote Originally Posted by stakanov:
    • you can send Henk and Carlos a bottle of vodka, so they relax slightly more.
    Would be the first time I earn something substantial by posting here. I support this suggestion wholeheartedly.
    Henk van Velden

  7. #7

    Quote Originally Posted by hcvv:
    Would be the first time I earn something substantial by posting here. I support this suggestion wholeheartedly.
    I'll send you one if you PM me your postal address, promised :-)

  8. #8

    Thanks a lot for your replies.
    @stakanov,
    I use version 0.49 of chkrootkit, and thanks for the advice, especially the one about beer, lager, slightly iced.

    I panicked when I saw the word 'INFECTED'. Sorry for the trouble. Thanks a lot for the info.
