
Thread: again some false positive in chkrootkit?

  1. #1
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,479

    again some false positive in chkrootkit?

    I am getting spoiled results in rkhunter and chkrootkit.
    That can be a false positive. If so it would be good to know because it is getting annoying and I will then file a bug report. This goes that: all rootkits appear as negative but the "suckit" rootkit (which is then a known bug that - astonishingly enough - is not fixed).
    So I have now "1" deletion signed in "checking for "wted". That goes:
    Code:
    Checking `wted'... 1 deletion(s) between Fri Apr 20 23:23:40 2012 and Fri Apr 20 23:24:09 2012
    1 deletion(s) between Fri Apr 20 23:24:19 2012 and Fri Apr 20 23:24:58 2012
    1 deletion(s) between Sat Apr 21 10:47:18 2012 and Sat Apr 21 10:47:32 2012
    1 deletion(s) between Sat Apr 21 13:40:59 2012 and Sat Apr 21 13:41:14 2012
    1 deletion(s) between Sun Apr 22 00:13:49 2012 and Sun Apr 22 00:14:04 2012
    1 deletion(s) between Sun Apr 22 08:53:50 2012 and Sun Apr 22 08:54:04 2012
    1 deletion(s) between Sun Apr 22 20:45:12 2012 and Sun Apr 22 20:45:27 2012
    1 deletion(s) between Mon Apr 23 00:05:49 2012 and Mon Apr 23 00:06:03 2012
    1 deletion(s) between Mon Apr 23 14:59:35 2012 and Mon Apr 23 14:59:50 2012
    1 deletion(s) between Mon Apr 23 17:33:51 2012 and Mon Apr 23 17:34:07 2012
    1 deletion(s) between Tue Apr 24 19:45:35 2012 and Tue Apr 24 19:45:51 2012
    1 deletion(s) between Wed Apr 25 00:32:27 2012 and Wed Apr 25 00:32:59 2012
    1 deletion(s) between Wed Apr 25 09:58:43 2012 and Wed Apr 25 09:58:59 2012
    1 deletion(s) between Wed Apr 25 20:57:12 2012 and Wed Apr 25 20:57:26 2012
    1 deletion(s) between Thu Apr 26 23:07:31 2012 and Thu Apr 26 23:08:12 2012
    1 deletion(s) between Fri Apr 27 11:37:31 2012 and Fri Apr 27 11:37:47 2012
    1 deletion(s) between Fri Apr 27 12:03:06 2012 and Fri Apr 27 12:03:18 2012
    1 deletion(s) between Fri Apr 27 16:13:24 2012 and Fri Apr 27 16:13:43 2012
    1 deletion(s) between Fri Apr 27 16:23:58 2012 and Fri Apr 27 16:24:12 2012
    1 deletion(s) between Fri Apr 27 19:21:48 2012 and Fri Apr 27 19:22:02 2012
    1 deletion(s) between Sat Apr 28 00:12:24 2012 and Sat Apr 28 00:12:38 2012
    1 deletion(s) between Sat Apr 28 12:19:11 2012 and Sat Apr 28 12:19:27 2012
    1 deletion(s) between Sat Apr 28 12:48:31 2012 and Sat Apr 28 12:48:43 2012
    1 deletion(s) between Sat Apr 28 13:55:18 2012 and Sat Apr 28 13:55:32 2012
    1 deletion(s) between Sat Apr 28 16:28:00 2012 and Sat Apr 28 16:28:30 2012
    1 deletion(s) between Sun Apr 29 01:22:26 2012 and Sun Apr 29 01:23:15 2012
    1 deletion(s) between Sun Apr 29 14:21:50 2012 and Sun Apr 29 14:22:04 2012
    1 deletion(s) between Sun Apr 29 17:18:53 2012 and Sun Apr 29 17:19:08 2012
    1 deletion(s) between Sun Apr 29 20:39:48 2012 and Sun Apr 29 20:39:59 2012
    1 deletion(s) between Sun Apr 29 21:29:42 2012 and Sun Apr 29 21:32:10 2012
    1 deletion(s) between Sun Apr 29 21:32:10 2012 and Sun Apr 29 21:32:24 2012
    1 deletion(s) between Sun Apr 29 21:32:33 2012 and Sun Apr 29 21:32:53 2012
    1 deletion(s) between Mon Apr 30 22:40:23 2012 and Mon Apr 30 22:40:38 2012
    1 deletion(s) between Tue May  1 09:53:24 2012 and Tue May  1 09:53:39 2012
    That is, more or less, one every shutdown. I believe this is another "false cry". So if somebody could run chkrootkit on a 64 bit machine and report back if he gets the same I will drop a bug report on that.
    Thanks.
    Just "clicking away" security warnings about a change in repo signature? Not able to control?
    Then please vote for
    https://features.opensuse.org/312047
    openSUSE should have an efficient web of trust.

  2. #2
    Join Date
    Jun 2008
    Location
    Sogndal, Noreg
    Posts
    1,103

    Re: again some false positive in chkrootkit?

    A test with 'chkrootkit' on 64 bit OS 12.1:

    Code:
    Checking `wted'... 2 deletion(s) between Sat Apr 21 04:47:26 2012 and Sat Apr 21 04:47:31 2012
    2 deletion(s) between Sat Apr 21 05:00:14 2012 and Sat Apr 21 05:00:19 2012
    2 deletion(s) between Sat Apr 21 05:04:35 2012 and Sat Apr 21 05:04:40 2012
    2 deletion(s) between Sat Apr 21 05:09:39 2012 and Sat Apr 21 05:09:49 2012
    1 deletion(s) between Sat Apr 21 05:35:55 2012 and Sat Apr 21 05:36:14 2012
    1 deletion(s) between Sat Apr 21 05:36:14 2012 and Sat Apr 21 05:36:30 2012
    1 deletion(s) between Sat Apr 21 05:38:03 2012 and Sat Apr 21 05:38:12 2012
    1 deletion(s) between Sat Apr 21 05:38:22 2012 and Sat Apr 21 05:39:51 2012
    1 deletion(s) between Sat Apr 21 05:41:12 2012 and Sat Apr 21 05:42:18 2012
    1 deletion(s) between Sat Apr 21 05:43:35 2012 and Sat Apr 21 05:44:54 2012
    1 deletion(s) between Sat Apr 21 05:46:06 2012 and Sat Apr 21 05:46:44 2012
    1 deletion(s) between Sat Apr 21 05:46:51 2012 and Sat Apr 21 05:48:04 2012
    1 deletion(s) between Sat Apr 21 07:24:11 2012 and Sat Apr 21 07:24:17 2012
    1 deletion(s) between Sat Apr 21 07:56:37 2012 and Sat Apr 21 07:56:44 2012
    1 deletion(s) between Sat Apr 21 08:05:27 2012 and Sat Apr 21 08:05:35 2012
    1 deletion(s) between Sun Apr 22 02:27:50 2012 and Sun Apr 22 02:27:57 2012
    1 deletion(s) between Sun Apr 22 02:54:34 2012 and Sun Apr 22 02:54:41 2012
    1 deletion(s) between Sun Apr 22 05:28:58 2012 and Sun Apr 22 05:29:05 2012
    1 deletion(s) between Sun Apr 22 17:04:57 2012 and Sun Apr 22 17:05:03 2012
    1 deletion(s) between Sun Apr 22 19:22:34 2012 and Sun Apr 22 19:22:40 2012
    1 deletion(s) between Sun Apr 22 23:58:31 2012 and Sun Apr 22 23:58:44 2012
    2 deletion(s) between Mon Apr 23 00:30:35 2012 and Mon Apr 23 00:30:42 2012
    2 deletion(s) between Mon Apr 23 02:59:21 2012 and Mon Apr 23 02:59:29 2012
    1 deletion(s) between Tue Apr 24 00:48:32 2012 and Tue Apr 24 00:48:42 2012
    1 deletion(s) between Tue Apr 24 05:56:25 2012 and Tue Apr 24 05:56:32 2012
    1 deletion(s) between Tue Apr 24 18:47:24 2012 and Tue Apr 24 18:47:37 2012
    2 deletion(s) between Wed Apr 25 00:33:16 2012 and Wed Apr 25 00:34:18 2012
    1 deletion(s) between Wed Apr 25 02:15:44 2012 and Wed Apr 25 02:15:53 2012
    1 deletion(s) between Wed Apr 25 06:55:08 2012 and Wed Apr 25 06:55:15 2012
    1 deletion(s) between Wed Apr 25 06:57:02 2012 and Wed Apr 25 23:44:54 2012
    1 deletion(s) between Wed Apr 25 23:51:20 2012 and Wed Apr 25 23:51:31 2012
    1 deletion(s) between Wed Apr 25 23:52:19 2012 and Wed Apr 25 23:52:24 2012
    1 deletion(s) between Thu Apr 26 02:11:25 2012 and Thu Apr 26 02:11:31 2012
    1 deletion(s) between Thu Apr 26 14:07:26 2012 and Thu Apr 26 14:07:33 2012
    1 deletion(s) between Fri Apr 27 22:19:58 2012 and Fri Apr 27 22:20:04 2012
    1 deletion(s) between Sat Apr 28 21:47:29 2012 and Sat Apr 28 21:47:41 2012
    1 deletion(s) between Sun Apr 29 01:50:51 2012 and Sun Apr 29 01:50:59 2012
    1 deletion(s) between Mon Apr 30 08:10:06 2012 and Mon Apr 30 08:10:12 2012
    1 deletion(s) between Mon Apr 30 23:36:49 2012 and Mon Apr 30 23:37:00 2012
    1 deletion(s) between Tue May  1 00:54:01 2012 and Tue May  1 00:54:07 2012
    1 deletion(s) between Tue May  1 22:22:12 2012 and Tue May  1 22:22:19 2012
    1 deletion(s) between Tue May  1 22:23:37 2012 and Tue May  1 22:26:33 2012
    1 deletion(s) between Tue May  1 22:27:34 2012 and Tue May  1 22:27:41 2012
    I did a similar test with an x86 machine as well and got more or less the same list.

    What does this result actually say?
    OpenSuSE 13.1, KDE 4.11.5, 64bit
    Gigabyte 990FXA-UD3, AMD FX8350, MSI GeForce GTX 760, RME HDSP9632, 16GB HyperX Kingston DDR3, Samsung 840-Pro SSD 128GB, WD Desktop Black 1TB, Hitachi Deskstar 7K1000 750GB

  3. #3
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,479

    Re: again some false positive in chkrootkit?

    Thank you for your help. Well, it says that the calibration of the current chkrootkit package is for System V and not for systemd. The changes in the startup routine cause false alarms because these changes (which are normal and typical for all openSUSE systems) will require a whitelisting in the program. Thanks.
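The wtmp scan the thread is interpreting, as an added example that is not chkrootkit's own code: it packs a constructed wtmp using the glibc struct utmp layout, reproduces the "zeroed record between two timestamps" logic (assumed here to approximate chkrootkit's `wted` test, not copied from it), and marks each reported window that is closed by a shutdown or reboot record, the per-shutdown pattern post #3 attributes to the systemd startup changes. Record contents and timestamps are constructed.

```python
import struct

# glibc struct utmp on x86_64 Linux: 384 bytes, 32-bit tv_sec/tv_usec even on 64-bit
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
RUN_LVL, BOOT_TIME, USER_PROCESS = 1, 2, 7  # ut_type values from <utmp.h>

def pack_record(ut_type, user, line, tv_sec, pid=0):
    """Build one wtmp record (only used to construct the sample log below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def parse_wtmp(data):
    """One entry per record: None for an all-zero record, else (ut_type, user, tv_sec)."""
    out = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        if chunk == bytes(UTMP_SIZE):
            out.append(None)              # wiped/zeroed entry, what log cleaners leave
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        out.append((f[0], f[4].rstrip(b"\0").decode("ascii", "replace"), f[9]))
    return out

def wted_scan(data):
    """Assumed wted-style logic: zeroed records are 'deletions', reported as a window
    from the last valid timestamp before them to the first valid one after.
    bounded_by_shutdown is True when that closing record is a shutdown/reboot entry,
    i.e. the benign per-shutdown pattern the thread ends up attributing to systemd."""
    findings, pending, last_ts = [], 0, None
    for rec in parse_wtmp(data):
        if rec is None:
            pending += 1
            continue
        if pending:
            benign = rec[0] in (RUN_LVL, BOOT_TIME) and rec[1] in ("shutdown", "reboot")
            findings.append({"deletions": pending, "start": last_ts, "end": rec[2],
                             "bounded_by_shutdown": benign})
            pending = 0
        last_ts = rec[2]
    return findings

# Constructed sample: boot, login, one zeroed record closed 15 s later by a shutdown
# record (like the thread's output), then a reboot, a login and two zeroed records
# closed by an ordinary user login, which is the case worth a closer look.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, "reboot", "~", 1335000000),
    pack_record(USER_PROCESS, "alice", "tty1", 1335000100),
    bytes(UTMP_SIZE),
    pack_record(RUN_LVL, "shutdown", "~", 1335000115),
    pack_record(BOOT_TIME, "reboot", "~", 1335086400),
    pack_record(USER_PROCESS, "alice", "tty1", 1335086500),
    bytes(UTMP_SIZE), bytes(UTMP_SIZE),
    pack_record(USER_PROCESS, "bob", "pts/0", 1335086600),
])
```

Run `wted_scan` on the bytes of a real `/var/log/wtmp` to compare its windows with the "1 deletion(s) between ..." lines above; a window closed by a shutdown or reboot record matches the pattern discussed here, anything else deserves correlation with other logs.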

  4. #4
    Join Date
    Jun 2008
    Location
    Sogndal, Noreg
    Posts
    1,103

    Re: again some false positive in chkrootkit?

    OK

    Cheers
