Thread: Rootkit

  1. #1

    Default Rootkit

    Hello

    I use openSUSE 12.3 KDE 64-Bit.

    Today I decided to install "chkrootkit" in openSUSE.
    Then it returned this line:

    "Searching for Suckit rootkit... Warning: /sbin/init INFECTED".
    ----------

    I also installed "rkhunter", which returned the following:

    Suckit Rootkit [ Not found ].

    System checks summary
    =====================

    File properties checks...
    Required commands check failed
    Files checked: 180
    Suspect files: 3

    Rootkit checks...
    Rootkits checked : 306
    Possible rootkits: 0

    Applications checks...
    Applications checked: 4
    Suspect applications: 0

    What should I do?

    Thank you!

  2. #2

    Default Re: Rootkit

    Verify the file matches the package from which it came using the following
    command:

    Code:
    --------------------
    rpm -qfV /sbin/init
    --------------------

    If nothing comes back at all, that's a good thing. Post the output if
    anything does come back.

    Next, you should verify that the package which you just used to check the
    file actually matches one that came from openSUSE, on the off chance the
    supposed rootkit somehow modified the package definition to thwart the
    check you just did. I do not know the command off the top of my head to
    do that verification, so I'll let somebody else chime in.

    Another option may be to build another box, apply the same patches, and
    then check the checksum of /sbin/init with the other system (or anybody
    else in this forum running 12.3 with the same patches).

    If nothing turns up doing the checks above, report a bug to chkrootkit.
    If something does appear above, stop running things as 'root'. :-)

    --
    Good luck.

  3. #3

    Default Re: Rootkit

    "rpm -qfV /sbin/init"

    Nothing was returned.

    Thank you!

  4. #4

    Default Re: Rootkit

    With systemd, /sbin/init is just a symlink to systemd.
    Maybe this causes the false alert by rkhunter?

  5. #5

    Default Re: Rootkit

    Quote Originally Posted by wolfi323 View Post
    With systemd, /sbin/init is just a symlink to systemd.
    Maybe this causes the false alert by rkhunter?
    Not with rkhunter, but with chkrootkit.
    It's probably a false positive.

  6. #6

    Default Re: Rootkit

    Quote Originally Posted by rhus View Post
    Not with rkhunter, but with chkrootkit.
    It's probably a false positive.
    OK, chkrootkit, sorry.

    According to "rpm -qfV" everything is ok with /sbin/init.
    You can also check yourself with "ls -l /sbin/init".
    As I already said, /sbin/init should just be a symlink to systemd. If it is, that's definitely a false report.

    Maybe chkrootkit doesn't know about systemd yet, and reports /sbin/init as INFECTED because it is just a symlink.

  8. #8

    Default Re: Rootkit

    Quote Originally Posted by wolfi323 View Post
    OK, chkrootkit, sorry.

    According to "rpm -qfV" everything is ok with /sbin/init.
    You can also check yourself with "ls -l /sbin/init".
    As I already said, /sbin/init should just be a symlink to systemd. If it is, that's definitely a false report.

    Maybe chkrootkit doesn't know about systemd yet, and reports /sbin/init as INFECTED because it is just a symlink.
    Look!

    Code:
    --------------------
    ls -l /sbin/init
    lrwxrwxrwx 1 root root 26 Oct 7 17:42 /sbin/init -> ../usr/lib/systemd/systemd
    --------------------

  9. #9

    Default Re: Rootkit

    Marcus Meissner responded in:
    https://bugzilla.novell.com/show_bug.cgi?id=845625

    "it detects the string "HOME" in /sbin/init of systemd... its a misdetection."

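The following script is an added example; it is not from the forum thread, from chkrootkit or from openSUSE. It ties together post #2 (verify the file against its package) and post #9 (the warning comes from chkrootkit finding the string "HOME" in /sbin/init). My reimplementation of the heuristic is an approximation: it scans the printable strings of the file for "HOME", which is enough to show why a systemd binary trips it. The sample "binaries" are constructed throwaway files, not real executables. Assumed, and not stated on the page: `readlink -f` (GNU coreutils) is available, and `rpm -qi` prints a `Signature` line for signed packages.

```shell
#!/bin/sh
# Added example (not from the thread, chkrootkit or openSUSE): reproduce the
# heuristic behind "Searching for Suckit rootkit... Warning: /sbin/init
# INFECTED" and contrast it with the rpm verification suggested in post #2.
#
# Assumption (mine): chkrootkit's Suckit test amounts to
#   strings -a /sbin/init | egrep HOME
# and systemd legitimately contains "HOME" because it sets it for the
# sessions and services it starts.

# Emulate `strings -a FILE | grep HOME`: turn every non-printable byte into a
# newline and look for HOME. Returns 0 when the heuristic would say INFECTED.
suckit_string_check() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'HOME'
}

# The verdict chkrootkit would print for a file.
suckit_verdict() {
    if suckit_string_check "$1"; then echo INFECTED; else echo "nothing found"; fi
}

# The check that settles the question on an RPM system. Note the readlink:
# on openSUSE 12.3 /sbin/init is a symlink owned by one package, while the
# binary it points to (/usr/lib/systemd/systemd) is owned by another, so
# verifying the symlink's package says nothing about the binary itself.
# Prints "clean" when rpm -V reports no deviation from the package's recorded
# digest, size, mode and ownership; otherwise prints rpm's findings.
package_verify() {
    target=$(readlink -f "$1")                 # assumed: GNU readlink -f
    out=$(rpm -qfV "$target" 2>&1 || true)     # rpm -V exits non-zero on mismatch
    if [ -z "$out" ]; then echo clean; else echo "$out"; fi
}

# Constructed samples: a fake "init" that, like systemd, carries HOME in its
# string table, and one that does not. Neither is a real ELF binary.
tmp=${TMPDIR:-/tmp}/suckit-demo.$$
mkdir -p "$tmp"
printf 'ELF\000\000setenv\000HOME=/root\000/run/systemd\000' > "$tmp/systemd-like"
printf 'ELF\000\000/etc/inittab\000respawn\000'              > "$tmp/plain-init"
ln -s "$tmp/systemd-like" "$tmp/init"          # mimic /sbin/init -> systemd

echo "systemd-like: $(suckit_verdict "$tmp/init")"        # heuristic fires: INFECTED
echo "plain-init:   $(suckit_verdict "$tmp/plain-init")"  # nothing found

# On a real openSUSE box, run the deciding check and show whether the owning
# package carries a distribution signature at all.
if command -v rpm >/dev/null 2>&1 && [ -e /sbin/init ]; then
    echo "/sbin/init -> $(readlink -f /sbin/init): $(package_verify /sbin/init)"
    rpm -qi "$(rpm -qf "$(readlink -f /sbin/init)")" | grep '^Signature' || true
fi
```

Two caveats worth keeping in mind. A string match on HOME is evidence of nothing by itself: any init that manipulates the environment contains it, which is exactly the misdetection Marcus Meissner describes. And `rpm -V` compares the file against digests stored in the local rpm database, so it is only as trustworthy as that database; the comparison against a freshly installed box with the same patch level, as suggested in post #2, is the check that does not depend on state the attacker could have rewritten.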