After installing and online updating SUSE 12.1, I ran chkrootkit and it claimed that /sbin/init was infected by the “Suckit” rootkit. I ran aide and did not notice any odd changes but I am not sure that I am knowledgeable enough to know. Hoping that this is a bug and not an infection. Anyone else notice this?
Carl Peterson
Sorry,
After posting this message I found my answer already posted.
Carl
On Tue, 17 Jan 2012 01:16:02 +0000, cnpeterson2000 wrote:
> After installing and online updating SUSE 12.1, I ran chkrootkit and it
> claimed that /sbin/init was infected by the “Suckit” rootkit. I ran aide
> and did not notice any odd changes but I am not sure that I am
> knowledgeable enough to know. Hoping that this is a bug and not an
> infection. Anyone else notice this?
I haven’t noticed this on any of my 12.1 systems (just ran chkrootkit on
3 systems running 12.1 and init is fine here) - what are the results of:
rpm -Vv systemd-sysvinit
?
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
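The `rpm -Vv` suggestion above is the right first check, but its output takes some reading: one line per file whose recorded attributes differ from the RPM database, each prefixed by a nine-character flag string (S size, M mode, 5 digest, D device, L symlink target, U user, G group, T mtime, P capabilities; a dot means the attribute still matches), optionally followed by a file-class letter such as `c` for config files. The script below is an added example for this page, not code from the thread or from openSUSE: it triages such output, treating a changed digest, size, mode or link target on a non-config file as an alert and an mtime-only change as a note, and then (if `rpm` is present) runs the real check on the package owning /sbin/init and prints its recorded signature. The sample lines are constructed, not taken from any real system; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -V` output for the
# package that owns /sbin/init.
#
# rpm -V line layout (rpm's documented format):
#   <9 flags> [c|d|g|l|r] <path>        e.g.  S.5....T.  c /etc/foo
#   missing   [c|d|g|l|r] <path>
# Flags: S size  M mode  5 digest  D device  L symlink target
#        U user  G group T mtime   P capabilities   '.' = unchanged
# Limitation: paths containing spaces are not handled (word splitting).

# triage_verify: read rpm -V lines on stdin, print one finding per line,
# return 0 if only expected drift (config files, mtime) was seen, 1 otherwise.
triage_verify() {
    suspicious=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # shellcheck disable=SC2086  # word splitting is intended here
        set -- $line
        if [ "$1" = "missing" ]; then
            shift
            path=$1
            [ $# -ge 2 ] && path=$2   # skip the optional class letter
            echo "ALERT missing file: $path"
            suspicious=1
            continue
        fi
        flags=$1
        if [ $# -ge 3 ]; then attr=$2; path=$3; else attr=""; path=$2; fi
        case "$attr" in
            c|g|l|r)
                # config, ghost, license and readme files are expected to drift
                echo "info  $attr-file changed ($flags): $path"
                continue ;;
        esac
        case "$flags" in
            *[SM5DLUGP]*)
                # content, permissions, ownership or link target changed
                echo "ALERT content/metadata changed ($flags): $path"
                suspicious=1 ;;
            *T*)
                echo "note  mtime only ($flags): $path" ;;
        esac
    done
    return $suspicious
}

# check_init_package: run the real check on this host (needs rpm installed).
check_init_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available here"; return 2; }
    echo "/sbin/init -> $(readlink -f /sbin/init)"
    pkg=$(rpm -qf /sbin/init) || return 2
    echo "owning package: $pkg"
    # "(none)" here means the installed package carries no GPG signature
    rpm -qi "$pkg" | grep -i '^Signature' || true
    rpm -V "$pkg" | triage_verify
}

# Constructed sample (not real output) exercising each case:
SAMPLE='S.5....T.    /sbin/init
.......T.    /usr/lib/systemd/systemd
S.5....T.  c /etc/systemd/system.conf
missing      /usr/lib/systemd/systemd-shutdown'

if printf '%s\n' "$SAMPLE" | triage_verify; then
    echo "verdict: clean"
else
    echo "verdict: investigate the ALERT lines"
fi
```

Two caveats a practitioner would add: under systemd /sbin/init is a symlink, so a replaced link target shows up as an `L` flag rather than a digest change; and since `rpm`, `strings` and chkrootkit all run on the host being examined, a clean `rpm -V` lowers the odds of a tampered binary but cannot rule out a kernel-level rootkit hiding the change. Comparing against a freshly downloaded copy of the package (`rpm -Vp <file>.rpm`) or checking from a boot medium is the stronger test.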
He was referring to a bug in chkrootkit treated in [this](http://forums.opensuse.org/english/get-technical-help-here/applications/467921-beware-chkrootkit-issue-systemd.html#post2405079) thread. It appears connected with systemd and a [bugreport](https://bugzilla.novell.com/show_bug.cgi?id=731281) has been filed against it.
On Tue, 17 Jan 2012 09:26:07 +0000, stakanov wrote:
> He was referring to a bug in chkrootkit treated in ‘this’
> (http://tinyurl.com/7jskna9) thread. I appears connected with systemd
> and a ‘bugreport’ (https://bugzilla.novell.com/show_bug.cgi?id=731281)
> has been filed against.
Interesting, because I didn’t run into that issue when I checked my 3
12.1 systems.
Jim
LOL, if I have to be sarcastic I would say: duh! That was because you were not infected. rotfl! And I would use the occasion to promote the feature I bring forward in my signature. But I would be surprised that one kit, rkhunter, senses a problem and chkrootkit doesn’t. BTW, some warnings (not saying I am infected) I did get also on 11.1 Evergreen with rkhunter, but that was with the compiled version. We know that it is highly improbable (since the systems with 12.1 were, by what was written, newly set up). Still, I couldn’t help the irony, forgive me. :shame:
On Tue, 17 Jan 2012 20:26:02 +0000, stakanov wrote:
> LOL, if I have to be sarcastic I would say: duh! That was because you
> were not infected.
Indeed I wasn’t infected.
I’m not sure I understand the point here. OP said he ran chkrootkit and
it said he was infected. I ran it and I wasn’t. I’m running systemd on
all three of my systems.
So I suggested a way for him to validate that the RPM is correct.
Not sure what’s so ironic about that.
Jim
Well, if you have read the thread, it was from another OP. So the issue is known and a bug report has been raised. It is to be seen if the three machines that did not give this result are homogeneous, that is all three of the same installation, and maybe updates from 11.4 or maybe all three new installs. Such a difference could explain that you did not encounter the problem.
For the irony: I have been fighting for quite some time for a controllable page with the repo signature. Albeit the devs seem to think the risk is small, I would not underestimate the badness of malware programmers. Personally I do not think there is an infection. I suspect this to be an artifact of the way the system was installed. But as I have no 12.1 system under my hands I cannot try whether on my updated machine it gives a false positive as well. So my comment was to be taken as ironic. But sure, he should check the rpm, you are perfectly right. If he finds a way to check the validity of the repo where he has taken it from…
On Tue, 17 Jan 2012 21:26:02 +0000, stakanov wrote:
> Well, if you have read the thread, it was from another OP. So the issue
> is known and a bug report has been raised. It is to be seen if the three
> machines that did not give this result are homogeneous, that is all
> three of the same installation, and maybe updates from 11.4 or maybe all
> three new installs. Such a difference could explain that you did not
> encounter the problem.
A mix of installs and platforms were used in my setups. I probably
should have specified that.
Jim
Then I would raise this within the bug report. This would mean either that there is more than one user who encountered an rpm that was not O.K., which rings a very bad bell, or that the two or more installs share some package or setting that gives such a result (which is still worth investigating). But since you have three negative machines I really would suggest you raise that point in the report, don’t you think so?
On Tue, 17 Jan 2012 23:36:02 +0000, stakanov wrote:
> hendersj;2431472 Wrote:
>> On Tue, 17 Jan 2012 21:26:02 +0000, stakanov wrote:
>>
>> > Well, if you have read the thread, it was from another OP. So the
>> issue
>> > is known and a bug report has been raised. It is to be seen if the
>> three
>> > machines that did not give this result are homogeneous, that is all
>> > three of the same installation, and maybe updates from 11.4 or maybe
>> all
>> > three new installs. Such a difference could explain that you did not
>> > encounter the problem.
>>
>> A mix of installs and platforms were used in my setups. I probably
>> should have specified that.
>>
>> Jim
>> –
>> Jim Henderson
>> openSUSE Forums Administrator
>> Forum Use Terms & Conditions at ‘openSUSE Forums FAQ’
>> (http://tinyurl.com/openSUSE-T-C)
>
> Then I would raise this within the bug report. This would mean there is
> more then one user that encountered an rpm that was not O.K. and that
> rings a very bad bell, or that the two or more installs share some
> package or setting that gives such result (which still is worth
> investigating). But since you have three negative machines I really
> would suggest you raise that point in the report, don’t you think so?
Not a bad idea, perhaps this evening after I’ve gotten home. Just
getting ready to head out for the day.
Jim
I just ran chkrootkit on my machine too and had the same positive find:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
So is it a bug, or should I be concerned?
You should ALWAYS be concerned. About whether the weather will be O.K., about what your gf is doing if she is heading suddenly every second evening for “bowling” and/or if your aquarium is empty and your wife announces that today there is fish for lunch. For the time being, I would stay cool and wait, we are going to have an update on this ASAP, I am confident about this. Then, having done all the list of before when applicable, you can still be concerned. lol! Just now, stay cool, wait, and have a gorgeous day.
PS. And if all this is too slow, you might read the bugreport and what is moving there, I posted the link up in this thread.
hahaha nice post, all righty. Take care mate