Rkhunter and Chkrootkit Warnings on freshly installed openSUSE 12.2 !!!

Hello everybody,

After an OpenSuSE 12.2 fresh install:

  • Rkhunter tells me that there is an “unknown rootkit” !!!
  • Chkrootkit tells me that there is a “suckit rootkit” infection !!!

Is there anybody who has run these scans and had similar warnings??? (I am just hoping that they are false positives.)

I got these warnings from rkhunter after installing 12.2.

Warning: The following processes are using suspicious files:
         Command: cron
           UID: 0    PID: 1580
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: cron
           UID: 0    PID: 7082
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: egrep
           UID: 0    PID: 8573
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: rkhunter
           UID: 0    PID: 16316
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: run-crons
           UID: 0    PID: 7086
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: sh
           UID: 0    PID: 7084
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: sort
           UID: 0    PID: 8574
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: suse.de-rkhunte
           UID: 0    PID: 12088
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: uniq
           UID: 0    PID: 8575
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit

As far as I know, they’re false positives, but I’m no expert on these things.

I added these two lines to /etc/rkhunter.conf.local

RTKT_FILE_WHITELIST="/etc/crontab"
USER_FILEPROP_FILES_DIRS="/etc/crontab"
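An added triage helper, not code from anyone in this thread: it parses the "processes are using suspicious files" block in the layout rkhunter printed above and lists, per flagged pathname, how many hits there were and which commands held the file open, then emits the matching `RTKT_FILE_WHITELIST` line so it can be checked against what was put in `/etc/rkhunter.conf.local`. The sample input is constructed from the thread's output, and any whitelist line it prints is only meant to be applied after the file in question has been inspected by hand.

```shell
#!/bin/sh
# Constructed sample in the same layout as the rkhunter warning quoted above.
SAMPLE='Warning: The following processes are using suspicious files:
         Command: cron
           UID: 0    PID: 1580
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: egrep
           UID: 0    PID: 8573
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
         Command: suse.de-rkhunte
           UID: 0    PID: 12088
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit'

# Reads an rkhunter warning block on stdin and prints one line per flagged
# file: "<hits> <pathname> <comma-separated commands>", most hits first.
summarize_suspicious() {
    awk '
        /Command:/  { cmd = $2 }
        /Pathname:/ {
            path = $2
            n[path]++
            if (!((path, cmd) in seen)) {
                seen[path, cmd] = 1
                cmds[path] = (cmds[path] == "") ? cmd : (cmds[path] "," cmd)
            }
        }
        END { for (p in n) print n[p], p, cmds[p] }
    ' | sort -rn
}

# Turns each flagged pathname into the rkhunter.conf whitelist entry that
# would silence it (the RTKT_FILE_WHITELIST option used earlier in the thread).
whitelist_lines() {
    summarize_suspicious | awk '{ printf "RTKT_FILE_WHITELIST=\"%s\"\n", $2 }'
}

# Stand-alone run on the constructed sample; on a real system feed it the
# warning block cut from /var/log/rkhunter.log instead.
printf '%s\n' "$SAMPLE" | summarize_suspicious
```

When every command listed for a path is cron itself plus the children of the cron job that launched the scan (as in the thread: run-crons, sh, suse.de-rkhunte, egrep, sort, uniq, rkhunter), the hits are explained by the scan's own scheduling rather than by the file's contents, which is the check to do before whitelisting.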

Please, like @londy, always show what your computer shows (between CODE tags) and do not only tell a story.

  • OS: OpenSuse 12.2 (64bit)
  • Rkhunter log:

[14:19:48] Info: Starting test name 'malware'
[14:19:48] Performing malware checks
[14:19:48]
[14:19:48] Info: Test 'deleted_files' disabled at users request.
[14:19:48]
[14:19:48] Info: Starting test name 'running_procs'
[14:19:49]   Checking running processes for suspicious files  Warning ]
[14:19:49] Warning: The following processes are using suspicious files:
[14:19:49]          Command: cron
[14:19:49]            UID: 0    PID: 5207
[14:19:49]            Pathname: /etc/crontab
[14:19:49]            Possible Rootkit: Unknown rootkit
[14:19:49]
[14:19:49] Info: Test 'hidden_procs' disabled at users request.
[14:19:49]
[14:19:49] Info: Test 'suspscan' disabled at users request.
[14:19:49]
[14:19:49] Info: Starting test name 'other_malware'
[14:19:49]   Performing check for login backdoors
[14:19:49]     Checking for '/bin/.login'                     Not found ]
[14:19:49]     Checking for '/sbin/.login'                    Not found ]
[14:19:49]   Checking for login backdoors                     None found ]
[14:19:49]
[14:19:49]   Performing check for suspicious directories
[14:19:49]     Checking for directory '/usr/X11R6/bin/.,/copy'  Not found ]
[14:19:49]     Checking for directory '/dev/rd/cdb'           Not found ]
[14:19:49]   Checking for suspicious directories              None found ]
[14:19:50]
[14:19:50]   Checking for software intrusions                 Skipped ]
[14:19:50] Info: Check skipped - tripwire not installed
[14:19:50]
[14:19:50]   Performing check for sniffer log files
[14:19:50]     Checking for file '/usr/lib/libice.log'        Not found ]
[14:19:50]     Checking for file '/dev/prom/sn.l'             Not found ]
[14:19:50]     Checking for file '/dev/fd/.88/zxsniff.log'    Not found ]
[14:19:50]   Checking for sniffer log files                   None found ]
[14:19:50]
[14:19:50] Info: Starting test name 'trojans'
[14:19:50] Performing trojan specific checks
[14:19:50]   Checking for enabled inetd services              Skipped ]
[14:19:50] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[14:19:50]
[14:19:50]   Performing check for enabled xinetd services
[14:19:50] Info: Using xinetd configuration file '/etc/xinetd.conf'
[14:19:50]     Checking '/etc/xinetd.conf' for enabled services  None found ]
[14:19:50]       Found 'includedir /etc/xinetd.d' directive
[14:19:50]     Checking '/etc/xinetd.d/chargen' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/chargen-udp' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/daytime' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/daytime-udp' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/discard' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/discard-udp' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/echo' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/echo-udp' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/netstat' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/rsync' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/sane-port' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/servers' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/services' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/swat' for enabled services  None found ]
[14:19:50]     Checking '/etc/xinetd.d/systat' for enabled services  None found ]
[14:19:51]     Checking '/etc/xinetd.d/time' for enabled services  None found ]
[14:19:51]     Checking '/etc/xinetd.d/time-udp' for enabled services  None found ]
[14:19:51]     Checking '/etc/xinetd.d/vnc' for enabled services  None found ]
[14:19:51]   Checking for enabled xinetd services             None found ]
[14:19:51] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[14:19:51]
[14:19:51] Info: Starting test name 'os_specific'
[14:19:51] Performing Linux specific checks
[14:19:51]   Checking loaded kernel modules                   OK ]
[14:19:51] Info: Using modules pathname of '/lib/modules/3.4.6-2.10-desktop'
[14:19:51]   Checking kernel module names                     OK ]
[14:19:51]
[14:19:51] Info: Starting test name 'network'
[14:19:51] Checking the network...
[14:19:51]
[14:19:51] Performing checks on the network ports
[14:19:51] Info: Starting test name 'ports'
[14:19:51]   Performing check for backdoor ports
[14:19:51]     Checking for TCP port 1524                     Not found ]
[14:19:51]     Checking for TCP port 1984                     Not found ]
[14:19:51]     Checking for UDP port 2001                     Not found ]
[14:19:51]     Checking for TCP port 2006                     Not found ]
[14:19:51]     Checking for TCP port 2128                     Not found ]
[14:19:51]     Checking for TCP port 6666                     Not found ]
[14:19:51]     Checking for TCP port 6667                     Not found ]
[14:19:51]     Checking for TCP port 6668                     Not found ]
[14:19:52]     Checking for TCP port 6669                     Not found ]
[14:19:52]     Checking for TCP port 7000                     Not found ]
[14:19:52]     Checking for TCP port 13000                    Not found ]
[14:19:52]     Checking for TCP port 14856                    Not found ]
[14:19:52]     Checking for TCP port 25000                    Not found ]
[14:19:52]     Checking for TCP port 29812                    Not found ]
[14:19:52]     Checking for TCP port 31337                    Not found ]
[14:19:52]     Checking for TCP port 32982                    Not found ]
[14:19:52]     Checking for TCP port 33369                    Not found ]
[14:19:52]     Checking for TCP port 47107                    Not found ]
[14:19:52]     Checking for TCP port 47018                    Not found ]
[14:19:52]     Checking for TCP port 60922                    Not found ]
[14:19:52]     Checking for TCP port 62883                    Not found ]
[14:19:52]     Checking for TCP port 65535                    Not found ]
[14:19:52]   Checking for backdoor ports                      None found ]
[14:19:52]
[14:19:52] Info: Test 'hidden_ports' disabled at users request.
[14:19:52]
[14:19:52] Performing checks on the network interfaces
[14:19:52] Info: Starting test name 'promisc'
[14:19:52]   Checking for promiscuous interfaces              None found ]
[14:19:53]
[14:19:53] Info: Test 'packet_cap_apps' disabled at users request.
[14:19:53]
[14:19:53] Info: Starting test name 'local_host'
[14:19:53] Checking the local host...
[14:19:53]
[14:19:53] Info: Starting test name 'startup_files'
[14:19:53] Performing system boot checks
[14:19:53]   Checking for local host name                     Found ]
[14:19:53]
[14:19:53] Info: Starting test name 'startup_malware'
[14:19:53] Info: Using system startup paths: /etc/init.d /etc/inittab
[14:19:53]   Checking for system startup files                Found ]
[14:19:55]   Checking system startup files for malware        None found ]
[14:19:55]
[14:19:55] Info: Starting test name 'group_accounts'
[14:19:55] Performing group and account checks
[14:19:55]   Checking for passwd file                         Found ]
[14:19:55] Info: Found password file: /etc/passwd
[14:19:55]   Checking for root equivalent (UID 0) accounts    None found ]
[14:19:55] Info: Found shadow file: /etc/shadow
[14:19:55]   Checking for passwordless accounts               None found ]
[14:19:55]
[14:19:55] Info: Starting test name 'passwd_changes'
[14:19:55]   Checking for passwd file changes                 Warning ]
[14:19:55] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[14:19:55]
[14:19:55] Info: Starting test name 'group_changes'
[14:19:55]   Checking for group file changes                  Warning ]
[14:19:55] Warning: Unable to check for group file differences: no copy of the group file exists.
[14:19:55]   Checking root account shell history files        OK ]
[14:19:55]
[14:19:55] Info: Starting test name 'system_configs'
[14:19:55] Performing system configuration file checks
[14:19:55]   Checking for SSH configuration file              Found ]
[14:19:55] Info: Found SSH configuration file: /etc/ssh/sshd_config
[14:19:55] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[14:19:55] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[14:19:55]   Checking if SSH root access is allowed           Warning ]
[14:19:55] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
           The default value may be 'yes', to allow root access.
[14:19:55]   Checking if SSH protocol v1 is allowed           Warning ]
[14:19:55] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[14:19:55]   Checking for running syslog daemon               Found ]
[14:19:55] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[14:19:55]   Checking for syslog configuration file           Found ]
[14:19:55]   Checking if syslog remote logging is allowed     Not allowed ]
[14:19:55]
[14:19:55] Info: Starting test name 'filesystem'
[14:19:55] Performing filesystem checks
[14:19:56] Info: SCAN_MODE_DEV set to 'THOROUGH'
[14:19:56] Info: Found file '/dev/shm/pulse-shm-2540841389': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-3709611046': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-4108338592': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-3591046746': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-1216186442': it is whitelisted.
[14:19:56]   Checking /dev for suspicious file types          Warning ]
[14:19:56] Warning: Suspicious file types found in /dev:
[14:19:56]          /dev/.sysconfig/network/new-stamp-3: ASCII text
[14:19:56]          /dev/.sysconfig/network/new-stamp-2: ASCII text
[14:19:56]   Checking for hidden files and directories        Warning ]
[14:19:56] Warning: Hidden directory found: '/dev/.sysconfig'
[14:19:56] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[14:19:56] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[14:19:56]
[14:19:56] Info: Starting test name 'apps'
[14:19:56] Checking application versions...
[14:19:56] Info: Application 'exim' not found.
[14:19:56]   Checking version of GnuPG                        OK ]
[14:19:56] Info: Application 'gpg' version '2.0.19' found.
[14:19:56] Info: Application 'httpd' not found.
[14:19:56] Info: Application 'named' not found.
[14:19:56]   Checking version of OpenSSL                      OK ]
[14:19:56] Info: Application 'openssl' version '1.0.1c' found.
[14:19:56] Info: Application 'php' not found.
[14:19:56] Info: Application 'procmail' not found.
[14:19:56] Info: Application 'proftpd' not found.
[14:19:57]   Checking version of OpenSSH                      OK ]
[14:19:57] Info: Application 'sshd' version '6.0p1' found.
[14:19:57] Info: Applications checked: 3 out of 9
[14:19:57]
[14:19:57] System checks summary
[14:19:57] =====================
[14:19:57]
[14:19:57] File properties checks...
[14:19:57] Files checked: 170
[14:19:57] Suspect files: 0
[14:19:57]
[14:19:57] Rootkit checks...
[14:19:57] Rootkits checked : 194
[14:19:57] Possible rootkits: 1
[14:19:57] Rootkit names    : Unknown rootkit
[14:19:57]
[14:19:57] Applications checks...
[14:19:57] Applications checked: 3
[14:19:57] Suspect applications: 0
[14:19:57]
[14:19:57] The system checks took: 1 minute and 25 seconds
[14:19:57]
[14:19:57] Info: End date is Tue Sep 11 14:19:57 CEST 2012

  • After a reinstall, chkrootkit did not work and I got:

chkrootkit: can't find `strings'.

PS: before the reinstall I got the following warning (that seems to be a bug):

 Searching for Suckit rootkit... Warning: /sbin/init INFECTED 

Thx for your help

Thx @londy for your response. I’m not an expert either, and that is why I do not feel comfortable whitelisting something I do not know!

@hcvv, I posted an excerpt of my rkhunter.log; do you have similar results? What about chkrootkit?

I am looking forward to hearing from you !

Thank you everybody !

First, I do not understand why you did a reinstall. Was that from a different repo or any other difference between the earlier install and the new one? Repeating the same installation is rather useless (except when you destroyed parts of the package manually).

Then, when chkrootkit complains that it can not find *strings*, that is strange. The tool strings is basically always installed. Try that, my test:

henk@boven:~> which strings
/usr/bin/strings
henk@boven:~>

and thus it is there.

I do not have installed chkrootkit nor *rkhunter*. Maybe I am a bit lousy in security (in this subject, not overall :wink: ) and I am still on 11.4.
So, in fact, as a forum member, I did not have the intention to answer in this post. As a mod I pointed you to the CODE tags.

I can find a package chkrootkit in the OSS repo, but I can not find *rkhunter*; maybe it is in 12.2?

When I glance through your output, I do not see any alarming issues. The crontab warning is a bit strange, but you did not tell what you found inspecting */etc/crontab*.

Since I am a newbie and coming from the “Windows world”, maybe it seems a little bit paranoid, but you would tell me it is Linux and do not be :wink: ! Anyway…

I thank you for your response. Now I have come back to 12.1 and there is no rkhunter warning, rotfl! Chkrootkit works but gives

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

which seems to be a bug!!!

Thank you everybody

On 09/12/2012 11:06 AM, RANGOOO wrote:
> I am looking forward to hearing from you !

there have been many before you asking questions about security:

how to have it?

what to do to keep it?

how to re-get it if not CERTAIN you have not been penetrated?

how to know when you have enough security?

security is SUCH a huge field i doubt a lot of folks here are willing to
step up and pass judgment on your system without ever having sat down
at your machine and run a lot more than just rkhunter, etc…

and, even if someone does: do you actually know if that answer is correct?

we here are users just like you…
well, maybe we have been using Linux for a lot of years…or not…

maybe some are actual working linux admins…or not…

maybe some really are experts in security…on their system, in
their environment and to the level they need…

so i’m not gonna answer for your system, BUT:

if you download openSUSE from http://software.opensuse.org/

-check the downloaded iso with the md5 or sha1 code also downloaded from
software.opensuse.org then you know you have an iso as trustworthy as
any you can get (i guess)

  • then burn it to a disk, boot from the disk, run the offered “Media
    Check”…but do not install yet!

  • THIS is the time to plan what all you want to install for security
    (like) rkhunter, chkrootkit, tripwire and whatever else you wish to rely
    on…download them now from a trusted source, and compare trusted
    check sums on each, and format and then copy them on whatever
    external media you wish to install them from–because you will NOT
    connect to the internet or network prior to running all of those to base
    line what is safe! [remember the centrifuges destroyed in a warm country
    by a virus? i guess they were probably infected by USB keys dropped in
    parking lots, or near the homes of workers known to work with/on/near
    the targets…who plugged them into their own laptops to see what was on
    the thumbdrive and . . .]

  • so then do a full format and install from your known clean openSUSE
    install medium without the internet connected

  • then install from your known clean medium rkhunter/etc, READ their
    documentation so you know their strengths and weaknesses…then run them
    against your absolutely known un-penetrated system…and you can maybe
    trust that whatever they find is harmless…maybe (most probably–well,
    probably enough that i would trust it–but i doubt if the CIA or NSA would.)

from then on your machine is only as safe as are your normal security
procedures…some of mine are: never log into the GUI as root; never run
any internet app (mail, browser, chat, etc etc etc) as root; and then
there are lots and lots of other things to do: like never let an
untrusted individual have free physical access to the machine; don’t run
stuff you don’t need (like sshd, ftpd, etc etc etc); and on and on and
on…

btw: i do not wear an aluminum foil cap…it is not thick enough! :wink:


dd http://goo.gl/PUjnL