Rootkit Scan- Says INFECTED!

hi,
i saw the followed the tutorial from 9 Best practices to secure your Linux Desktop & Server | Including installation & Configuration | Unixmen and got this result:

ROOTDIR is /' Checking amd’… not found
Checking basename'... not infected Checking biff’… not found
Checking chfn'... not infected Checking chsh’… not infected
Checking cron'... not infected Checking crontab’… not infected
Checking date'... not infected Checking du’… not infected
Checking dirname'... not infected Checking echo’… not infected
Checking egrep'... not infected Checking env’… not infected
Checking find'... not infected Checking fingerd’… not found
Checking gpm'... not infected Checking grep’… not infected
Checking hdparm'... not infected Checking su’… not infected
Checking ifconfig'... not infected Checking inetd’… not tested
Checking inetdconf'... not found Checking identd’… not found
Checking init'... not infected Checking killall’… not infected
Checking ldsopreload'... can't exec ./strings-static, not tested Checking login’… not infected
Checking ls'... not infected Checking lsof’… not infected
Checking mail'... not infected Checking mingetty’… not infected
Checking netstat'... not infected Checking named’… not found
Checking passwd'... not infected Checking pidof’… not infected
Checking pop2'... not found Checking pop3’… not found
Checking ps'... not infected Checking pstree’… not infected
Checking rpcinfo'... not infected Checking rlogind’… not found
Checking rshd'... not found Checking slogin’… not infected
Checking sendmail'... not infected Checking sshd’… not infected
Checking syslogd'... not tested Checking tar’… not infected
Checking tcpd'... not infected Checking tcpdump’… not infected
Checking top'... not infected Checking telnetd’… not found
Checking timed'... not found Checking traceroute’… not infected
Checking vdir'... not infected Checking w’… not infected
Checking write'... not infected Checking aliens’… no suspect files
Searching for sniffer’s logs, it may take a while… nothing found
Searching for HiDrootkit’s default dir… nothing found
Searching for t0rn’s default files and dirs… nothing found
Searching for t0rn’s v8 defaults… nothing found
Searching for Lion Worm default files and dirs… nothing found
Searching for RSHA’s default files and dir… nothing found
Searching for RH-Sharpe’s default files… nothing found
Searching for Ambient’s rootkit (ark) default files and dirs… nothing found
Searching for suspicious files and dirs, it may take a while…
/usr/lib/perl5/5.14.2/i586-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs… nothing found
Searching for Ramen Worm files and dirs… nothing found
Searching for Maniac files and dirs… nothing found
Searching for RK17 files and dirs… nothing found
Searching for Ducoci rootkit… nothing found
Searching for Adore Worm… nothing found
Searching for ■■■■■ Worm… nothing found
Searching for Omega Worm… nothing found
Searching for Sadmind/IIS Worm… nothing found
Searching for MonKit… nothing found
Searching for Showtee… nothing found
Searching for OpticKit… nothing found
Searching for T.R.K… nothing found
Searching for Mithra… nothing found
Searching for LOC rootkit… nothing found
Searching for Romanian rootkit… nothing found
Searching for Suckit rootkit… Warning: /sbin/init** INFECTED**
Searching for Volc rootkit… nothing found
Searching for Gold2 rootkit… nothing found
Searching for TC2 Worm default files and dirs… nothing found
Searching for Anonoying rootkit default files and dirs… nothing found
Searching for ZK rootkit default files and dirs… nothing found
Searching for ShKit rootkit default files and dirs… nothing found
Searching for AjaKit rootkit default files and dirs… nothing found
Searching for zaRwT rootkit default files and dirs… nothing found
Searching for Madalin rootkit default files… nothing found
Searching for Fu rootkit default files… nothing found
Searching for ESRK rootkit default files… nothing found
Searching for rootedoor… nothing found
Searching for ENYELKM rootkit default files… nothing found
Searching for common ssh-scanners default files… nothing found
Searching for suspect PHP files… nothing found
Searching for anomalies in shell history files… nothing found
Checking asp'... not infected Checking bindshell’… not infected
Checking lkm'... find: /proc/5715/net’: Invalid argument
not tested: can’t exec
Checking rexedcs'... not found Checking sniffer’… not tested: can’t exec ./ifpromisc
Checking w55808'... not infected Checking wted’… not tested: can’t exec ./chkwtmp
Checking scalper'... not infected Checking slapper’… not infected
Checking z2'... not tested: can't exec ./chklastlog Checking chkutmp’… not tested: can’t exec ./chkutmp
Checking `OSX_RSPLUG’… not infected

it shows one of the file is infected. what should i do? is this reliable?

Please use CODE tags when posting computer text (next time): http://forums.opensuse.org/english/information-new-users/advanced-how-faq-read-only/451526-posting-code-tags-guide.html

On 2012-03-29 17:46, smithark wrote:

>> Searching for Suckit rootkit… Warning: /sbin/init* INFECTED*

You only needed to post this line.

> it shows one of the file is infected. what should i do? is this
> reliable?

Compare to the original file in the rpm and find out.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

you do not specify but I suppose you used the current opensuse version of chkrootkit. This version is known to give false positives for the suckit rootkit in combination with system.d. A bug has been raised in bugzilla.
You should always in such cases run the rkhunter scan to have a comparable result. Of course there a a few more option that you can follow now:

  • you can despare, burn all the warez you stock on your PC and then burn your house (not reccomanded)#
  • you can try out if the rootkit does what it promised (that could occasionally be an option, well…)
  • you can send henk and carlos a bootle of vodka, so they relax slightly more.

Seriously, the problem has been discussed before in the forum.
You have a very good security guide that you can follow, set up apparmor profiles for exposed applications and you can check your ssh settings. But for what I see there, what you really should:

  • declare well what version of opensuse you are using
  • what scan you did use and what version
  • use an alternative scan with rkhunter (and build up the signature database of it to recognize alterations taken place)
  • read the bugzilla of openSUSE
  • never login as root (yes I know that is childish to say but always good to quote)
  • never install software from unknown sources
  • deactivate the java plugin in firefox (it has nearly no use and is source of potential problems)
  • use noscript browser plugin
  • well, we said already about apparmor
  • finally have a beer, lager, slightly iced.

Cheers.

Yes. It’s a known bug in chkrootkit: https://bugzilla.redhat.com/show_bug.cgi?id=636231.

Would be the first time I earn something substantial by posting here. I support this suggestion fullhearted.

I send you one if you pm me your postal address, promised :slight_smile:

thanks lot for your replies.
@ stakanov,
i use version 0.49 of chkrootkit and thanks for the advice esp the one about beer, lager slightly icedlol!

i panicked when i saw the word ‘INFECTED’. sorry for the trouble. thanks a lot for the info.