I use openSUSE 12.3 KDE 64-Bit.

Today I decided to install “chkrootkit” in openSUSE.
Then he called me back this line:

“Searching for Suckit rootkit… Warning: /sbin/init INFECTED”.

I installed also the “rkhunter” and returned the following:

Suckit Rootkit Not found ].

System checks summary

File properties checks…
Required commands check failed
Files checked: 180
Suspect files: 3

Rootkit checks…
Rootkits checked : 306
Possible rootkits: 0

Applications checks…
Applications checked: 4
Suspect applications: 0

What should I do?

Thank you!

Verify the file matches the package from which it came using the following


rpm -qfV /sbin/init

If nothing comes back at all, that’s a good thing. Post the output if
anything does come back.

Next, you should verify that the package which you just used to check the
file actually matches one that came from openSUSE, on the off chance the
supposed rootkit somehow modified the package definition to thwart the
check you just did. I do not know the command off the top of my head to
do that verification, so I’ll let somebody else chime in.

Another option may be to build another box, apply the same patches, and
then check the checksum of /sbin/init with the other system (or anybody
else in this forum running 12.3 with the same patches).

If nothing turns up doing the checks above, report a bug to chkrootkit.
If something does appear above, stop running things as ‘root’. :slight_smile:

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

“rpm -qfV /sbin/init”

Nothing was returned.

Thank you!

With systemd, /sbin/init is just a symlink to systemd.
Maybe this causes the false alert by rkhunter?

Not with rkhunter, but with chkrootkit.
Probably is a (false positive).

OK, chkrootkit, sorry.

According to “rpm -qfV” everything is ok with /sbin/init.
You can also check yourself with “ls -l /sbin/init”.
As I already said, /sbin/init should just be a symlink to systemd. If it is, that’s definitely a false report.

Maybe chkrootkit doesn’t know about systemd yet, and reports /sbin/init as INFECTED because it is just a symlink.

Also see this:
Gentoo Forums :: View topic - Diagnose SucKit


ls -l /sbin/init
lrwxrwxrwx 1 root root 26 Out 7 17:42 /sbin/init → …/usr/lib/systemd/systemd

Marcus Meissner responded in:

“it detects the string “HOME” in /sbin/init of systemd… its a misdetection.”