Rootkit

Hello

I use openSUSE 12.3 KDE 64-Bit.

Today I decided to install “chkrootkit” in openSUSE.
It then returned this line:

“Searching for Suckit rootkit… Warning: /sbin/init INFECTED”.

I also installed “rkhunter”, and it returned the following:

Suckit Rootkit Not found ].

System checks summary

File properties checks…
Required commands check failed
Files checked: 180
Suspect files: 3

Rootkit checks…
Rootkits checked : 306
Possible rootkits: 0

Applications checks…
Applications checked: 4
Suspect applications: 0

What should I do?

Thank you!

Verify the file matches the package from which it came using the following
command:

Code:

rpm -qfV /sbin/init

If nothing comes back at all, that’s a good thing. Post the output if
anything does come back.

Next, you should verify that the package which you just used to check the
file actually matches one that came from openSUSE, on the off chance the
supposed rootkit somehow modified the package definition to thwart the
check you just did. I do not know the command off the top of my head to
do that verification, so I’ll let somebody else chime in.

Another option may be to build another box, apply the same patches, and
then check the checksum of /sbin/init with the other system (or anybody
else in this forum running 12.3 with the same patches).

If nothing turns up doing the checks above, report a bug to chkrootkit.
If something does appear above, stop running things as ‘root’. :slight_smile:


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

“rpm -qfV /sbin/init”

Nothing was returned.

Thank you!

With systemd, /sbin/init is just a symlink to systemd.
Maybe this causes the false alert by rkhunter?

Not with rkhunter, but with chkrootkit.
It is probably a false positive.

OK, chkrootkit, sorry.

According to “rpm -qfV” everything is ok with /sbin/init.
You can also check yourself with “ls -l /sbin/init”.
As I already said, /sbin/init should just be a symlink to systemd. If it is, that’s definitely a false report.

Maybe chkrootkit doesn’t know about systemd yet, and reports /sbin/init as INFECTED because it is just a symlink.

Also see this:
Gentoo Forums :: View topic - Diagnose SucKit
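The checks suggested in the two replies above (resolve the /sbin/init symlink, verify the file against its package with rpm, and take a checksum to compare with another box) as one script. This is an added example, not code from the thread; it assumes an RPM-based system such as openSUSE, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from this thread): scripts the checks suggested for a
# chkrootkit "/sbin/init INFECTED" report. Assumes an RPM-based system.

# Follow the flagged path to the file it really points at. On a systemd
# system /sbin/init is only a symlink into /usr/lib/systemd.
resolve_init() {
    readlink -f "$1"
}

# Returns 0 when the path is a symlink whose target is the systemd binary,
# the situation the thread identifies as a known chkrootkit misdetection.
is_systemd_symlink() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1") || return 1
    case "$target" in
        */systemd/systemd) return 0 ;;
    esac
    return 1
}

# Verify the file against the package that owns it (rpm -qfV, as in the
# first reply) and print the signature recorded for that package, which is
# the "did this package really come from openSUSE" check the reply was
# missing. Needs rpm; reports and returns 2 without it.
verify_with_rpm() {
    f=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    pkg=$(rpm -qf "$f") || { echo "$f is not owned by any package"; return 1; }
    echo "owner package: $pkg"
    rpm -qfV "$f" && echo "rpm -qfV: no differences reported for $f"
    rpm -qi "$pkg" | grep -i '^Signature'
}

main() {
    init=${1:-/sbin/init}
    target=$(resolve_init "$init")
    echo "$init -> $target"
    if is_systemd_symlink "$init"; then
        echo "symlink to systemd: matches the known chkrootkit false positive"
    fi
    verify_with_rpm "$target"
    sha256sum "$target"   # compare with another box on the same patch level
}

# Only run when invoked directly as verify_init.sh (assumed file name).
[ "${0##*/}" = "verify_init.sh" ] && main "$@"
```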

Look!

Code:

ls -l /sbin/init
lrwxrwxrwx 1 root root 26 Out 7 17:42 /sbin/init -> ../usr/lib/systemd/systemd

Marcus Meissner responded in:
https://bugzilla.novell.com/show_bug.cgi?id=845625

“it detects the string ‘HOME’ in /sbin/init of systemd… it’s a misdetection.”