Package: chkrootkit
Version: 0.52-2
Severity: normal

There's a bug on line 1027 in /usr/sbin/chkrootkit:

      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' || \
              cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
        then
        # ignore false positive bug #740898
==>     readlink -f ${ROOTDIR}sbin/init|${egrep} -q "/sbin/upstart$|/systemd$"
        if [ $? -eq 0 ]; then
           if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
        else
           echo "Warning: ${ROOTDIR}sbin/init INFECTED"
        fi

Running the script with xtrace on in that area confirms:

+ [ t != t ]
+ [ Linux != HP-UX ]
+ readlink -f /sbin/init
+ /bin/egrep -q /sbin/upstart$|/systemd$
+ [ 1 -eq 0 ]
+ echo Warning: /sbin/init INFECTED
Warning: /sbin/init INFECTED
+ set +x

$ dlocate dlocate /sbin/init
sysvinit-core: /sbin/init

/sbin/init is _not_ a symlink on my system:

$ ls -l /sbin/init
-rwxr-xr-x 1 root root 40664 Sep 8 2017 /sbin/init

The `egrep' command will fail, thus a Warning is produced.

Patch suggestion:

--- /usr/sbin/chkrootkit.orig 2018-06-14 19:09:12.190645377 +0200 +++ /usr/sbin/chkrootkit 2018-06-14 19:27:10.268114365 +0200 
@@ -1024,7 +1024,7 @@ cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 then # ignore false positive bug #740898 - readlink -f ${ROOTDIR}sbin/init|${egrep} -q "/sbin/upstart$|/systemd$" + [ ! -h ${ROOTDIR}sbin/init ] || readlink -f ${ROOTDIR}sbin/init|${egrep} -q "/sbin/upstart$|/systemd$" if [ $? -eq 0 ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=en_US:en (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chkrootkit depends on:
ii  binutils               2.30-21
ii  debconf [debconf-2.0]  1.5.67
ii  libc6                  2.27-3
ii  net-tools              1.60+git20161116.90da8a0-2
ii  openssh-client         1:7.7p1-2
ii  procps                 2:3.3.15-2

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- Configuration Files:
/etc/cron.daily/chkrootkit changed [not included]

-- debconf information:
* chkrootkit/run_daily_opts: -n -q -e '/usr/bin/slice'
* chkrootkit/diff_mode: true
* chkrootkit/run_daily: true

Cheers,
-- 
Cristian
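
Review bot: in the added line of the @@ -1024,7 +1024,7 @@ hunk, `[ ! -h ${ROOTDIR}sbin/init ] || readlink -f ...` leaves `$?` at 0 whenever sbin/init is not a symlink, so the following `if [ $? -eq 0 ]` reports "nothing found" for every regular-file init, not only for the sysvinit-core case in this report. This branch is only reached after the enclosing condition (the `'\.sniffer'` strings test or the `"init."` match in /proc/1/maps) has already fired, so the change removes the false positive by discarding that signal entirely on non-symlink installs, and the INFECTED warning can then only be printed when init is a symlink to something other than upstart or systemd. I would keep the exemption limited to the known upstart/systemd targets and fix the regular-file false positive by narrowing the enclosing condition that matched, rather than treating "not a symlink" as clean. Separately, the new test operand should be quoted, `[ ! -h "${ROOTDIR}sbin/init" ]`, so a ROOTDIR containing whitespace does not break the `[` expression.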