[Bug 454566] Re: False positive for SucKit
** Package changed: chkrootkit (Ubuntu) => cyborg

** Changed in: cyborg
     Assignee: (unassigned) => mit (mit2596)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyborg/+bug/454566/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 454566] Re: False positive for SucKit
** Changed in: chkrootkit (Debian)
       Status: Unknown => Fix Released
[Bug 454566] Re: False positive for SucKit
This bug was fixed in the package chkrootkit - 0.50-3ubuntu1

---------------
chkrootkit (0.50-3ubuntu1) vivid; urgency=low

  * Merge from Debian unstable. (LP: #454566) Remaining changes:
    - debian/patches/fix-stack-smash.patch:
      + Fix segfault when running chkrootkit. (Closes: #767403)

 -- Artur Rona   Tue, 24 Mar 2015 00:52:06 +0100

** Changed in: chkrootkit (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 454566] Re: False positive for SucKit
** Branch linked: lp:ubuntu/vivid-proposed/chkrootkit
[Bug 454566] Re: False positive for SucKit
** Bug watch added: Debian Bug tracker #740898
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898

** Also affects: chkrootkit (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898
   Importance: Unknown
       Status: Unknown
[Bug 454566] Re: False positive for SucKit
Looking at the patch applied in F21, it doesn't seem like Fedora actually fixed it. They simply check whether /sbin/init is a link to systemd, and ignore the report if so.
[Bug 454566] Re: False positive for SucKit
Fedora fixed it in FC21 with chkrootkit-0.50-4.fc2.
https://bugzilla.redhat.com/show_bug.cgi?id=636231#c1

** Bug watch added: Red Hat Bugzilla #636231
   https://bugzilla.redhat.com/show_bug.cgi?id=636231
[Bug 454566] Re: False positive for SucKit
+1 to backporting chkrootkit 0.50.
[Bug 454566] Re: False positive for SucKit
Current version of chkrootkit is 0.50, released on June 4th, 2014. Maybe we could get that version packaged up and backported?
[Bug 454566] Re: False positive for SucKit
Alright, did some checking for myself. I just went ahead and did the sha256sum checks on my own as well as a hardlink check. I've made a tutorial to check yourself.

-- Testing with sha256sum/md5sum

First we want to make a sha256sum or md5sum of the init in our system. To do this, open a terminal and...

# cd /sbin
# sha256sum init

You will get a long code; paste it into a text editor.

Next, if you are using "trusty", go here:
http://packages.ubuntu.com/trusty/upstart

If not, go here and find yours under "package upstart":
http://packages.ubuntu.com/search?keywords=upstart&searchon=names&suite=all&section=all

Once on the package page (Upstart), go down to the bottom and click the download link for your architecture. Once downloaded, right click on the .deb file and click "extract here". Now open the newly extracted folder, then open the sbin folder. In the terminal type "sha256sum " and drag and drop the init file from there into the terminal. You will get yet another long code. Go back into the text editor and paste that code below your previous one.

Do they match? Good!
They don't? Make sure you downloaded the correct upstart. If you still do the hardlink test below and it fails, then maybe a reinstall is needed.

-- Testing with hardlink

In a terminal type

# cd /sbin
# ls -l init

Does it show 1? Good. Now do this:

# ln /sbin/init /sbin/init2
# ls -l init

Does it STILL show 1? It's infected if it still shows 1.

Do this afterwards to remove the file we just made (cleanup):

# rm init2

-- Good luck!
[Bug 454566] Re: False positive for SucKit
Confirmed still exists even in Linux Mint. No idea why Ubuntu has this problem. Maybe it's not a false positive? Who really knows.
[Bug 454566] Re: False positive for SucKit
Following comment #30, I've also verified the md5sum of my /sbin/init against the original package on http://packages.ubuntu.com/ and they do match.
[Bug 454566] Re: False positive for SucKit
Same here on Lubuntu 14.04: on a new install chkrootkit reports "Warning: /sbin/init INFECTED", but then there's no evidence of this with repeated passes of unhide and rkhunter. Apparently, also running chkrootkit -x and chkrootkit -x does not report the infection, as far as I can see.
[Bug 454566] Re: False positive for SucKit
I also get this notice on 14.04 and Linux Mint 17 (based on 14.04):

chkrootkit -n
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
[Bug 454566] Re: False positive for SucKit
Just upgraded two machines to 14.04; one of them is still getting this. I wonder why there is no option on Ubuntu's "and put your money where your mouth is" page for "fix known bugs instead of fiddling with the GUI".
[Bug 454566] Re: False positive for SucKit
After an upgrade from 12.04 to 14.04 I got scared by the message "suckit rootkit detected", too. rkhunter does not find anything. Here is the MD5SUM of my /sbin/init:

c9b343f85e6804e2d7ee70b810b1a15a  /sbin/init

which is the same as found in /var/lib/dpkg/info/upstart.md5sums.
[Bug 454566] Re: False positive for SucKit
The attachment "Chkroot suckit false positive fix" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch
[Bug 454566] Re: False positive for SucKit
Here's a patch for it.

** Patch added: "Chkroot suckit false positive fix"
   https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566/+attachment/4095317/+files/chkrootkit_suckit_false_positive.patch
[Bug 454566] Re: False positive for SucKit
In most major new distros (including Red Hat and Ubuntu) "strings /sbin/init | grep HOME" returns:

XDG_CACHE_HOME
XDG_CONFIG_HOME

which still triggers an alert (false positive) for the suckit rootkit in 14.04.

I checked the suckit source, and it gives:

sk2rc2$ strings ./src/sk | grep HOME
HOME=%s

So it means if we include = in the check, we will correctly detect it.

On line 1000 of chkrootkit it says:

### Suckit
if [ -f ${ROOTDIR}sbin/init ]; then
   if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
   if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
      then
      echo "Warning: ${ROOTDIR}sbin/init INFECTED"

---

I suggest changing line 1003 from:

   if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \

to:

   if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME=' || \

and line 541 should also be changed from:

   expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"

to:

   expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME='"
[Bug 454566] Re: False positive for SucKit
Exists in xubuntu 13.10 32bit, and you may get an "egrep not found" error as well.
[Bug 454566] Re: False positive for SucKit
PROBLEM STILL EXISTS ON 14.04 LTS!!! Please either fix chkrootkit or change /sbin/init. I hope in a more security-aware post-Snowden era this will now trigger some more action; certainly many users will be very irritated about this. This does not happen on other distros. Must be fixed before release.
[Bug 454566] Re: False positive for SucKit
Problem still exists on 13.10 / amd64. I've dumped /sbin/init with debugfs, compared it with the one from the package and they are identical. /sbin/init seems to match 'HOME' and /proc/1/maps does not match 'init.'
[Bug 454566] Re: False positive for SucKit
Yes, same for me: with a fresh install of 13.04 this bug still shows.
[Bug 454566] Re: False positive for SucKit
This went away in 12.10 and reappeared when I upgraded to 13.04.
[Bug 454566] Re: False positive for SucKit
For those similarly affected: I recently reinstalled the upstart package (0.6.5-8) on Lucid (10.04.4) and then received the Suckit [false] flag from chkrootkit 0.49-3 (as well as the version in Debian Wheezy (0.49-4.1)). After restarting the server, the flag disappeared.

So, it appears to be sufficient that init is replaced on disk (even by the same version) to trigger the false positive, and that restarting the system will resolve it.
[Bug 454566] Re: False positive for SucKit
Same here, also a false positive (conclusion after doing the other usual tests for Suckit). The problem exists in Lucid Lynx:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 10.04.2 LTS
Release:        10.04
Codename:       lucid

$ apt-cache show chkrootkit
Package: chkrootkit
Priority: optional
Section: misc
Installed-Size: 920
Maintainer: Ubuntu Developers
Original-Maintainer: Giuseppe Iuculano
Architecture: amd64
Version: 0.49-3
Depends: libc6 (>= 2.7), debconf (>= 0.5) | debconf-2.0, binutils, net-tools, debconf, procps
Filename: pool/main/c/chkrootkit/chkrootkit_0.49-3_amd64.deb
Size: 339634
MD5sum: 9b369491740acda76ec586c535f5da98
SHA1: 1bf2e3f1738403aa07f682b82fea1db135ae0e09
SHA256: f0b970901ecc72494adbf6317df53a485c101f4a54311a6e3e1be838a57b859c
Description: rootkit detector
 The chkrootkit security scanner searches the local system for signs that it is
 infected with a 'rootkit'. Rootkits are set of programs and hacks designed to
 take control of a target machine by using known security flaws.
 .
 Types that chkrootkit can identify are listed on the project's home page.
 .
 Please note that where chkrootkit detects no intrusions, this does not
 guarantee that the system is uncompromised. In addition to running
 chkrootkit, more specific tests should always be performed.
Homepage: http://www.chkrootkit.org/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y
[Bug 454566] Re: False positive for SucKit
+1 on Maverick after installing upstart 0.6.6-4 on 2011-02-11.
[Bug 454566] Re: False positive for SucKit
Confirmed on Maverick.
Re: [Bug 454566] Re: False positive for SucKit
On Thursday, 2010-08-19 at 08:02:45 -, Maxime wrote:

> I can confirm the issue on Lucid. It's probably related to an upstart
> update to 0.6.5-7.

> [...]
> Searching for Suckit rootkit... Warning:
> /sbin/init INFECTED
> [...]

> # strings /sbin/init | egrep HOME
> # cat /proc/1/maps | egrep "init."
> 00e41000-00e5a000 r-xp 68:01 1572880 /sbin/init (deleted)
> 00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
> 00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)

I rechecked, and I get this, too:

# chkrootkit -q
Warning: /sbin/init INFECTED

Also the deleted /sbin/init.

I rebooted the system, and now /sbin/init isn't deleted anymore (surprise! ;-) and the INFECTED is gone, too.

So I suppose the cause of the INFECTED is that the running /sbin/init is different from the one in the filesystem.

Checking ... Jupp, here is the line from chkrootkit:

expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."

This triggers when there is an entry in /proc/1/maps where "init" is not at the end of the line.

Googling, I found this was discussed for Gentoo in
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
... and for Ubuntu in
http://ubuntuforums.org/showthread.php?p=9741505

Alas, I could not find out what /proc/1/maps looks like when a real Suckit is on the machine. Quite possibly Suckit removes /sbin/init and links its own version there. If it does this only once, the " (deleted)" will disappear after the first reboot, so it's not a good indicator, and it reaps many more false positives.

So I think chkrootkit would be better off without this test.

Lupe Christoph
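The two heuristics behind chkrootkit's Suckit check come up twice in this thread: the "HOME" string match that the patch comment further up proposes tightening to "HOME=", and the /proc/1/maps "init." match analysed in the message above. The script below is an added example (not chkrootkit's own code) that replays both heuristics over constructed inputs modelled on what the thread reports, so the two false-positive paths can be compared with the refined check; the STALE-INIT triage state is an addition based on the reboot observation above, not something chkrootkit does.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: replays chkrootkit's two Suckit
# heuristics over constructed inputs. Nothing here reads the real /sbin/init
# or /proc/1/maps.

# Constructed `strings /sbin/init` output for a benign upstart init: the
# XDG_*_HOME names reported in this bug, and no "HOME=" format string.
BENIGN_STRINGS='XDG_CACHE_HOME
XDG_CONFIG_HOME
/etc/init'
# Constructed `strings` output modelled on what the thread reports for the
# sk binary: the environment template "HOME=%s".
SUSPECT_STRINGS='HOME=%s
/dev/null'

# Constructed /proc/1/maps lines. MAPS_STALE mirrors the Lucid reports (upstart
# replaced on disk while the old image is still running, so the kernel appends
# " (deleted)"); MAPS_CLEAN is the same mapping after a reboot.
MAPS_STALE='00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)'
MAPS_CLEAN='00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init'

# Original string test (chkrootkit 0.49): any string containing HOME trips it.
home_test_orig() { printf '%s\n' "$1" | grep -E 'HOME' >/dev/null 2>&1; }
# Refined string test proposed in this bug: require the literal "HOME=".
home_test_refined() { printf '%s\n' "$1" | grep -E 'HOME=' >/dev/null 2>&1; }
# Original maps test: "init." is a regex, so the dot matches any character
# after "init", including the space before "(deleted)".
maps_test_orig() { printf '%s\n' "$1" | grep -E 'init.' >/dev/null 2>&1; }
# Triage helper (added here): true when every "init." hit is a "(deleted)"
# mapping, i.e. init was replaced on disk but PID 1 still runs the old image.
maps_only_deleted() {
    printf '%s\n' "$1" | grep -E 'init.' | grep -Ev '\(deleted\)$' >/dev/null 2>&1 && return 1
    printf '%s\n' "$1" | grep -E 'init.*\(deleted\)$' >/dev/null 2>&1
}

# verdict MODE STRINGS_OUTPUT MAPS_CONTENT
#   MODE "orig"    = chkrootkit 0.49 logic (either heuristic => INFECTED)
#   MODE "refined" = HOME= match, plus triage of the maps heuristic
# Prints INFECTED, STALE-INIT or CLEAN. STALE-INIT means: verify /sbin/init
# against the package checksums (as comment #30 does) and re-check after a
# reboot, rather than treating the box as infected on this evidence alone.
verdict() {
    mode=$1; strs=$2; maps=$3
    case $mode in
    orig)
        if home_test_orig "$strs" || maps_test_orig "$maps"; then
            echo INFECTED
        else
            echo CLEAN
        fi
        ;;
    refined)
        if home_test_refined "$strs"; then
            echo INFECTED
        elif maps_test_orig "$maps"; then
            if maps_only_deleted "$maps"; then
                echo STALE-INIT
            else
                echo INFECTED
            fi
        else
            echo CLEAN
        fi
        ;;
    esac
}

# Walk the four scenarios from the thread and print both verdicts for each.
main() {
    for s in BENIGN SUSPECT; do
        for m in CLEAN STALE; do
            eval "strs=\$${s}_STRINGS; maps=\$MAPS_${m}"
            printf '%-8s strings, %-5s maps: orig=%-8s refined=%s\n' \
                "$s" "$m" "$(verdict orig "$strs" "$maps")" "$(verdict refined "$strs" "$maps")"
        done
    done
}
main
```

The benign upstart strings trip the original check even with clean maps, which is the 14.04 report; the refined check only reports INFECTED for the "HOME=" string or for a non-deleted "init." mapping, and downgrades the post-upgrade "(deleted)" case to STALE-INIT.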
[Bug 454566] Re: False positive for SucKit
Same thing for me. After my Lucid box ran weekly updates I started seeing the "Searching for Suckit rootkit... Warning: /sbin/init INFECTED" message from chkrootkit.
[Bug 454566] Re: False positive for SucKit
** Changed in: chkrootkit (Ubuntu)
   Importance: Wishlist => Medium

** Changed in: chkrootkit (Ubuntu)
       Status: Incomplete => Confirmed
[Bug 454566] Re: False positive for SucKit
I have exactly the same behavior and output as Maxime wrote in #14. This false positive has happened on my box since 17.08.2010, after this update:

"Preparing to replace upstart 0.6.5-6 (using .../upstart_0.6.5-7_amd64.deb)"
[Bug 454566] Re: False positive for SucKit
I can confirm the issue on Lucid. It's probably related to an upstart update to 0.6.5-7.

# lsb_release -d
Description:    Ubuntu 10.04.1 LTS
# chkrootkit -V
chkrootkit version 0.49
# chkrootkit
[...]
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
[...]
# strings /sbin/init | egrep HOME
# cat /proc/1/maps | egrep "init."
00e41000-00e5a000 r-xp 68:01 1572880 /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)
[Bug 454566] Re: False positive for SucKit
I've got a reproduction here on a Lucid install.

Linux Neptune 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

mes...@neptune:/sbin$ sudo chkrootkit -V
chkrootkit version 0.49

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

mes...@neptune:/sbin$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 10.04.1 LTS
Release:        10.04
Codename:       lucid
mes...@neptune:/sbin$

--

Tried to include as much info about base software as possible. Tried the verification methods mentioned in the Gentoo doc and this system failed both, which is good since that means I have no infections.

It also casts a false positive on Sun's Java as well as a few others, which I will list here:

---
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/pymodules/python2.6/.path
/usr/lib/firefox-3.6.8/.autoreg
/usr/lib/jvm/.java-6-sun.jinfo
/usr/lib/jvm/java-6-sun-1.6.0.20/.systemPrefs
/usr/lib/xulrunner-1.9.2.8/.autoreg
---

I know it doesn't matter all that much, but I'm submitting since I can reproduce the event on Lucid and because Chuck asked for it, so... here it is. If you guys would like any more info, feel free to hit me up.

Matt
Re: [Bug 454566] Re: False positive for SucKit
On Wednesday, 2010-04-28 at 18:09:39 -, Chuck Short wrote:

> can you try to reproduce this on lucid please?

Searching for Suckit rootkit... nothing found

I believe the false positive was gone for quite a while, probably due to changes in init.

Lupe Christoph
-- 
| There is no substitute for bad design except worse design. |
| /me                                                       |
[Bug 454566] Re: False positive for SucKit
can you try to reproduce this on lucid please?

chuck
[Bug 454566] Re: False positive for SucKit
False positives with such tools come with the territory. Refused as a server papercut during 20100217 meeting.

** Changed in: server-papercuts
       Status: New => Invalid
[Bug 454566] Re: False positive for SucKit
I'm pretty sure I saw the string "HOME" in /sbin/init, but I can't prove it anymore.

BTW, expertmode_output is just debugging:

expertmode_output() {
    echo "###"
    echo "### Output of: $1"
    echo "###"
    eval $1 2>&1
    #cat <&1`
    #EOF
    return 0
}
[Bug 454566] Re: False positive for SucKit
I don't think that chkrootkit alerting about this rootkit is related to upstart init changes, but to the output from /proc/1/maps instead.

Something like this should improve the test:

expertmode_output "${egrep} '^[^/]+${ROOTDIR}sbin/init.' ${ROOTDIR}proc/1/maps"

What do you think?
[Bug 454566] Re: False positive for SucKit
I have seen this problem pop up a few times since I reported it and vanish again. Must be related to Phase of Moon.

Right now it has disappeared:

Searching for Suckit rootkit... nothing found

chkrootkit:
  Installed: 0.48-10

The version of chkrootkit is still the same, only /sbin/init and /sbin/telinit have changed.

# ls -li /sbin/init /sbin/telinit
172201 -rwxr-xr-x 1 root root 199472 2009-12-10 18:00 /sbin/init
172637 -rwxr-xr-x 1 root root  96568 2009-12-10 18:00 /sbin/telinit

Looking at the code in chkrootkit, the difference is that /sbin/init no longer contains the string "HOME". The changelog of the "upstart" package does not mention "HOME", so I can't tell if they fixed this intentionally. The only update since I created the bug report is 0.6.3-11, so this must have fixed it. The strange thing is that I see nothing in that update that would have deleted "HOME".

http://launchpadlibrarian.net/36606433/upstart_0.6.3-10_0.6.3-11.diff.gz

I'd rather not rely on upstart taking care of problems in chkrootkit...
[Bug 454566] Re: False positive for SucKit
Just tried on latest karmic and it does not fail:

ii  chkrootkit  0.48-10
ii  upstart     0.6.3-11

$ ls -li /sbin/init /sbin/telinit
444149 -rwxr-xr-x 1 root root 169676 2009-12-10 17:19 /sbin/init
448912 -rwxr-xr-x 1 root root  79312 2009-12-10 17:19 /sbin/telinit

Can you please confirm that this has been solved?

** Changed in: chkrootkit (Ubuntu)
       Status: Confirmed => Incomplete
[Bug 454566] Re: False positive for SucKit
** Also affects: server-papercuts
   Importance: Undecided
       Status: New
[Bug 454566] Re: False positive for SucKit
Confirmed in Karmic. I posted this to the Ubuntu forums and was referred to this bug report. My forums post is here: http://ubuntuforums.org/showthread.php?t=1386791
[Bug 454566] Re: False positive for SucKit
Thanks for the bug report. This will be looked at again for karmic+1.

Regards
chuck

** Changed in: chkrootkit (Ubuntu)
   Importance: Low => Wishlist

** Changed in: chkrootkit (Ubuntu)
       Status: Incomplete => Confirmed
Re: [Bug 454566] Re: False positive for SucKit
On Monday, 2009-10-19 at 13:18:45 -, Chuck Short wrote:

> Thanks for the bug report. I was wondering if you have any suggestion to
> improve it.

Well, as there are some finer tests on the page I mentioned, what about implementing them in chkrootkit?

Lupe Christoph
-- 
| There is no substitute for bad design except worse design. |
| /me                                                       |
[Bug 454566] Re: False positive for SucKit
Thanks for the bug report. I was wondering if you have any suggestion to improve it.

Thanks
chuck

** Changed in: chkrootkit (Ubuntu)
   Importance: Undecided => Low

** Changed in: chkrootkit (Ubuntu)
       Status: New => Incomplete
[Bug 454566] Re: False positive for SucKit
** Attachment added: "Dependencies.txt"
   http://launchpadlibrarian.net/33872395/Dependencies.txt

** Attachment added: "XsessionErrors.txt"
   http://launchpadlibrarian.net/33872396/XsessionErrors.txt