[Bug 454566] Re: False positive for SucKit
In most major new distros (including redhat and ubuntu) strings /sbin/init |
grep HOME returns:
XDG_CACHE_HOME
XDG_CONFIG_HOME
which still triggers an alert (false positive) for suckit rootkit in
14.04.
I checked the suckit source, and it gives:
sk2rc2$ strings ./src/sk | grep HOME
HOME=%s
So it means if we include = into the check, we will correctly detect it.
On line 1000 of chkrootkit it says:
### Suckit
if [ -f ${ROOTDIR}sbin/init ]; then
if [ ${QUIET} != t ];then printn Searching for Suckit rootkit... ;
fi
if [ ${SYSTEM} != HP-UX ] ( ${strings} ${ROOTDIR}sbin/init |
${egrep} HOME || \
cat ${ROOTDIR}/proc/1/maps | ${egrep} init. ) /dev/null 21
then
echo Warning: ${ROOTDIR}sbin/init INFECTED
---
I sugest changing line 1003 from:
if [ ${SYSTEM} != HP-UX ] ( ${strings} ${ROOTDIR}sbin/init |
${egrep} HOME || \
to:
if [ ${SYSTEM} != HP-UX ] ( ${strings} ${ROOTDIR}sbin/init |
${egrep} 'HOME=' || \
and line 541 should also be changed from:
expertmode_output=${strings} ${ROOTDIR}sbin/init | ${egrep HOME
to
expertmode_output=${strings} ${ROOTDIR}sbin/init | ${egrep 'HOME='
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566
Title:
False positive for SucKit
To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 599790] Re: Error message flood when enabling events in Ubuntu
This bug is not present in 10.04 LTS. But I found another bug after I upgraded. All spaces was stored as \040 in ~/.mysql_history on 9.10. But in 10.04 they use normal spaces. Means all my previous history have lots of \040 inside it, so I get an error when executing those commands. -- Error message flood when enabling events in Ubuntu https://bugs.launchpad.net/bugs/599790 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-dfsg-5.1 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 599790] [NEW] Error message flood when enabling events in Ubuntu
Public bug reported: When enabling events with SET GLOBAL event_scheduler = ON; I get a flood of error messages when I stop mysql. Here is what's happening: /etc/init.d/mysql restart * Stopping MySQL database server mysqld ERROR 1053 (08S01) at line 1: Server shutdown in progress ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) . . ... To stop it, I have to do killall -9 xargs from another shell. This is happening on Ubuntu 9.10 with mysql 5.1.37-1ubuntu5.4 I managed to enable event scheduler in my.cnf with setting event_scheduler = 1 . Then the bug permanently will occour every time I stop mysql. I've heard that the mysql init script is diffrent from the ubuntu/debian version. That might be the reason of this bug. ProblemType: Bug Architecture: amd64 Date: Tue Jun 29 13:02:34 2010 DistroRelease: Ubuntu 9.10 Logs.var.log.kern.log: MySQLConf.etc.mysql.conf.d.mysqld.safe.syslog.cnf: [mysqld_safe] syslog MySQLVarLibDirListing: ['Provisioning', 'debian-5.1.flag', 'mysql_upgrade_info', 'DB3693', 'ib_logfile0', 'DB13453812', 'l...@002bfound', 'mysql', 'DB13453817', 'ibdata1', 'ib_logfile1', 'test'] Package: mysql-server-5.1 5.1.37-1ubuntu5.4 ProcEnviron: PATH=(custom, no user) LANG=en_US.UTF-8 SHELL=/bin/bash ProcVersionSignature: Ubuntu 2.6.31-19.56-server SourcePackage: mysql-dfsg-5.1 Uname: Linux 2.6.31-19-server x86_64 mtime.conffile..etc.apparmor.d.usr.sbin.mysqld: 2010-06-28T16:36:44.028478 ** Affects: mysql-dfsg-5.1 (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug -- Error message flood when enabling events in Ubuntu https://bugs.launchpad.net/bugs/599790 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-dfsg-5.1 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 599790] Re: Error message flood when enabling events in Ubuntu
** Attachment added: .etc.apparmor.d.usr.sbin.mysqld.txt http://launchpadlibrarian.net/51107773/.etc.apparmor.d.usr.sbin.mysqld.txt ** Attachment added: Dependencies.txt http://launchpadlibrarian.net/51107774/Dependencies.txt ** Attachment added: Logs.var.log.daemon.log.txt http://launchpadlibrarian.net/51107775/Logs.var.log.daemon.log.txt ** Attachment added: MySQLConf.etc.mysql.my.cnf.txt http://launchpadlibrarian.net/51107776/MySQLConf.etc.mysql.my.cnf.txt ** Attachment added: modified.conffile..etc.apparmor.d.usr.sbin.mysqld.txt http://launchpadlibrarian.net/51107778/modified.conffile..etc.apparmor.d.usr.sbin.mysqld.txt -- Error message flood when enabling events in Ubuntu https://bugs.launchpad.net/bugs/599790 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-dfsg-5.1 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
