[Bug 454566] Re: False positive for SucKit

[mit]

** Package changed: chkrootkit (Ubuntu) => cyborg

** Changed in: cyborg
 Assignee: (unassigned) => mit (mit2596)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyborg/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Launchpad Bug Tracker]

** Branch linked: lp:ubuntu/vivid-proposed/chkrootkit

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Bug Watch Updater]

** Changed in: chkrootkit (Debian)
   Status: Unknown = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Launchpad Bug Tracker]

This bug was fixed in the package chkrootkit - 0.50-3ubuntu1

---
chkrootkit (0.50-3ubuntu1) vivid; urgency=low

  * Merge from Debian unstable. (LP: #454566) Remaining changes:
- debian/patches/fix-stack-smash.patch:
  + Fix segfault when running chkrootkit. (Closes: #767403)
 -- Artur Rona ari-tc...@ubuntu.com   Tue, 24 Mar 2015 00:52:06 +0100

** Changed in: chkrootkit (Ubuntu)
   Status: Confirmed = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Artur Rona]

** Bug watch added: Debian Bug tracker #740898
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898

** Also affects: chkrootkit (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Serge Hallyn]

Looking at the patch applied in F21, it doesn't seem like Fedora
actually fixed it.  They simply check whether /sbin/init is a link to
systemd, and ignore the report if so.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Thomas Mayer]

Fedora fixed it in FC21 with chkrootkit-0.50-4.fc2.
https://bugzilla.redhat.com/show_bug.cgi?id=636231#c1

** Bug watch added: Red Hat Bugzilla #636231
   https://bugzilla.redhat.com/show_bug.cgi?id=636231

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Rigved Rakshit]

+1 to backporting chkrootkit 0.50.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Thomas Leavitt]

Current version of chkrootkit is 0.50, released on June 4th, 2014. Maybe
we could get that version packaged up and backported?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Madden]

Alright did some checking for myself, I just went ahead and did the
sha256sum checks on my own as well as hardlink check.

I've made a tutorial to check yourself
--
Testing with Sha256sum/md5sum
First we want to make a sha256sum or md5sum of the init in our system. To do 
this open terminal and...
# cd /sbin
# sha256sum init
You will get a long code, paste it into a text editor.
Next..
if you are using trusty
Go here: http://packages.ubuntu.com/trusty/upstart
if not go here 
http://packages.ubuntu.com/search?keywords=upstartsearchon=namessuite=allsection=all
under package upstart find yours

Once on the package page...(Upstart)
go down to the bottom and click the download link for your architecture
once downloaded, right click on the .deb file and click extract here.

Now in the newly extracted folder we downloaded open it then open sbin
folder, then in terminal type sha256sum  and drag n drop init file
there into terminal.

You will get yet another long code.

Go back into the text editor and paste that code below your previous one.
Do they match? Good! They don't? Make sure you downloaded the correct upstart. 
If you still do the hardlink below and it fails, then maybe a reinstall is 
needed.

Testing with hardlink
In terminal type
# cd /sbin
# ls -l init
Does it show 1? Good.
Now do this..
# ln /sbin/init /sbin/init2
# ls -l init
Does it STILL show 1?
It's infected if it still shows 1..
Do this afterwards to remove the file we just made(cleanup)
# rm init2
--
Good luck!

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Madden]

Confirmed still exists even in Linux Mint. No idea why Ubuntu has this
problem. Maybe it's not a false positive? Who really knows.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[msth67]

Following comment #30,I've also verified the md5sum of my /sbin/init
with the original package on http://packages.ubuntu.com/ and they do
match.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[msth67]

Same here on Lubuntu 14.04 : on a new install chkrootkit reports  Warning: 
/sbin/init INFECTED but then there's no evidence of this with repeated passes 
of unhide and rkhunter.
Apparently,also running chkrootkit -x and chkrootkit -x does not report the 
infection,as far as I can see.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[NiVeK]

I also get this notice on 14.04 and Linux Mint 17(based on 14.04)

chkroothit -n
Searching for Suckit rootkit...Warning: /sbin/init INFECTED

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Adam Funk]

Just upgraded two machines to 14.04; one of them is still getting this.

I wonder why there is no option on Ubuntu's and put your money where
your mouth is page for fix known bugs instead of fiddling with the
GUI.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[rpkrawczyk]

After an upgrade from 12.04 to 14.04 I got a scared with the message
suckit rootkit detected, too. rkhunter does not find anything. Here is
the MD5SUM of my /sbin/init

c9b343f85e6804e2d7ee70b810b1a15a  /sbin/init

which is the same as found in /var/lib/dpkg/info/upstart.md5sums.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Sander Johansen]

In most major new distros (including redhat and ubuntu) strings /sbin/init | 
grep HOME returns:
XDG_CACHE_HOME
XDG_CONFIG_HOME

which still triggers an alert (false positive) for suckit rootkit in
14.04.

I checked the suckit source, and it gives:
sk2rc2$ strings ./src/sk | grep HOME
HOME=%s

So it means if we include = into the check, we will correctly detect it.

On line 1000 of chkrootkit it says:

   ### Suckit
   if [ -f ${ROOTDIR}sbin/init ]; then
  if [ ${QUIET} != t ];then printn Searching for Suckit rootkit... ; 
fi
  if [ ${SYSTEM} != HP-UX ]  ( ${strings} ${ROOTDIR}sbin/init | 
${egrep} HOME  || \
  cat ${ROOTDIR}/proc/1/maps | ${egrep} init. ) /dev/null 21
then
echo Warning: ${ROOTDIR}sbin/init INFECTED

---
I sugest changing line 1003 from:
  if [ ${SYSTEM} != HP-UX ]  ( ${strings} ${ROOTDIR}sbin/init | 
${egrep} HOME  || \
to:
  if [ ${SYSTEM} != HP-UX ]  ( ${strings} ${ROOTDIR}sbin/init | 
${egrep} 'HOME='  || \


and line 541 should also be changed from:
expertmode_output=${strings} ${ROOTDIR}sbin/init | ${egrep HOME
to
expertmode_output=${strings} ${ROOTDIR}sbin/init | ${egrep 'HOME='

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Sander]

heres a patch for it

** Patch added: Chkroot suckit false positive fix
   
https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566/+attachment/4095317/+files/chkrootkit_suckit_false_positive.patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Ubuntu Foundations Team Bug Bot]

The attachment Chkroot suckit false positive fix seems to be a patch.
If it isn't, please remove the patch flag from the attachment, remove
the patch tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Galen Thurber]

exits in 
xubuntu 13.10 32bit
and you may get egrep not found error as well

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[UBUCATZ]

PROBLEM STILL EXISTS ON 14.04 LTS!!!

please either fix chkrootkit or change /sbin/init - I hope in a more
security aware post snowden era this will now trigger some more action -
certainly many users will be very irritated about this.

This does not happen on other distros. Must be fixed before release.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Jorik Jonker]

Problem still exists on 13.10 / amd64. I've dumped /sbin/init with
debugfs, compared it with the one from the package and they are
identical. /sbin/init seems to match 'HOME' and /proc/1/maps does not
match 'init.'

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[chrisfaron]

Yes same for me with a fresh install of 13.04 this bug still shows

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Adam Funk]

This went away in 12.10 and reappared when I upgraded to 13.04.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Jay Gates]

For those similarly affected: I recently reinstalled the upstart package
(0.6.5-8) on Lucid (10.04.4) and then received the Suckit [false] flag
from chkrootkit 0.49-3 (as well as the version in Debian Wheezy
(0.49-4.1)).  After restarting the server, the flag disappeared.  So, it
appears to be sufficient that init is replaced on disk (even by the same
version) to trigger the false positive, and that restarting the system
will resolve it.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Oliver]

Same here, also a falsepos (conclusion after doing the other usual tests
for Suckit). The problem exists in Lucid Lynx:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 10.04.2 LTS
Release:10.04
Codename:   lucid

$ apt-cache show chkrootkit
Package: chkrootkit
Priority: optional
Section: misc
Installed-Size: 920
Maintainer: Ubuntu Developers ubuntu-devel-disc...@lists.ubuntu.com
Original-Maintainer: Giuseppe Iuculano giuse...@iuculano.it
Architecture: amd64
Version: 0.49-3
Depends: libc6 (= 2.7), debconf (= 0.5) | debconf-2.0, binutils, net-tools, 
debconf, procps
Filename: pool/main/c/chkrootkit/chkrootkit_0.49-3_amd64.deb
Size: 339634
MD5sum: 9b369491740acda76ec586c535f5da98
SHA1: 1bf2e3f1738403aa07f682b82fea1db135ae0e09
SHA256: f0b970901ecc72494adbf6317df53a485c101f4a54311a6e3e1be838a57b859c
Description: rootkit detector
 The chkrootkit security scanner searches the local system for signs
 that it is infected with a 'rootkit'. Rootkits are set of programs
 and hacks designed to take control of a target machine by using known
 security flaws.
 .
 Types that chkrootkit can identify are listed on the project's home page.
 .
 Please note that where chkrootkit detects no intrusions, this does
 not guarantee that the system is uncompromised. In addition to
 running chkrootkit, more specific tests should always be performed.
Homepage: http://www.chkrootkit.org/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Boyd Stephen Smith Jr.]

+1 on Maverick after installing upstart 0.6.6-4 on 2011-02-11.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Brownout]

Confirmed on Maverick.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Thierry Carrez]

** Changed in: chkrootkit (Ubuntu)
   Importance: Wishlist = Medium

** Changed in: chkrootkit (Ubuntu)
   Status: Incomplete = Confirmed

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[windracer]

Same thing for me. After my Lucid box ran weekly updates I started
seeing the Searching for Suckit rootkit... Warning: /sbin/init
INFECTED message from chkrootkit.

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[moojix]

i have exact the same behavior and output as Maxime wrote in #14.
This false positive happens on my box since 17.08.2010 after this update:

Preparing to replace upstart 0.6.5-6 (using
.../upstart_0.6.5-7_amd64.deb)

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Maxime]

I can confirm the issue on Lucid. It's probably related to an upstart
update to 0.6.5-7.

# lsb_release -d
Description:Ubuntu 10.04.1 LTS
# chkrootkit -V
chkrootkit version 0.49
# chkrootkit  
[...]
Searching for Suckit rootkit... Warning: /sbin/init 
INFECTED
[...]

# strings /sbin/init | egrep HOME
# cat /proc/1/maps | egrep init.
00e41000-00e5a000 r-xp  68:01 1572880/sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880/sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880/sbin/init (deleted)

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Matt Eskes]

I've got a reproduction here on a Lucid install.

Linux Neptune 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC
2010 i686 GNU/Linux

mes...@neptune:/sbin$ sudo chkrootkit -V
chkrootkit version 0.49

Searching for Suckit rootkit... Warning:
/sbin/init INFECTED

mes...@neptune:/sbin$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 10.04.1 LTS
Release:10.04
Codename:   lucid
mes...@neptune:/sbin$ 

--
Tried to include as much info about base software as possible. Tried the 
verification methods mentioned in the Gentoo doc and this system failed both, 
which is good since that means I have no infections. It also casts a false 
positive on Sun's Java as well as a few others which I will list here:
---
Searching for suspicious files and dirs, it may take a while... The following 
suspicious files and directories were found:  
/usr/lib/pymodules/python2.6/.path /usr/lib/firefox-3.6.8/.autoreg 
/usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.20/.systemPrefs 
/usr/lib/xulrunner-1.9.2.8/.autoreg
---

I know it doesn't matter all that much but I'm submitting since I can
reproduce the event on Lucid and because Chuck asked for it so.. here
is. If you guys would like any more info feel free to hit me up.


Matt

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Chuck Short]

can you try to reproduce this on lucid please?

chuck

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 454566] Re: False positive for SucKit

[Lupe Christoph]

On Wednesday, 2010-04-28 at 18:09:39 -, Chuck Short wrote:
 can you try to reproduce this on lucid please?

Searching for Suckit rootkit... nothing
found

I believe the false positive was gone for quite a while, probably due to
changes in init.

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Thierry Carrez]

False positives with such tools come with the territory. Refused as a
server papercut during 20100217 meeting.

** Changed in: server-papercuts
   Status: New = Invalid

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Lupe Christoph]

I'm pretty sure I saw the string HOME in /sbin/init, but I can't prove
it anymore.

BTW, expertmode_output is just debugging:

expertmode_output() {
echo ###
echo ### Output of: $1
echo ###
eval $1 21
#cat EOF
#`$1 21`
#EOF
return 0
}

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Alex Muntada]

** Also affects: server-papercuts
   Importance: Undecided
   Status: New

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Alex Muntada]

Just tried on latest karmic and it does not fail:

ii  chkrootkit 0.48-10
ii  upstart0.6.3-11

$ ls -li /sbin/init /sbin/telinit
444149 -rwxr-xr-x 1 root root 169676 2009-12-10 17:19 /sbin/init
448912 -rwxr-xr-x 1 root root  79312 2009-12-10 17:19 /sbin/telinit

Can you please confirm that this is been solved?

** Changed in: chkrootkit (Ubuntu)
   Status: Confirmed = Incomplete

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Lupe Christoph]

I have seen this problem pop up a few times since I reported it and
vanish again. Must be related to Phase of Moon. Right now it has
disappeared:

Searching for Suckit rootkit... nothing
found

chkrootkit:
  Installed: 0.48-10

The version of chkrootkit is still the same, only /sbin/init and
/sbin/telinit have changed.

# ls -li /sbin/init /sbin/telinit
172201 -rwxr-xr-x 1 root root 199472 2009-12-10 18:00 /sbin/init
172637 -rwxr-xr-x 1 root root  96568 2009-12-10 18:00 /sbin/telinit

Looking at the code in chkrootkit, the difference is that /sbin/init
does no longer contain the string HOME. The changelog of the upstart
package does not mentionHOME, so I can't tell if they fixed this
intentionally. The only update since I created the bug report is
0.6.3-11, so this must have fixed it. The strange thing is that I see
nothing in that update that would have deleted HOME.
http://launchpadlibrarian.net/36606433/upstart_0.6.3-10_0.6.3-11.diff.gz

I'd rather not rely on upstart taking care of problems in chkrootkit...

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Alex Muntada]

I don't think that chkrootkit alerting about this rootkit is related to
upstart init changes, but the output from /proc/1/maps instead.
Something like this should improve the test:

expertmode_output ${egrep} '^[^/]+${ROOTDIR}sbin/init.'
${ROOTDIR}proc/1/maps

What do you think?

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[ardchoille]

Confirmed in Karmic. I posted this to the Ubuntu forums and was referred this 
bug report.
My forums post is here:http://ubuntuforums.org/showthread.php?t=1386791

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Chuck Short]

Thanks for the bug report. This will be looked at again for karmic+1.

Regards
chuck

** Changed in: chkrootkit (Ubuntu)
   Importance: Low = Wishlist

** Changed in: chkrootkit (Ubuntu)
   Status: Incomplete = Confirmed

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Chuck Short]

Thanks for the bug report. I was wondering if you have any suggestion to
improve it.

Thanks
chuck

** Changed in: chkrootkit (Ubuntu)
   Importance: Undecided = Low

** Changed in: chkrootkit (Ubuntu)
   Status: New = Incomplete

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 454566] Re: False positive for SucKit

[Lupe Christoph]

On Monday, 2009-10-19 at 13:18:45 -, Chuck Short wrote:
 Thanks for the bug report. I was wondering if you have any suggestion to
 improve it.

Well, as there are some finer tests on the page I mentioned, what about
implementing them in chkrootkit?

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 454566] Re: False positive for SucKit

[Lupe Christoph]

** Attachment added: Dependencies.txt
   http://launchpadlibrarian.net/33872395/Dependencies.txt

** Attachment added: XsessionErrors.txt
   http://launchpadlibrarian.net/33872396/XsessionErrors.txt

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs