In most major new distros (including Red Hat and Ubuntu) "strings /sbin/init | grep HOME" returns:

    XDG_CACHE_HOME
    XDG_CONFIG_HOME

which still triggers an alert (false positive) for the suckit rootkit in 14.04. I checked the suckit source, and it gives:

    sk2rc2$ strings ./src/sk | grep HOME
    HOME=%s

So it means if we include = into the check, we will correctly detect it. On line 1000 of chkrootkit it says:

    ### Suckit
    if [ -f ${ROOTDIR}sbin/init ]; then
       if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
            cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
       then
          echo "Warning: ${ROOTDIR}sbin/init INFECTED"

-----------

I suggest changing line 1003 from:

    if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \

to:

    if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME=' || \

and line 541 should also be changed from:

    expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"

to:

    expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME='"

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566

Title:
  False positive for SucKit

To manage notifications about this bug go to:
https://bugs.launchpad.net/server-papercuts/+bug/454566/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
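The false positive described in the report comes down to how loose the grep pattern is: a bare `HOME` matches the harmless `XDG_CACHE_HOME` / `XDG_CONFIG_HOME` strings that modern init binaries carry, while `HOME=` only matches the `HOME=%s` format string the reporter found in the suckit source. The following script is an added example, not part of the bug report or of chkrootkit itself; it reproduces the comparison on constructed `strings` output (the sample string lists and the `suckit_check` helper are assumptions made for this illustration, standing in for `${strings} ${ROOTDIR}sbin/init | ${egrep} ...`).

```shell
#!/bin/sh
# Added example: compare the original "HOME" pattern with the tightened
# "HOME=" pattern against constructed samples of `strings` output.

# Constructed sample: what `strings /sbin/init` yields on a clean modern
# init (the XDG_* variables the bug report mentions), plus filler.
CLEAN_INIT_STRINGS='XDG_CACHE_HOME
XDG_CONFIG_HOME
/lib/systemd/systemd'

# Constructed sample: the "HOME=%s" format string the report found in the
# suckit source, plus filler.
INFECTED_INIT_STRINGS='HOME=%s
/bin/sh'

# suckit_check PATTERN STRINGS_OUTPUT
# Mimics the chkrootkit test: pipe the strings output through egrep with
# the given pattern and report INFECTED on any match, clean otherwise.
suckit_check() {
    pattern=$1
    input=$2
    if printf '%s\n' "$input" | grep -E "$pattern" >/dev/null 2>&1; then
        echo INFECTED
    else
        echo clean
    fi
}

# Stand-alone demo: show both patterns against both samples.
for pattern in 'HOME' 'HOME='; do
    printf 'pattern %-6s clean init: %-8s infected init: %s\n' \
        "$pattern" \
        "$(suckit_check "$pattern" "$CLEAN_INIT_STRINGS")" \
        "$(suckit_check "$pattern" "$INFECTED_INIT_STRINGS")"
done
```

Running it shows the original pattern flagging the clean binary (the false positive) while the tightened pattern stays clean on it and still flags the suckit-style string. The `HOME=` pattern is still a plain substring heuristic, so the `/proc/1/maps` half of the chkrootkit test remains the other signal worth keeping.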