https://bugzilla.novell.com/show_bug.cgi?id=731281

https://bugzilla.novell.com/show_bug.cgi?id=731281#c0

Summary: Chkrootkit gives a false positive about /sbin/init and wted
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: creation1985@yahoo.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0

After 2500 upgrades from yesterday, including systemd, I have noticed the following lines while running the chkrootkit daily check:

..
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
..
Checking `wted'... 1 deletion(s) between Thu Nov 17 11:29:12 2011 and Thu Nov 17 11:29:22 2011
1 deletion(s) between Thu Nov 17 11:30:45 2011 and Thu Nov 17 11:33:43 2011
1 deletion(s) between Thu Nov 17 12:10:23 2011 and Thu Nov 17 12:10:34 2011
1 deletion(s) between Thu Nov 17 12:59:33 2011 and Thu Nov 17 12:59:39 2011
1 deletion(s) between Thu Nov 17 13:15:53 2011 and Thu Nov 17 13:16:09 2011
1 deletion(s) between Thu Nov 17 13:20:07 2011 and Thu Nov 17 13:20:11 2011
1 deletion(s) between Thu Nov 17 13:21:56 2011 and Thu Nov 17 13:22:10 2011
1 deletion(s) between Thu Nov 17 13:36:22 2011 and Thu Nov 17 13:36:27 2011
1 deletion(s) between Thu Nov 17 13:51:13 2011 and Thu Nov 17 13:51:16 2011
1 deletion(s) between Thu Nov 17 15:05:34 2011 and Thu Nov 17 15:05:37 2011
1 deletion(s) between Thu Nov 17 15:07:41 2011 and Thu Nov 17 15:20:45 2011
1 deletion(s) between Thu Nov 17 15:23:54 2011 and Thu Nov 17 15:24:48 2011
1 deletion(s) between Thu Nov 17 20:15:11 2011 and Thu Nov 17 20:15:25 2011
..

Chkrootkit has version 0.49-8.1.2 and it's installed from the OSS repository.

Just to be sure, I have rkhunter installed too, to double-check on chkrootkit. Using rkhunter I get no messages about Suckit rootkit or any other infection.
A day before the system upgrade, chkrootkit did not present that message, so I believe that this is a false positive. The same thing was reported by a Fedora user on their Bugzilla as well.

Reproducible: Always

Steps to Reproduce:
1. install chkrootkit
2. run chkrootkit