[Bug 731281] New: Chkrootkit gives a false positive about /sbin/init and wted
https://bugzilla.novell.com/show_bug.cgi?id=731281
https://bugzilla.novell.com/show_bug.cgi?id=731281#c0

Summary: Chkrootkit gives a false positive about /sbin/init and wted
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: creation1985@yahoo.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0

After 2500 upgrades from yesterday, including systemd, I have noticed the following lines while running the chkrootkit daily check:

..
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
..
Checking `wted'...
1 deletion(s) between Thu Nov 17 11:29:12 2011 and Thu Nov 17 11:29:22 2011
1 deletion(s) between Thu Nov 17 11:30:45 2011 and Thu Nov 17 11:33:43 2011
1 deletion(s) between Thu Nov 17 12:10:23 2011 and Thu Nov 17 12:10:34 2011
1 deletion(s) between Thu Nov 17 12:59:33 2011 and Thu Nov 17 12:59:39 2011
1 deletion(s) between Thu Nov 17 13:15:53 2011 and Thu Nov 17 13:16:09 2011
1 deletion(s) between Thu Nov 17 13:20:07 2011 and Thu Nov 17 13:20:11 2011
1 deletion(s) between Thu Nov 17 13:21:56 2011 and Thu Nov 17 13:22:10 2011
1 deletion(s) between Thu Nov 17 13:36:22 2011 and Thu Nov 17 13:36:27 2011
1 deletion(s) between Thu Nov 17 13:51:13 2011 and Thu Nov 17 13:51:16 2011
1 deletion(s) between Thu Nov 17 15:05:34 2011 and Thu Nov 17 15:05:37 2011
1 deletion(s) between Thu Nov 17 15:07:41 2011 and Thu Nov 17 15:20:45 2011
1 deletion(s) between Thu Nov 17 15:23:54 2011 and Thu Nov 17 15:24:48 2011
1 deletion(s) between Thu Nov 17 20:15:11 2011 and Thu Nov 17 20:15:25 2011
..

Chkrootkit is version 0.49-8.1.2 and it's installed from the OSS repository. Just to be sure, I have rkhunter installed too, to double-check chkrootkit. Using rkhunter I get no messages about the Suckit rootkit or any other infection.

A day before the system upgrade chkrootkit did not present that message, so I believe that this is a false positive. The same thing was reported by a Fedora user on their Bugzilla as well.

Reproducible: Always

Steps to Reproduce:
1. install chkrootkit
2. run chkrootkit

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=731281#c1

Marcus Meissner <meissner@suse.com> changed:
           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |meissner@suse.com

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2011-11-21 12:24:50 UTC ---
This is due to systemd.

# ls -la /sbin/init
lrwxrwxrwx 1 root root 14 31. Okt 13:52 /sbin/init -> ../bin/systemd
# strings /sbin/init |grep HOME
HOME
..

This will trigger the warning. chkrootkit needs to be relaxed here.
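The heuristic behind comment #1, as an added example that is not chkrootkit's own code and not part of the bug thread: chkrootkit's Suckit test is reconstructed here from the comment as "/sbin/init contains the printable string HOME", so the `suckit_string_hit` and `classify_init` functions are this example's names, not chkrootkit's. The two sample "binaries" are constructed in a temp directory (a systemd-like file that carries environment-variable names and a sysvinit-like file that does not), and the `rpm -Vf` second opinion assumes an RPM-based host like the reporter's openSUSE 12.1.

```shell
#!/bin/sh
# Added example, not chkrootkit code. Emulates the check that fires on a
# systemd /sbin/init and shows how to triage the hit before trusting it.

# Emulate `strings FILE | grep HOME` without depending on binutils: split the
# file into runs of printable bytes and look for HOME. Exit 0 = hit, 1 = clean.
suckit_string_hit() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -q 'HOME'
}

# Follow a symlink to the real binary (systemd installs
# /sbin/init -> ../bin/systemd, which is what chkrootkit actually scans).
resolve_target() {
    if [ -L "$1" ]; then
        readlink -f "$1" 2>/dev/null || readlink "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Verdict for a candidate init binary:
#   clean          no HOME string, the heuristic would not fire
#   heuristic-hit  HOME string present; this alone is not evidence of Suckit
classify_init() {
    target=$(resolve_target "$1")
    if suckit_string_hit "$target"; then
        echo heuristic-hit
    else
        echo clean
    fi
}

# Second opinion from comment #4: verify the file against the checksum its
# package recorded. Not proof of a clean system either (a rootkit that owns
# the box can lie to rpm too), but it separates "systemd legitimately contains
# HOME" from "the file on disk differs from what the package shipped".
rpm_second_opinion() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; compare the file against known-good media offline"
    elif rpm -Vf "$1" >/dev/null 2>&1; then
        echo "rpm: $1 matches its package"
    else
        echo "rpm: $1 DIFFERS from its package, investigate offline"
    fi
    return 0
}

# Constructed samples (not real ELF files): environment-variable names are
# what put HOME into systemd; a sysvinit-style init has no such string.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '\177ELF\0\0systemd\0HOME\0USER\0SHELL\0' > "$tmp/systemd"
printf '\177ELF\0\0init\0/etc/inittab\0' > "$tmp/sysvinit"
ln -s "$tmp/systemd" "$tmp/init"   # mirrors /sbin/init -> ../bin/systemd

echo "sysvinit-style init: $(classify_init "$tmp/sysvinit")"   # clean
echo "init -> systemd:     $(classify_init "$tmp/init")"       # heuristic-hit
```

Running this on a real host means pointing `classify_init` at `/sbin/init`; a `heuristic-hit` there on a systemd system is the false positive from the report, and `rpm_second_opinion /sbin/init` is the cheap next check before escalating.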
https://bugzilla.novell.com/show_bug.cgi?id=731281#c2

Jim Henderson <hendersj@gmail.com> changed:
           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |hendersj@gmail.com

--- Comment #2 from Jim Henderson <hendersj@gmail.com> 2012-01-18 17:20:46 UTC ---
I've got a couple of 12.1 x86_64 systems here (and an x86 system). We had a question about this in the forums, so I checked my systems, and I didn't get this warning using chkrootkit. The strings command does show results, so I wonder if something's changed in chkrootkit to relax this now?
https://bugzilla.novell.com/show_bug.cgi?id=731281#c3

--- Comment #3 from Ursan Marius Bogdan <creation1985@yahoo.com> 2012-01-18 21:18:48 UTC ---
Jim, I still get the warnings about "/sbin/init INFECTED" and those lines from "wted".
https://bugzilla.novell.com/show_bug.cgi?id=731281#c4

--- Comment #4 from Jim Henderson <hendersj@gmail.com> 2012-01-18 21:21:45 UTC ---
Interesting. I wonder: if you run "rpm -Vv systemd", what result do you get?

Also, where did you obtain chkrootkit from? I installed from the OSS repo for 12.1.
https://bugzilla.novell.com/show_bug.cgi?id=731281#c5

--- Comment #5 from Ursan Marius Bogdan <creation1985@yahoo.com> 2012-01-19 07:25:57 UTC ---
Created an attachment (id=471819) --> (http://bugzilla.novell.com/attachment.cgi?id=471819)
systemd output
https://bugzilla.novell.com/show_bug.cgi?id=731281#c6

--- Comment #6 from Ursan Marius Bogdan <creation1985@yahoo.com> 2012-01-19 07:26:51 UTC ---
I got chkrootkit from the openSUSE official repos, and then I got it from the openSUSE Tumbleweed repo.
https://bugzilla.novell.com/show_bug.cgi?id=731281#c

Ludwig Nussel <lnussel@suse.com> changed:
           What    |Removed                 |Added
----------------------------------------------------------------------------
         AssignedTo|security-team@suse.de   |meissner@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=731281#c7

Ursan Marius Bogdan <creation@suseromania.ro> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Security                    |Security
            Product|openSUSE 12.1               |openSUSE 12.2
            Summary|Chkrootkit gives a false    |Chkrootkit gives a false
                   |positive about /sbin/init   |positive about cron under
                   |and wted                    |openSUSE 12.2
         OS/Version|openSUSE 12.1               |openSUSE 12.2

--- Comment #7 from Ursan Marius Bogdan <creation@suseromania.ro> 2012-10-14 18:29:42 UTC ---
Good evening, it seems that now rkhunter has another thing with cron:

[20:51:54] Info: Starting test name 'running_procs'
[20:51:57] Checking running processes for suspicious files [ Warning ]
[20:51:57] Warning: The following processes are using suspicious files:
[20:51:57]          Command: cron
[20:51:57]            UID: 0    PID: 2250
[20:51:57]            Pathname: /etc/crontab
[20:51:57]            Possible Rootkit: Unknown rootkit

Using ps -aux I found process 2250:

root      2250  0.0  0.0   4912   920 ?        Ss   19:22   0:00 /usr/sbin/cron -n
https://bugzilla.novell.com/show_bug.cgi?id=731281#c8

--- Comment #8 from Marcus Meissner <meissner@suse.com> 2013-09-27 14:26:19 UTC ---
Rootkit detection in the running system is just not reliable from in-system.

I could remove the non-systemd compliant check update.
participants (1)
-
bugzilla_noreply@novell.com