[Bug 454566] Re: False positive for SucKit

Lupe Christoph lupe at lupe-christoph.de
Wed Aug 25 14:13:09 BST 2010


On Thursday, 2010-08-19 at 08:02:45 -0000, Maxime wrote:
> I can confirm the issue on Lucid. It's probably related to an upstart
> update to 0.6.5-7.

> [...]
> Searching for Suckit rootkit...                             Warning: /sbin/init INFECTED
> [...]

> # strings /sbin/init | egrep HOME
> # cat /proc/1/maps | egrep "init."
> 00e41000-00e5a000 r-xp 00000000 68:01 1572880    /sbin/init (deleted)
> 00e5a000-00e5b000 r--p 00019000 68:01 1572880    /sbin/init (deleted)
> 00e5b000-00e5c000 rw-p 0001a000 68:01 1572880    /sbin/init (deleted)

I rechecked, and I get this, too:

# chkrootkit -q

Warning: /sbin/init INFECTED

Also the deleted /sbin/init. I rebooted the system, and now /sbin/init
isn't deleted anymore (surprise! ;-) and the INFECTED is gone, too.

So I suppose the cause of the INFECTED is that the running /sbin/init is
different from the one in the filesystem. Checking ... Yep, here is the
line from chkrootkit:

      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."

This triggers when there is an entry in /proc/1/maps where "init" is not
at the end of the line.

Googling, I found this was discussed for Gentoo in
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
... and for Ubuntu in http://ubuntuforums.org/showthread.php?p=9741505

Alas, I could not find out what /proc/1/maps looks like when a real
Suckit is on the machine. Quite possibly Suckit removes /sbin/init and
links its own version there. If it does this only once, the " (deleted)"
will disappear after the first reboot, so it's not a good indicator, and
it reaps many more false positives. So I think chkrootkit would be
better off without this test.

Lupe Christoph

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
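Added example, not from the thread or from chkrootkit: it reproduces the quoted `egrep "init."` test on constructed /proc/1/maps text and sets it beside a check that parses only the executable mapping of PID 1, so that an init that was replaced on disk since boot (what an upstart upgrade leaves behind) is reported differently from an init that maps some other file. The sample maps text is constructed after the output quoted above, and `debsums` is mentioned only as one way to verify the on-disk file.

```python
import re

# Constructed /proc/1/maps samples modelled on the output quoted in the thread;
# addresses and inode numbers are illustrative only.
MAPS_AFTER_UPSTART_UPGRADE = """\
00e41000-00e5a000 r-xp 00000000 68:01 1572880    /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880    /sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880    /sbin/init (deleted)
b7700000-b7800000 rw-p 00000000 00:00 0          [heap]
"""

MAPS_AFTER_REBOOT = """\
00e41000-00e5a000 r-xp 00000000 68:01 1572880    /sbin/init
00e5a000-00e5b000 r--p 00019000 68:01 1572880    /sbin/init
b7700000-b7800000 rw-p 00000000 00:00 0          [heap]
"""

# The egrep pattern quoted from chkrootkit: "init" followed by any character.
CHKROOTKIT_PATTERN = re.compile(r"init.")


def chkrootkit_suckit_test(maps_text: str) -> bool:
    """True (INFECTED) if any maps line matches 'init.', as chkrootkit does."""
    return any(CHKROOTKIT_PATTERN.search(line) for line in maps_text.splitlines())


# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$")


def classify_pid1_text_mapping(maps_text: str, expected: str = "/sbin/init") -> str:
    """Inspect only the executable file mapping of PID 1 and say what is going on."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group("perms"):
            continue
        path = m.group("path")
        if not path.startswith("/"):
            continue  # [heap], [vdso], anonymous mappings
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if path != expected:
            return f"unexpected init binary {path}"
        if deleted:
            return "on-disk /sbin/init replaced since boot; verify it (e.g. debsums) and reboot"
        return "ok"
    return "no executable file mapping found for PID 1"
```

Running both checks on the two samples shows the quoted test flagging the post-upgrade maps while the parsing check only reports that the on-disk binary changed since boot.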