[Bug 454566] Re: False positive for SucKit
Sander Johansen
sanderm at gmail.com
Thu Apr 24 10:57:07 UTC 2014
In most major new distros (including redhat and ubuntu) "strings /sbin/init | grep HOME" returns:
XDG_CACHE_HOME
XDG_CONFIG_HOME
which still triggers an alert (false positive) for the SucKit rootkit in 14.04.
I checked the suckit source, and it gives:
sk2rc2$ strings ./src/sk | grep HOME
HOME=%s
So if we include "=" in the check, we will correctly detect it.
On line 1000 of chkrootkit it says:

    ### Suckit
    if [ -f ${ROOTDIR}sbin/init ]; then
        if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
        if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
            cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
        then
            echo "Warning: ${ROOTDIR}sbin/init INFECTED"
-----------
I suggest changing line 1003 from:
if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
to:
if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME=' || \
and line 541 should also be changed from:
expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
to:
expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME='"
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/454566
Title:
False positive for SucKit
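As an added example (not part of the bug report and not chkrootkit's own code), the script below runs the original pattern and the proposed one over two constructed files: a stand-in for a clean 14.04 /sbin/init that only references the XDG variables, and a stand-in for an infected init that carries the rootkit's HOME=%s string. The helper names (extract_strings, suckit_check, build_clean_init, build_infected_init) are made up here, and a tr pipeline stands in for strings so the script needs no binutils.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: compare the original chkrootkit
# pattern (HOME) with the proposed one (HOME=) on constructed binaries.

# Pull printable runs of 4+ characters out of a file, roughly what
# `strings` does; C locale so stray high bytes are never "printable".
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{4,}$'
}

# Print "INFECTED" or "clean" for file $1 under egrep pattern $2, mirroring
# the chkrootkit test `strings init | egrep PATTERN`.
suckit_check() {
    if extract_strings "$1" | grep -E "$2" > /dev/null 2>&1; then
        echo INFECTED
    else
        echo clean
    fi
}

# Constructed stand-in for a clean Ubuntu 14.04 /sbin/init: it names the
# XDG environment variables (the false-positive trigger) but never "HOME=".
build_clean_init() {
    printf '\177ELF\000\000XDG_CACHE_HOME\000XDG_CONFIG_HOME\000\000' > "$1"
}

# Constructed stand-in for a SucKit-infected init: it embeds the "HOME=%s"
# format string reported from the rootkit source.
build_infected_init() {
    printf '\177ELF\000\000XDG_CACHE_HOME\000HOME=%%s\000\000' > "$1"
}

tmp=${TMPDIR:-/tmp}/suckit-demo.$$
mkdir -p "$tmp"
build_clean_init "$tmp/init.clean"
build_infected_init "$tmp/init.infected"

# Expected: the old pattern flags both files (false positive on the clean
# one); the new pattern flags only the infected file.
for f in "$tmp/init.clean" "$tmp/init.infected"; do
    echo "$f: old pattern 'HOME'  -> $(suckit_check "$f" HOME)"
    echo "$f: new pattern 'HOME=' -> $(suckit_check "$f" 'HOME=')"
done
rm -rf "$tmp"
```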