One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
Fwiw, this result occurs both on an F16 machine, and on an f17 one with a fresh install. (Both are fully updated.)
On Thu, 7 Jun 2012 15:16:09 +0000 (UTC) Beartooth <beartooth@comcast.net> wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
https://bugzilla.redhat.com/show_bug.cgi?id=636231 chkrootkit hasn't been updated in a long time upstream.
rkhunter is an active project and just released 1.4.0.
Fwiw, this result occurs both on an F16 machine, and on an f17 one with a fresh install. (Both are fully updated.)
Yes, this false positive has been around since 2010 it seems.
kevin
On Thu, 7 Jun 2012 15:16:09 +0000 (UTC) Beartooth <beartooth@comcast.net> wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
chkrootkit thinks that the new systemd replacement for init is an infection[1]. Nothing to worry about.
Alan

[1] Some users think likewise but it's not a worm or virus 8)
Use a bootable disc with either or both tools on it, boot the machine(s) in question with that media and then run the tests. Fedora 17, which just came out, has a bootable security spin you could/should try, too.
From: Beartooth <beartooth@comcast.net>
To: users@lists.fedoraproject.org
Sent: Thursday, June 7, 2012 11:16 AM
Subject: Which to trust: chkrootkit or rkhunter?
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
Fwiw, this result occurs both on an F16 machine, and on an f17 one with a fresh install. (Both are fully updated.)
--
Beartooth Staffwright, Neo-Redneck Not Quite Clueless Power User
I have precious (very precious!) little idea where up is.
On Thu, 7 Jun 2012 15:16:09 +0000 (UTC), Beartooth wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
Check out: http://bugz.fedoraproject.org/chkrootkit
It's an FAQ. It has been answered many times before in various places.
On 07.06.2012 17:16, Beartooth wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
This is a well-known false positive on Fedora, and has been for years.
On Thu, 7 Jun 2012 15:16:09 +0000 (UTC) Beartooth <beartooth@comcast.net> wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
This was queried and answered not more than 2 months ago on this list; it is a false positive.

m
On Thu, Jun 07, 2012 at 03:16:09PM +0000, Beartooth wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
Fwiw, this result occurs both on an F16 machine, and on an f17 one with a fresh install. (Both are fully updated.)
If you do an 'rpm -V systemd' and you don't see any result for /sbin/init or /lib/systemd/systemd, my bet would be a false positive. -V means verify: it compares the checksums of the files belonging to that package with what's registered in the RPM database, and alerts on changes ("5" in the output, IIRC).
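Added example, not code from the thread or from any of the posters: a small POSIX sh helper that decodes the attribute column 'rpm -V' prints, so that the "5" the reply above refers to (and its neighbours) can be read rather than recalled. It assumes rpm's verify output format (nine attribute columns S M 5 D L U G T P, an optional file-type marker such as c for config files, then the path), that paths contain no whitespace, and it runs against constructed sample lines with hypothetical paths; the verify_package function only shells out to rpm when one is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Decodes 'rpm -V' output.
# rpm -V prints nothing for a file that matches the RPM database; for each
# file that differs it prints nine attribute columns, an optional type marker
# (c = config, d = documentation, ...) and the path, e.g.
#   S.5....T.  c /etc/example.conf
# Columns: S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities. '.' = matches, '?' = could not be tested.
set -f   # no globbing while we word-split rpm's output lines

# decode_rpmv_line LINE -> prints "path:attr1,attr2" (or "path:missing")
decode_rpmv_line() {
    # shellcheck disable=SC2086  # intentional word splitting of one rpm -V line
    set -- $1
    if [ $# -eq 3 ]; then path=$3; else path=$2; fi
    if [ "$1" = "missing" ]; then
        printf '%s:missing\n' "$path"
        return 0
    fi
    flags=$1
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        ch=$(printf '%s' "$flags" | cut -c "$i")
        case "$i$ch" in
            1S) out="${out:+$out,}size" ;;
            2M) out="${out:+$out,}mode" ;;
            35) out="${out:+$out,}digest" ;;
            4D) out="${out:+$out,}device" ;;
            5L) out="${out:+$out,}symlink" ;;
            6U) out="${out:+$out,}user" ;;
            7G) out="${out:+$out,}group" ;;
            8T) out="${out:+$out,}mtime" ;;
            9P) out="${out:+$out,}capabilities" ;;
        esac
        i=$((i + 1))
    done
    printf '%s:%s\n' "$path" "${out:-unchanged}"
}

# rpmv_needs_review LINE -> exit 0 when the file's contents or permissions
# differ from the package and it is not a config file. Edited config files
# are expected; a changed digest, size or mode on a packaged binary such as
# /sbin/init is what would back up a rootkit scanner's claim.
rpmv_needs_review() {
    # shellcheck disable=SC2086
    set -- $1
    [ $# -eq 3 ] && [ "$2" = "c" ] && return 1
    case "$1" in
        missing) return 0 ;;
        *S*|*M*|*5*) return 0 ;;
    esac
    return 1
}

# verify_package PKG -> decoded report of 'rpm -V PKG' (needs rpm installed)
verify_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    rpm -V "$1" | while IFS= read -r line; do
        if rpmv_needs_review "$line"; then tag="REVIEW"; else tag="benign"; fi
        printf '%s %s\n' "$tag" "$(decode_rpmv_line "$line")"
    done
}

# Constructed sample output (hypothetical paths), as a stand-alone demo.
SAMPLE='..5....T.    /usr/bin/example-binary
S.5....T.  c /etc/example.conf
missing     /usr/share/doc/example/README'
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    if rpmv_needs_review "$line"; then tag="REVIEW"; else tag="benign"; fi
    printf '%s %s\n' "$tag" "$(decode_rpmv_line "$line")"
done
```

On a Fedora box, `verify_package systemd` gives the check the reply describes: an empty report, or one with no REVIEW line for /sbin/init or /lib/systemd/systemd, means the installed binaries still match what the package manager recorded. A digest mismatch on those paths would be worth following up from trusted boot media, since an rpm database on a compromised host is itself untrusted.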
Beartooth:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
Fwiw, this result occurs both on an F16 machine, and on an f17 one with a fresh install. (Both are fully updated.)
Here it is said that there might be a bug in chkrootkit: http://forums.fedoraforum.org/archive/index.php/t-261068.html
It looks like it doesn't recognize systemd or has some other issue with it.
Mateusz Marzantowicz
On Thu, 7 Jun 2012 10:37:14 -0600, Kevin Fenzi wrote:
chkrootkit hasn't been updated in a long time upstream.
Even its home page has been gone since 2011. The last minor update is from 2009, and it hasn't merged all patches.
Some people still run it (possibly only because it's available), but I wonder when they last found a rootkit with it on an actually compromised machine?
On 06/07/2012 09:34 AM, Heinz Diehl wrote:
On 07.06.2012, Beartooth wrote:
One tells me, on several machines, that /sbin/init is infected with the Suckit rootkit; the other says not. Is there a way to tell whether I'm seeing a false positive or a false negative?
Seems to be a bug in chkrootkit.
Search the archives for Alan Cox's reply to same issue I had raised a few weeks ago. The bottom line: There is no Suckit rootkit. It is just a remnant in the chkrootkit ruleset which is not valid in the case of /sbin/init.