Bug 636231
| Summary: | /sbin/init INFECTED - (systemd links /sbin/init->../bin/systemd) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> | ||||
| Component: | chkrootkit | Assignee: | Gwyn Ciesla <gwync> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 20 | CC: | awilliam, brovvnout+rh, bugzilla-redhat, centaur, cpanceac, dwheeler, fedora, gartim, gwync, ignatenko, jmorris, joona.palaste, josdekloe, l4coa3fnjplr, lpoetter, manuel.wolfshant, maurizio.antillon, metherid, mschmidt, pahan, plautrba, raj, ray0755, robatino, russ+bugzilla-redhat, sokol420, stealthcipher, wachumaju, whome9988, wjhendrickson | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | chkrootkit-0.50-4.fc21 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-11-01 01:39:22 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Tom London
2010-09-21 17:32:20 UTC
It is a false positive, but the symlink is not the cause. chkrootkit uses a too simple method to detect "Suckit": strings /sbin/init | grep HOME The systemd binary contains the string "HOME" and that's alright. chkrootkit should be fixed. => reassigning back to you, Jon! Ok, thanks for the clarification! *** Bug 693767 has been marked as a duplicate of this bug. *** got the same flag: Searching for Suckit rootkit... Warning: /sbin/init INFECTED on x86_64 systems, just upgraded to fc15 on about 3 servers, all showing the suckit rootkit. This bug is still with us in F15. This bug is still in Fedora 15 (chkrootkit still thinks that systemd is malicious). Other distributions are seeing the same problem, so this is a general upstream problem in chkrootkit: Ubuntu #454566: https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566 Gentoo: http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html still valid in F16. As mentioned in Comment 7, this is still valid with F16. I'm adding this additional comment with the following lines because it took me a fair number of searches to come across this page. Ossec (which I think uses chkrootkit) detects this too. Hopefully this comment will help others discover the known issue (as a false positive) with less time. OSSEC will fire on rule 510: Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Trojaned version of file '/sbin/init' detected. Signature used: 'bash|/dev/h|HOME' (Generic). Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit). I have this problem in F16 too, Bug 743696 - wtmp is being corrupted at shutdown. has more information. Perhaps these two bugs could be merged? No, bug 743696 is not related to this one. the warning "Suckit rootkit... Warning: /sbin/init INFECTED" still is present in Fedora 17. Fedora 17 user here. Just scanned with chkrootkit, and it found the Suckit rootkit /sbin/init INFECTED. After Googling, I learned this is (possibly) a false positive/bug which already exists in older Fedora versions. How come this is not fixed yet? It scared the hell out of me. Did the check with ln / ls -l. I am also a Fedora 17 user and encountered this same bug. chkrootkit reports that it found the Suckit rootkit, but it looks like this is a false positive. It should get fixed. Still valid in F17. Reported a bug at: https://bugzilla.redhat.com/show_bug.cgi?id=859574 Someone found a patch to fix this bug, Check out this page. http://askubuntu.com/questions/25176/chkrootkit-says-sbin-init-is-infected-what-does-that-mean It involves changing two lines. # diff chkrootkit chkrootkit.backup 983,986c983,984 < # if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ < # cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 < if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME ) \ < >/dev/null 2>&1 --- > if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ > cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 # This doesn't seem to work for me, can you create a -U3 patch I can test that works for you? I have:
--- chkrootkit.orig 2012-10-26 08:01:43.484215162 -0500
+++ chkrootkit 2012-10-26 08:08:05.254344231 -0500
@@ -980,8 +980,8 @@
### Suckit
if [ -f ${ROOTDIR}sbin/init ]; then
if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
- if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
- cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
+ if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME ) \
+ >/dev/null 2>&1
then
echo "Warning: ${ROOTDIR}sbin/init INFECTED"
else
*** Bug 859574 has been marked as a duplicate of this bug. *** The patch cannot work, see comment 1. Ok, So the symlink patch will not work. Any other ideas? Info: It is still a problem in Fedora 18. Searching for Suckit rootkit... Warning: /sbin/init INFECTED Well, what's so difficult? $ file /sbin/init /sbin/init: symbolic link to `../lib/systemd/systemd' $ strings /sbin/init|grep systemd|wc -l 192 Obviously, searching the "init" binary for "HOME" is an oversimplified detection of the Suckit rootkit. It may have been convenient enough for a few years instead of figuring out a safer signature of Suckit infection. If you think the original check is still useful nowadays, you could conditionalize it, check whether /sbin/init is a symlink to systemd and either skip checking systemd or verify that /sbin/init contains systemd strings. That won't help with detecting new rootkits (which chkrootkit doesn't do anyway) or systemd being infected/replaced with something, but would kill the false positive at least. Btw, http://www.chkrootkit.org is gone for more than two years. (In reply to comment #20) > Btw, http://www.chkrootkit.org is gone for more than two years. And the last release was more than 3 years ago. Time to EOL the package? This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19 still happening in Fedora 19... Still broken with chkrootkit-0.49-8.fc20.x86_64 Ping? Can this be reproduced with 0.50? yes # chkrootkit | grep INFECT Searching for Suckit rootkit... Warning: /sbin/init INFECTED # rpm -q chkrootkit chkrootkit-0.50-3.fc21.i686 Created attachment 943753 [details]
Patch for 0.50 to address Suckit false postive (when /sbin/init = systemd)
i know chkrootkit is not actively developed, etc., (and I also use rkhunter) but this still bugs me. ergo, patch. -b If Fedora is gonna change, you guys should remove ancient packages like this, that just give false positives, making new enthusiast to don't trust their systems (not everybody knows about bugzilla.redhat). Thanks for the patch, updates coming. Duff, there are many alternatives to this package. Not all ancient software is useless, there are games that haven't seen a commit in a decade that are heavily played. Age!= irrelevance. I appreciate your argument, but I'd rather fix things than throw the baby out with the bathwater, no matter how dirty the bathwater. chkrootkit-0.50-4.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc20 chkrootkit-0.50-4.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc21 I can confirm that the x86_64 package for Fedora 20 works for me. If you really want to know, the SRPM built and ran just fine on an i386/Fedora 17 box, too. Thanks for packaging. Package chkrootkit-0.50-4.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing chkrootkit-0.50-4.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-13427/chkrootkit-0.50-4.fc21 then log in and leave karma (feedback). Any update for Fedora 19? @Dennis,
While you wait, you can try recompiling the SRPM, which is what I did for Fedora 17:
> wget https://kojipkgs.fedoraproject.org//packages/chkrootkit/0.50/4.fc21/src/chkrootkit-0.50-4.fc21.src.rpm
> rpmbuild --rebuild chkrootkit-0.50-4.fc21.src.rpm
> sudo yum update /PATH/TO/chkrootkit-0.50-4.fc19.ARCH.rpm
NB: you might need to "sudo yum install rpm-build" first.
Sure, I'll get that out. chkrootkit-0.50-4.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc19 chkrootkit-0.50-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. chkrootkit-0.50-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. chkrootkit-0.50-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |