Description of problem:
Running chkrootkit generates a number of warnings: warning, got bogus l2cap line.

Version-Release number of selected component (if applicable):
chkrootkit-0.50-4.fc22.x86_64
net-tools-2.0-0.31.20141124git.fc22.x86_64

How reproducible:
Install and run chkrootkit on a host with bluetooth support.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
chkrootkit is a set of bash scripts and uses netstat to look for network connections. The warning comes from each invocation of netstat and can be produced by:

    netstat -an --protocol=bluetooth

which produces:

    Active Bluetooth connections (servers and established)
    Proto Destination Source State PSM DCID SCID IMTU OMTU Security
    warning, got bogus l2cap line.
    Proto Destination Source State Channel
    netstat: no support for `AF BLUETOOTH' on this system.

Suggested fix:
Change netstat invocations to limit listing to the address family of interest. Or, since net-tools is "end of life", switch to using ss from iproute.
I think the component for this bug should be netstat, not chkrootkit, since that's where the issue lies. I'm seeing the same warning for netstat on F21 (net-tools-2.0-0.31.20141124git.fc21.x86_64).

    # netstat -l
    ...
    Active Bluetooth connections (only servers)
    Proto Destination Source State PSM DCID SCID IMTU OMTU Security
    warning, got bogus l2cap line.
    warning, got bogus l2cap line.
    warning, got bogus l2cap line.
    warning, got bogus l2cap line.
    warning, got bogus l2cap line.
I filed the bug against chkrootkit after seeing that net-tools package (netstat) was marked "end of life" and is not likely to be updated in Fedora or upstream. I can live with errors from netstat since it is generally used interactively but error output from a root-kit scanner may cause unnecessary alarm. I have "fixed" my own version by restricting the netstat protocol options but I'm no root-kit expert so I don't know if the affected Trojans only use IPv4/IPv6. Quick fix: - OPT=-an + OPT=-an46 in 4 places in chkrootkit script. One instance is quoted. That fixes things for netstat for now but switching to ss would take considerably more effort.
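Review bot: changing `OPT=-an` to `OPT=-an46` narrows all four netstat listings to IPv4 and IPv6 sockets, so besides silencing the Bluetooth warning it also hides every other address family (UNIX domain sockets, for example) from whatever check consumes that output. Before applying it, confirm that each of the four call sites only matches on TCP/UDP lines, and make the same edit inside the quotes of the one quoted instance so it is not missed by a plain search and replace.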
Hi,

(In reply to DaveG from comment #2)
> I filed the bug against chkrootkit after seeing that net-tools package
> (netstat) was marked "end of life" and is not likely to be updated in Fedora
> or upstream.

What will be the netstat replacement?

Thanks,
(In reply to Sergio Monteiro Basto from comment #3)
> Hi,
>
> (In reply to DaveG from comment #2)
> > I filed the bug against chkrootkit after seeing that net-tools package
> > (netstat) was marked "end of life" and is not likely to be updated in Fedora
> > or upstream.
>
> what will be the netstat replacement ?
>

ss
Yes, 'ss' from the iproute package. Similar output but different format.
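The switch from netstat to ss discussed in this thread, as an added example that is not part of the bug report or of chkrootkit: a port check that parses `ss -tuln` output, where the local address sits in a different column than in `netstat -an`. The port list, the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not chkrootkit code. SUSPECT_PORTS is a constructed sample list.
SUSPECT_PORTS="31337 47017"

# Constructed sample of `ss -tuln` output (header included) for the offline demo.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q     Local Address:Port  Peer Address:Port
udp   UNCONN 0      0                0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128              0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128                 [::]:22            [::]:*
tcp   LISTEN 0      5              127.0.0.1:31337      0.0.0.0:*
tcp   LISTEN 0      5       [fe80::1]%eth0:47017         [::]:*
udp   UNCONN 0      0                      *:31337            *:*
EOF
}

# Read `ss -tuln` output on stdin and print "proto/port" once for each bound
# port that is in SUSPECT_PORTS. The local address is field 5 in ss output
# (field 4 in `netstat -an`); the port is the text after its last ':', which
# also covers bracketed IPv6 and scoped (%iface) addresses.
find_suspect_ports() {
    awk -v suspects="$SUSPECT_PORTS" '
    BEGIN { n = split(suspects, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {          # skips the header and anything else
        k = split($5, parts, ":")
        key = $1 "/" parts[k]
        if ((parts[k] in bad) && !seen[key]++) print key
    }'
}

# Live use: -t and -u list only TCP and UDP sockets, so no Bluetooth (or other
# address family) table is read; -l is listening sockets, -n is numeric ports.
scan_live() {
    ss -tuln | find_suspect_ports
}

# Offline demo on the constructed sample.
sample_ss_output | find_suspect_ports
```

Because the parser selects only lines whose first field is `tcp` or `udp`, the header line and any diagnostic text mixed into the stream are ignored rather than matched.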
Thanks :)
Does this still occur with ss?
chkrootkit-0.50-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4
chkrootkit-0.50-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e
chkrootkit-0.50-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.