Description of problem:
Running chkrootkit on a Rawhide system (systemd, not upstart) shows:

Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found

Probably (I hope!) due to systemd installing a link for /sbin/init:

lrwxrwxrwx. 1 root root 14 Sep 21 06:18 /sbin/init -> ../bin/systemd

Version-Release number of selected component (if applicable):
chkrootkit-0.49-1.fc14.x86_64

How reproducible:
Every time....

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
It is a false positive, but the symlink is not the cause. chkrootkit uses too simple a method to detect "Suckit":

strings /sbin/init | grep HOME

The systemd binary contains the string "HOME" and that's alright. chkrootkit should be fixed.

=> reassigning back to you, Jon!
Ok, thanks for the clarification!
*** Bug 693767 has been marked as a duplicate of this bug. ***
Got the same flag:

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

on x86_64 systems, just upgraded to fc15 on about 3 servers, all showing the suckit rootkit.
This bug is still with us in F15.
This bug is still in Fedora 15 (chkrootkit still thinks that systemd is malicious). Other distributions are seeing the same problem, so this is a general upstream problem in chkrootkit:

Ubuntu #454566: https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566
Gentoo: http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
Still valid in F16.
As mentioned in Comment 7, this is still valid with F16. I'm adding this additional comment with the following lines because it took me a fair number of searches to come across this page. Ossec (which I think uses chkrootkit) detects this too. Hopefully this comment will help others discover the known issue (as a false positive) with less time. OSSEC will fire on rule 510:

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Trojaned version of file '/sbin/init' detected. Signature used: 'bash|/dev/h|HOME' (Generic).
Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit).
I have this problem in F16 too. Bug 743696 (wtmp is being corrupted at shutdown) has more information. Perhaps these two bugs could be merged?
No, bug 743696 is not related to this one.
The warning "Suckit rootkit... Warning: /sbin/init INFECTED" is still present in Fedora 17.
Fedora 17 user here. Just scanned with chkrootkit, and it found the Suckit rootkit /sbin/init INFECTED. After Googling, I learned this is (possibly) a false positive/bug which already exists in older Fedora versions. How come this is not fixed yet? It scared the hell out of me. Did the check with ln / ls -l.
I am also a Fedora 17 user and encountered this same bug. chkrootkit reports that it found the Suckit rootkit, but it looks like this is a false positive. It should get fixed.
Still valid in F17. Reported a bug at: https://bugzilla.redhat.com/show_bug.cgi?id=859574
Someone found a patch to fix this bug, Check out this page. http://askubuntu.com/questions/25176/chkrootkit-says-sbin-init-is-infected-what-does-that-mean It involves changing two lines. # diff chkrootkit chkrootkit.backup 983,986c983,984 < # if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ < # cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 < if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME ) \ < >/dev/null 2>&1 --- > if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ > cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 #
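Review bot: the diff as shown is reversed for anyone wanting to apply it: it was produced with `diff chkrootkit chkrootkit.backup`, so the `<` lines are the already-edited copy and the `>` lines are the original, and feeding it to patch(1) as-is would undo the edit rather than make it. More importantly, the edited condition still reads `${strings} ${ROOTDIR}sbin/init | ${egrep} HOME`; comment 1 identified that "HOME" string match on the systemd binary as the cause of the false positive, so removing only the `/proc/1/maps` alternative leaves the Warning in place.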
This doesn't seem to work for me, can you create a -U3 patch I can test that works for you? I have: --- chkrootkit.orig 2012-10-26 08:01:43.484215162 -0500 +++ chkrootkit 2012-10-26 08:08:05.254344231 -0500 @@ -980,8 +980,8 @@ ### Suckit if [ -f ${ROOTDIR}sbin/init ]; then if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi - if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ - cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 + if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME ) \ + >/dev/null 2>&1 then echo "Warning: ${ROOTDIR}sbin/init INFECTED" else
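Review bot: the hunk drops only the `cat ${ROOTDIR}/proc/1/maps | ${egrep} "init."` branch of the condition; the surviving `${strings} ${ROOTDIR}sbin/init | ${egrep} HOME` test is exactly the one comment 1 says matches the systemd binary, so the `then echo "Warning: ${ROOTDIR}sbin/init INFECTED"` path is still taken on a systemd system. A fix needs to change what the `strings | egrep HOME` branch does when sbin/init resolves to systemd, not merely remove the second alternative.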
*** Bug 859574 has been marked as a duplicate of this bug. ***
The patch cannot work, see comment 1.
OK, so the symlink patch will not work. Any other ideas?

Info: It is still a problem in Fedora 18.

Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Well, what's so difficult?

$ file /sbin/init
/sbin/init: symbolic link to `../lib/systemd/systemd'
$ strings /sbin/init|grep systemd|wc -l
192

Obviously, searching the "init" binary for "HOME" is an oversimplified detection of the Suckit rootkit. It may have been convenient enough for a few years instead of figuring out a safer signature of Suckit infection. If you think the original check is still useful nowadays, you could conditionalize it: check whether /sbin/init is a symlink to systemd and either skip checking systemd or verify that /sbin/init contains systemd strings. That won't help with detecting new rootkits (which chkrootkit doesn't do anyway) or systemd being infected/replaced with something, but would kill the false positive at least.

Btw, http://www.chkrootkit.org is gone for more than two years.
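As an added example (not chkrootkit's code, nor anything posted in this bug), the "HOME"-string check from comment 1 beside the conditionalized variant suggested above, written in POSIX sh; it assumes a tr-based stand-in for strings(1) and a constructed fake root tree so it runs anywhere:

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: the "HOME"-string Suckit test
# beside a systemd-aware variant (the conditional suggested in comment 20),
# written as functions so they can be run against a constructed test tree.
# Argument style follows chkrootkit's ROOTDIR: a path prefix ending in "/".

# Stand-in for strings(1) so the example runs without binutils installed:
# print the printable runs of a binary, one per line.
strings_of() {
    tr -c '[:print:]' '\n' < "$1"
}

# Original-style check: status 0 ("INFECTED") if the init binary contains "HOME".
suckit_check_naive() {
    strings_of "${1}sbin/init" | grep -q HOME
}

# Systemd-aware check: when sbin/init resolves to a binary named systemd that
# also carries systemd strings, the HOME match is expected, so stay quiet;
# any other init binary is still tested for "HOME" exactly as before.
suckit_check_systemd_aware() {
    init="${1}sbin/init"
    target=$(readlink -f "$init")
    case "$target" in
        */systemd)
            if strings_of "$target" | grep -q systemd; then
                return 1
            fi
            ;;
    esac
    strings_of "$init" | grep -q HOME
}

# Constructed test tree (not a real system): "systemd" builds a fake systemd
# binary containing both "HOME" and "systemd" with sbin/init symlinked to it,
# as on Fedora; anything else builds a plain sbin/init file containing "HOME".
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/lib/systemd"
    if [ "$1" = systemd ]; then
        printf 'HOME=/root\0systemd version string\0' > "$root/lib/systemd/systemd"
        ln -s ../lib/systemd/systemd "$root/sbin/init"
    else
        printf 'init\0HOME\0' > "$root/sbin/init"
    fi
    printf '%s/' "$root"
}
```

The naive check fires on both trees; the systemd-aware one stays quiet on the symlinked systemd tree and still fires on the plain init that contains "HOME".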
(In reply to comment #20)
> Btw, http://www.chkrootkit.org is gone for more than two years.

And the last release was more than 3 years ago. Time to EOL the package?
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Still happening in Fedora 19...
Still broken with chkrootkit-0.49-8.fc20.x86_64
Ping?
Can this be reproduced with 0.50?
Yes.

# chkrootkit | grep INFECT
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
# rpm -q chkrootkit
chkrootkit-0.50-3.fc21.i686
Created attachment 943753 [details] Patch for 0.50 to address Suckit false positive (when /sbin/init = systemd)
I know chkrootkit is not actively developed, etc. (and I also use rkhunter), but this still bugs me. Ergo, patch. -b
If Fedora is gonna change, you guys should remove ancient packages like this that just give false positives, making new enthusiasts distrust their systems (not everybody knows about bugzilla.redhat).
Thanks for the patch, updates coming. Duff, there are many alternatives to this package. Not all ancient software is useless; there are games that haven't seen a commit in a decade that are heavily played. Age != irrelevance. I appreciate your argument, but I'd rather fix things than throw the baby out with the bathwater, no matter how dirty the bathwater.
chkrootkit-0.50-4.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc20
chkrootkit-0.50-4.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc21
I can confirm that the x86_64 package for Fedora 20 works for me. If you really want to know, the SRPM built and ran just fine on an i386/Fedora 17 box, too. Thanks for packaging.
Package chkrootkit-0.50-4.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing chkrootkit-0.50-4.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13427/chkrootkit-0.50-4.fc21
then log in and leave karma (feedback).
Any update for Fedora 19?
@Dennis, while you wait, you can try recompiling the SRPM, which is what I did for Fedora 17:

> wget https://kojipkgs.fedoraproject.org//packages/chkrootkit/0.50/4.fc21/src/chkrootkit-0.50-4.fc21.src.rpm
> rpmbuild --rebuild chkrootkit-0.50-4.fc21.src.rpm
> sudo yum update /PATH/TO/chkrootkit-0.50-4.fc19.ARCH.rpm

NB: you might need to "sudo yum install rpm-build" first.
Sure, I'll get that out.
chkrootkit-0.50-4.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc19
chkrootkit-0.50-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
chkrootkit-0.50-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
chkrootkit-0.50-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.