Bug 636231 - /sbin/init INFECTED - (systemd links /sbin/init->../bin/systemd)
Summary: /sbin/init INFECTED - (systemd links /sbin/init->../bin/systemd)
Alias: None
Product: Fedora
Classification: Fedora
Component: chkrootkit
Version: 20
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
: 693767 859574 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2010-09-21 17:32 UTC by Tom London
Modified: 2014-11-02 13:16 UTC (History)
30 users (show)

Fixed In Version: chkrootkit-0.50-4.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-11-01 01:39:22 UTC
Type: ---

Attachments (Terms of Use)
Patch for 0.50 to address Suckit false postive (when /sbin/init = systemd) (942 bytes, patch)
2014-10-03 15:22 UTC, wjhendrickson
no flags Details | Diff

Description Tom London 2010-09-21 17:32:20 UTC
Description of problem:
Running chkrootkit on a Rawhide system (systemd, not upstart) shows:

Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found

Probably (I hope!) due to systemd installing a link for /sbin/init:
lrwxrwxrwx. 1 root root 14 Sep 21 06:18 /sbin/init -> ../bin/systemd

Version-Release number of selected component (if applicable):

How reproducible:
Every time....

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Michal Schmidt 2010-12-14 16:24:36 UTC
It is a false positive, but the symlink is not the cause.
chkrootkit uses a too simple method to detect "Suckit":
strings /sbin/init | grep HOME
The systemd binary contains the string "HOME" and that's alright. chkrootkit should be fixed.
=> reassigning back to you, Jon!

Comment 2 Gwyn Ciesla 2010-12-14 16:29:23 UTC
Ok, thanks for the clarification!

Comment 3 Michael Schwendt 2011-05-20 14:58:28 UTC
*** Bug 693767 has been marked as a duplicate of this bug. ***

Comment 4 g. artim 2011-06-27 22:07:05 UTC
got the same flag:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
on x86_64 systems, just upgraded to fc15 on about 3 servers,
all showing the suckit rootkit.

Comment 5 Michael S. Tsirkin 2011-10-02 21:56:04 UTC
This bug is still with us in F15.

Comment 6 David A. Wheeler 2011-10-03 14:38:07 UTC
This bug is still in Fedora 15 (chkrootkit still thinks that systemd is malicious).  Other distributions are seeing the same problem, so this is a general upstream problem in chkrootkit:

Ubuntu #454566:


Comment 7 Adam Williamson 2011-10-04 01:48:40 UTC
still valid in F16.

Comment 8 Mike 2012-01-11 16:15:05 UTC
As mentioned in Comment 7, this is still valid with F16.  I'm adding this additional comment with the following lines because it took me a fair number of searches to come across this page.  Ossec (which I think uses chkrootkit) detects this too.  Hopefully this comment will help others discover the known issue (as a false positive) with less time. 

OSSEC will fire on rule 510: 

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."

Trojaned version of file '/sbin/init' detected. Signature used: 'bash|/dev/h|HOME' (Generic).

Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit).

Comment 9 Michael Stanton 2012-01-12 20:13:38 UTC
I have this problem in F16 too, Bug 743696 - wtmp is being corrupted at shutdown. has more information. Perhaps these two bugs could be merged?

Comment 10 Michal Schmidt 2012-01-13 10:56:33 UTC
No, bug 743696 is not related to this one.

Comment 11 Jos de Kloe 2012-08-23 09:17:57 UTC
the warning "Suckit rootkit... Warning: /sbin/init INFECTED"
still is present in Fedora 17.

Comment 12 Ray 2012-09-11 20:47:55 UTC
Fedora 17 user here. Just scanned with chkrootkit, and it found the Suckit rootkit /sbin/init INFECTED. After Googling, I learned this is (possibly) a false positive/bug which already exists in older Fedora versions. How come this is not fixed yet? It scared the hell out of me.

Did the check with ln / ls -l.

Comment 13 Joona Palaste 2012-09-16 13:06:05 UTC
I am also a Fedora 17 user and encountered this same bug. chkrootkit reports that it found the Suckit rootkit, but it looks like this is a false positive. It should get fixed.

Comment 14 Orion Caspar 2012-09-22 01:15:14 UTC
Still valid in F17. Reported a bug at:


Comment 15 Raj Upadhyaya 2012-10-26 03:09:18 UTC
Someone found a patch to fix this bug,  Check out this page.


It involves changing two lines.

# diff chkrootkit chkrootkit.backup
< #     if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
< #	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
<       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  ) \
<              >/dev/null 2>&1
>       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
> 	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1

Comment 16 Gwyn Ciesla 2012-10-26 13:11:23 UTC
This doesn't seem to work for me, can you create a -U3 patch I can test that works for you?  I have:

--- chkrootkit.orig	2012-10-26 08:01:43.484215162 -0500
+++ chkrootkit	2012-10-26 08:08:05.254344231 -0500
@@ -980,8 +980,8 @@
    ### Suckit
    if [ -f ${ROOTDIR}sbin/init ]; then
       if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
-      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
-	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
+      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  ) \
+	           >/dev/null 2>&1
         echo "Warning: ${ROOTDIR}sbin/init INFECTED"

Comment 17 Michael Schwendt 2013-01-14 00:40:24 UTC
*** Bug 859574 has been marked as a duplicate of this bug. ***

Comment 18 Michael Schwendt 2013-01-14 00:40:57 UTC
The patch cannot work, see comment 1.

Comment 19 Raj Upadhyaya 2013-01-14 01:07:37 UTC
So the symlink patch will not work.  Any other ideas?  Info:  It is still a problem in Fedora 18.

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

Comment 20 Michael Schwendt 2013-01-14 12:40:17 UTC
Well, what's so difficult?

  $ file /sbin/init
  /sbin/init: symbolic link to `../lib/systemd/systemd'

  $ strings /sbin/init|grep systemd|wc -l

Obviously, searching the "init" binary for "HOME" is an oversimplified detection of the Suckit rootkit. It may have been convenient enough for a few years instead of figuring out a safer signature of Suckit infection.

If you think the original check is still useful nowadays, you could conditionalize it, check whether /sbin/init is a symlink to systemd and either skip checking systemd or verify that /sbin/init contains systemd strings.

That won't help with detecting new rootkits (which chkrootkit doesn't do anyway) or systemd being infected/replaced with something, but would kill the false positive at least.

Btw, http://www.chkrootkit.org is gone for more than two years.

Comment 21 Michal Schmidt 2013-01-14 13:06:11 UTC
(In reply to comment #20)
> Btw, http://www.chkrootkit.org is gone for more than two years.

And the last release was more than 3 years ago. Time to EOL the package?

Comment 22 Fedora End Of Life 2013-04-03 20:08:51 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:

Comment 23 Ryan 2013-07-12 06:17:28 UTC
still happening in Fedora 19...

Comment 24 John Morris 2013-12-28 05:39:29 UTC
Still broken with chkrootkit-0.49-8.fc20.x86_64

Comment 25 Igor Gnatenko 2014-08-27 17:01:05 UTC

Comment 26 Gwyn Ciesla 2014-08-27 17:14:33 UTC
Can this be reproduced with 0.50?

Comment 27 cornel panceac 2014-08-29 20:25:22 UTC

# chkrootkit | grep INFECT
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

# rpm -q chkrootkit

Comment 28 wjhendrickson 2014-10-03 15:22:27 UTC
Created attachment 943753 [details]
Patch for 0.50 to address Suckit false postive (when /sbin/init = systemd)

Comment 29 wjhendrickson 2014-10-03 15:24:01 UTC
i know chkrootkit is not actively developed, etc., (and I also use rkhunter) but this still bugs me.  ergo, patch.


Comment 30 Neil 2014-10-21 08:10:53 UTC
If Fedora is gonna change, you guys should remove ancient packages like this, that just give false positives, making new enthusiast to don't trust their systems (not everybody knows about bugzilla.redhat).

Comment 31 Gwyn Ciesla 2014-10-21 15:02:21 UTC
Thanks for the patch, updates coming.

Duff, there are many alternatives to this package.  Not all ancient software is useless, there are games that haven't seen a commit in a decade that are heavily played.  Age!= irrelevance.  I appreciate your argument, but I'd rather fix things than throw the baby out with the bathwater, no matter how dirty the bathwater.

Comment 32 Fedora Update System 2014-10-21 15:36:08 UTC
chkrootkit-0.50-4.fc20 has been submitted as an update for Fedora 20.

Comment 33 Fedora Update System 2014-10-21 15:36:15 UTC
chkrootkit-0.50-4.fc21 has been submitted as an update for Fedora 21.

Comment 34 wjhendrickson 2014-10-21 16:14:25 UTC
I can confirm that the x86_64 package for Fedora 20 works for me.

If you really want to know, the SRPM built and ran just fine on an i386/Fedora 17 box, too.

Thanks for packaging.

Comment 35 Fedora Update System 2014-10-21 17:26:25 UTC
Package chkrootkit-0.50-4.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing chkrootkit-0.50-4.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 36 Dennis DeDonatis 2014-10-21 18:15:55 UTC
Any update for Fedora 19?

Comment 37 wjhendrickson 2014-10-21 18:29:27 UTC

While you wait, you can try recompiling the SRPM, which is what I did for Fedora 17:

> wget https://kojipkgs.fedoraproject.org//packages/chkrootkit/0.50/4.fc21/src/chkrootkit-0.50-4.fc21.src.rpm
> rpmbuild --rebuild chkrootkit-0.50-4.fc21.src.rpm
> sudo yum update /PATH/TO/chkrootkit-0.50-4.fc19.ARCH.rpm

NB: you might need to "sudo yum install rpm-build" first.

Comment 38 Gwyn Ciesla 2014-10-21 19:05:35 UTC
Sure, I'll get that out.

Comment 39 Fedora Update System 2014-10-21 19:24:59 UTC
chkrootkit-0.50-4.fc19 has been submitted as an update for Fedora 19.

Comment 40 Fedora Update System 2014-11-01 01:39:22 UTC
chkrootkit-0.50-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 41 Fedora Update System 2014-11-01 01:43:40 UTC
chkrootkit-0.50-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 42 Fedora Update System 2014-11-01 17:11:08 UTC
chkrootkit-0.50-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.