Bug 636231 - /sbin/init INFECTED - (systemd links /sbin/init->../bin/systemd)
/sbin/init INFECTED - (systemd links /sbin/init->../bin/systemd)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: chkrootkit (Show other bugs)
20
All Linux
low Severity medium
: ---
: ---
Assigned To: Jon Ciesla
Fedora Extras Quality Assurance
:
: 693767 859574 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-21 13:32 EDT by Tom London
Modified: 2014-11-02 08:16 EST (History)
30 users (show)

See Also:
Fixed In Version: chkrootkit-0.50-4.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-31 21:39:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch for 0.50 to address Suckit false postive (when /sbin/init = systemd) (942 bytes, patch)
2014-10-03 11:22 EDT, wjhendrickson
no flags Details | Diff

  None (edit)
Description Tom London 2010-09-21 13:32:20 EDT
Description of problem:
Running chkrootkit on a Rawhide system (systemd, not upstart) shows:

Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found

Probably (I hope!) due to systemd installing a link for /sbin/init:
lrwxrwxrwx. 1 root root 14 Sep 21 06:18 /sbin/init -> ../bin/systemd

Version-Release number of selected component (if applicable):
chkrootkit-0.49-1.fc14.x86_64

How reproducible:
Every time....

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Michal Schmidt 2010-12-14 11:24:36 EST
It is a false positive, but the symlink is not the cause.
chkrootkit uses a too simple method to detect "Suckit":
strings /sbin/init | grep HOME
The systemd binary contains the string "HOME" and that's alright. chkrootkit should be fixed.
=> reassigning back to you, Jon!
Comment 2 Jon Ciesla 2010-12-14 11:29:23 EST
Ok, thanks for the clarification!
Comment 3 Michael Schwendt 2011-05-20 10:58:28 EDT
*** Bug 693767 has been marked as a duplicate of this bug. ***
Comment 4 g. artim 2011-06-27 18:07:05 EDT
got the same flag:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
on x86_64 systems, just upgraded to fc15 on about 3 servers,
all showing the suckit rootkit.
Comment 5 Michael S. Tsirkin 2011-10-02 17:56:04 EDT
This bug is still with us in F15.
Comment 6 David A. Wheeler 2011-10-03 10:38:07 EDT
This bug is still in Fedora 15 (chkrootkit still thinks that systemd is malicious).  Other distributions are seeing the same problem, so this is a general upstream problem in chkrootkit:

Ubuntu #454566:
https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566

Gentoo:
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
Comment 7 Adam Williamson 2011-10-03 21:48:40 EDT
still valid in F16.
Comment 8 Mike 2012-01-11 11:15:05 EST
As mentioned in Comment 7, this is still valid with F16.  I'm adding this additional comment with the following lines because it took me a fair number of searches to come across this page.  Ossec (which I think uses chkrootkit) detects this too.  Hopefully this comment will help others discover the known issue (as a false positive) with less time. 


OSSEC will fire on rule 510: 

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."


Trojaned version of file '/sbin/init' detected. Signature used: 'bash|/dev/h|HOME' (Generic).

Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit).
Comment 9 Michael Stanton 2012-01-12 15:13:38 EST
I have this problem in F16 too, Bug 743696 - wtmp is being corrupted at shutdown. has more information. Perhaps these two bugs could be merged?
Comment 10 Michal Schmidt 2012-01-13 05:56:33 EST
No, bug 743696 is not related to this one.
Comment 11 Jos de Kloe 2012-08-23 05:17:57 EDT
the warning "Suckit rootkit... Warning: /sbin/init INFECTED"
still is present in Fedora 17.
Comment 12 Ray 2012-09-11 16:47:55 EDT
Fedora 17 user here. Just scanned with chkrootkit, and it found the Suckit rootkit /sbin/init INFECTED. After Googling, I learned this is (possibly) a false positive/bug which already exists in older Fedora versions. How come this is not fixed yet? It scared the hell out of me.

Did the check with ln / ls -l.
Comment 13 Joona Palaste 2012-09-16 09:06:05 EDT
I am also a Fedora 17 user and encountered this same bug. chkrootkit reports that it found the Suckit rootkit, but it looks like this is a false positive. It should get fixed.
Comment 14 Orion Caspar 2012-09-21 21:15:14 EDT
Still valid in F17. Reported a bug at:

https://bugzilla.redhat.com/show_bug.cgi?id=859574
Comment 15 Raj Upadhyaya 2012-10-25 23:09:18 EDT
Someone found a patch to fix this bug,  Check out this page.

http://askubuntu.com/questions/25176/chkrootkit-says-sbin-init-is-infected-what-does-that-mean

It involves changing two lines.

# diff chkrootkit chkrootkit.backup
983,986c983,984
< #     if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
< #	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
<       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  ) \
<              >/dev/null 2>&1
---
>       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
> 	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
#
Comment 16 Jon Ciesla 2012-10-26 09:11:23 EDT
This doesn't seem to work for me, can you create a -U3 patch I can test that works for you?  I have:

--- chkrootkit.orig	2012-10-26 08:01:43.484215162 -0500
+++ chkrootkit	2012-10-26 08:08:05.254344231 -0500
@@ -980,8 +980,8 @@
    ### Suckit
    if [ -f ${ROOTDIR}sbin/init ]; then
       if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
-      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
-	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
+      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  ) \
+	           >/dev/null 2>&1
         then
         echo "Warning: ${ROOTDIR}sbin/init INFECTED"
       else
Comment 17 Michael Schwendt 2013-01-13 19:40:24 EST
*** Bug 859574 has been marked as a duplicate of this bug. ***
Comment 18 Michael Schwendt 2013-01-13 19:40:57 EST
The patch cannot work, see comment 1.
Comment 19 Raj Upadhyaya 2013-01-13 20:07:37 EST
Ok,
So the symlink patch will not work.  Any other ideas?  Info:  It is still a problem in Fedora 18.

Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Comment 20 Michael Schwendt 2013-01-14 07:40:17 EST
Well, what's so difficult?

  $ file /sbin/init
  /sbin/init: symbolic link to `../lib/systemd/systemd'

  $ strings /sbin/init|grep systemd|wc -l
  192

Obviously, searching the "init" binary for "HOME" is an oversimplified detection of the Suckit rootkit. It may have been convenient enough for a few years instead of figuring out a safer signature of Suckit infection.

If you think the original check is still useful nowadays, you could conditionalize it, check whether /sbin/init is a symlink to systemd and either skip checking systemd or verify that /sbin/init contains systemd strings.

That won't help with detecting new rootkits (which chkrootkit doesn't do anyway) or systemd being infected/replaced with something, but would kill the false positive at least.

Btw, http://www.chkrootkit.org is gone for more than two years.
Comment 21 Michal Schmidt 2013-01-14 08:06:11 EST
(In reply to comment #20)
> Btw, http://www.chkrootkit.org is gone for more than two years.

And the last release was more than 3 years ago. Time to EOL the package?
Comment 22 Fedora End Of Life 2013-04-03 16:08:51 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 23 Ryan 2013-07-12 02:17:28 EDT
still happening in Fedora 19...
Comment 24 John Morris 2013-12-28 00:39:29 EST
Still broken with chkrootkit-0.49-8.fc20.x86_64
Comment 25 Igor Gnatenko 2014-08-27 13:01:05 EDT
Ping?
Comment 26 Jon Ciesla 2014-08-27 13:14:33 EDT
Can this be reproduced with 0.50?
Comment 27 cornel panceac 2014-08-29 16:25:22 EDT
yes

# chkrootkit | grep INFECT
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

# rpm -q chkrootkit
chkrootkit-0.50-3.fc21.i686
Comment 28 wjhendrickson 2014-10-03 11:22:27 EDT
Created attachment 943753 [details]
Patch for 0.50 to address Suckit false postive (when /sbin/init = systemd)
Comment 29 wjhendrickson 2014-10-03 11:24:01 EDT
i know chkrootkit is not actively developed, etc., (and I also use rkhunter) but this still bugs me.  ergo, patch.

-b
Comment 30 Neil 2014-10-21 04:10:53 EDT
If Fedora is gonna change, you guys should remove ancient packages like this, that just give false positives, making new enthusiast to don't trust their systems (not everybody knows about bugzilla.redhat).
Comment 31 Jon Ciesla 2014-10-21 11:02:21 EDT
Thanks for the patch, updates coming.

Duff, there are many alternatives to this package.  Not all ancient software is useless, there are games that haven't seen a commit in a decade that are heavily played.  Age!= irrelevance.  I appreciate your argument, but I'd rather fix things than throw the baby out with the bathwater, no matter how dirty the bathwater.
Comment 32 Fedora Update System 2014-10-21 11:36:08 EDT
chkrootkit-0.50-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc20
Comment 33 Fedora Update System 2014-10-21 11:36:15 EDT
chkrootkit-0.50-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc21
Comment 34 wjhendrickson 2014-10-21 12:14:25 EDT
I can confirm that the x86_64 package for Fedora 20 works for me.

If you really want to know, the SRPM built and ran just fine on an i386/Fedora 17 box, too.

Thanks for packaging.
Comment 35 Fedora Update System 2014-10-21 13:26:25 EDT
Package chkrootkit-0.50-4.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing chkrootkit-0.50-4.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13427/chkrootkit-0.50-4.fc21
then log in and leave karma (feedback).
Comment 36 Dennis DeDonatis 2014-10-21 14:15:55 EDT
Any update for Fedora 19?
Comment 37 wjhendrickson 2014-10-21 14:29:27 EDT
@Dennis,

While you wait, you can try recompiling the SRPM, which is what I did for Fedora 17:

> wget https://kojipkgs.fedoraproject.org//packages/chkrootkit/0.50/4.fc21/src/chkrootkit-0.50-4.fc21.src.rpm
> rpmbuild --rebuild chkrootkit-0.50-4.fc21.src.rpm
> sudo yum update /PATH/TO/chkrootkit-0.50-4.fc19.ARCH.rpm

NB: you might need to "sudo yum install rpm-build" first.
Comment 38 Jon Ciesla 2014-10-21 15:05:35 EDT
Sure, I'll get that out.
Comment 39 Fedora Update System 2014-10-21 15:24:59 EDT
chkrootkit-0.50-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/chkrootkit-0.50-4.fc19
Comment 40 Fedora Update System 2014-10-31 21:39:22 EDT
chkrootkit-0.50-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 41 Fedora Update System 2014-10-31 21:43:40 EDT
chkrootkit-0.50-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 42 Fedora Update System 2014-11-01 13:11:08 EDT
chkrootkit-0.50-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.