Puppy Linux Discussion Forum
Chkrootkit shows infections, what next ?
tasmod
Joined: 04 Dec 2008 | Posts: 1461 | Location: North Lincolnshire. UK
Posted: Sat 07 Nov 2009, 06:19    Subject: Chkrootkit shows infections, what next ?

As part of overall testing of my system I turned off the firewall for a couple of days.

Today I downloaded and ran Chkrootkit on my system. It produced a list of files etc. and then showed infections as follows:

Code:
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... strings: w: No such file or directory
not infected
Checking `write'... strings: write: No such file or directory
/bin/ls: cannot access write: No such file or directory
not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not infected
#


What next? I don't know where to go from here as I'm not familiar with chkrootkit. Is it a real result or just a shadow?

_________________
Rob
-
The moment after you press "Post" is the moment you actually see the typso
MU
Joined: 24 Aug 2005 | Posts: 13642 | Location: Karlsruhe, Germany
Posted: Sat 07 Nov 2009, 06:38

Puppy uses several replacements, so programs from the binutils are replaced with those from busybox.
This may confuse such utilities.

I am not familiar with your scanner, so you might need to read their documentation to see which criteria it uses to identify something as infected.

You might run Puppy without a savefile and check it again.
If you still get info about infections on those files, everything should be OK, as then they certainly are related to the busybox replacements.

Mark

_________________
my recommended links
tasmod
Joined: 04 Dec 2008 | Posts: 1461 | Location: North Lincolnshire. UK
Posted: Sat 07 Nov 2009, 06:48

Thanks MU,

I was more concerned with the actual files showing as infected.

They appear to be just the ones that would likely be infected, e.g. login, env, passwd, traceroute and the init.

I'll check out the site for more info.

I also ran Xfprot anti-virus from the menu and updated its definitions.

After a scan this showed one infection only in the report list: itself.

tasmod
Joined: 04 Dec 2008 | Posts: 1461 | Location: North Lincolnshire. UK
Posted: Sat 07 Nov 2009, 13:45    Subject: Infections can happen !!

OK, I checked out the site and ran tests here; they are infected with the Suckit rootkit.

It's a trojan key reporter.

I'm going to delete the frugal install and reinstall again, it's not a major problem but slightly annoying.

Couple of days without firewall and this is what happens.

So much for Linux being pointless to infect, the website reports that there are 65 infections possible with Linux that it checks for.

I hope it's all a mistake and false positives.

Pizzasgood
Joined: 04 May 2005 | Posts: 6270 | Location: Knoxville, TN, USA
Posted: Sat 07 Nov 2009, 14:28

Probably false positives. I just tested with a pristine 4.3.1 iso that I downloaded fresh, and it listed the same things as infected, and the Suckit rootkit. I downloaded it from the gatech repo (I can grab a Puppy in ~10s from that; I live nearly on top of the server) and checked the md5sum against the one at ibiblio.

All the files it told me are infected are actually symlinks to busybox, which is probably why it's complaining.

Apparently what is triggering it is that the busybox executable contains the string 'HOME'.
Code:
### Suckit
if [ -f ${ROOTDIR}sbin/init ]; then
    if [ "${QUIET}" != "t" ]; then printn "Searching for Suckit rootkit... "; fi
    if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
        cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
    then
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
    else
        if [ -d ${ROOTDIR}/dev/.golf ]; then
            echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
        else
            if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
        fi
    fi
fi

Busybox is basically a bunch of programs combined into one very small package. So things that chkrootkit does not expect to see in, for example, 'echo', are there because of the other programs that busybox mimics.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

tasmod
Joined: 04 Dec 2008 | Posts: 1461 | Location: North Lincolnshire. UK
Posted: Sun 08 Nov 2009, 03:07

Ahh, thanks Pizzasgood, mind put at rest.

I considered false positives but site details were adamant it was correct.

I haven't had time to check anything yet, so this saves me messing up a perfectly good install.

Rob

PaulBx1
Joined: 16 Jun 2006 | Posts: 2308 | Location: Wyoming, USA
Posted: Tue 10 Nov 2009, 20:51

If these are busybox items, couldn't tasmod just verify that busybox exists only in /initrd/pup_ro2, and not in /initrd/pup_rw? (Since the latter is the only place a new file such as a rootkit or trojan can appear?)
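A triage script for the two points raised above (Pizzasgood's: the flagged names are busybox symlinks and the Suckit check merely greps /sbin/init for the string HOME; PaulBx1's: a genuinely new file would have to sit in the writable pup_rw layer rather than the read-only pup_ro2 SFS), added here as an example and not code from the thread, from chkrootkit or from Puppy. It runs against a constructed throwaway tree; the fake busybox contents, taking the layer paths relative to a root argument, and the availability of `readlink -f` and `grep -a` are assumptions.

```shell
#!/bin/sh
# Added example: triage names chkrootkit flagged on a busybox-based Puppy.
# Layer paths (/initrd/pup_ro2, /initrd/pup_rw) are resolved under $root so
# the script runs on a constructed tree; readlink -f and grep -a are assumed.

# The Suckit heuristic chkrootkit applies to /sbin/init: does the file contain "HOME"?
has_home_string() { grep -aq 'HOME' "$1"; }

# "busybox-applet" when the path resolves to a file named busybox, else "standalone".
classify_binary() {
    case "$(basename "$(readlink -f "$1")")" in
        busybox) echo busybox-applet ;;
        *)       echo standalone ;;
    esac
}

# Report which layer(s) hold the name: ro, rw, ro+rw or none. A copy in the
# writable layer is what merits attention; the SFS only changes if replaced.
layer_of() {
    root=$1; name=$2; out=""
    [ -e "$root/initrd/pup_ro2/bin/$name" ] && out="ro"
    [ -e "$root/initrd/pup_rw/bin/$name" ] && out="${out:+$out+}rw"
    echo "${out:-none}"
}

# One line per flagged name, e.g. "login: busybox-applet HOME=yes layer=ro".
triage() {
    root=$1; name=$2; path="$root/bin/$name"
    [ -e "$path" ] || { echo "$name: missing"; return 0; }
    if has_home_string "$path"; then h=yes; else h=no; fi
    echo "$name: $(classify_binary "$path") HOME=$h layer=$(layer_of "$root" "$name")"
}

# Constructed throwaway tree: applets symlinked to a fake busybox that carries
# the HOME string, mirrored in the ro layer, plus one stray binary in rw.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/initrd/pup_ro2/bin" "$root/initrd/pup_rw/bin"
    printf 'busybox multi-call binary\nHOME=/root\n' > "$root/initrd/pup_ro2/bin/busybox"
    cp "$root/initrd/pup_ro2/bin/busybox" "$root/bin/busybox"
    for a in echo login passwd env; do
        ln -s busybox "$root/bin/$a"
        ln -s busybox "$root/initrd/pup_ro2/bin/$a"
    done
    printf 'standalone binary without env names\n' > "$root/bin/grep"
    cp "$root/bin/grep" "$root/initrd/pup_rw/bin/grep"
    echo "$root"
}
```

On a live Puppy the same functions run with `/` as the root argument (for example `triage / login`); a result of `busybox-applet` with `layer=ro` matches the false-positive pattern described in the thread, while `layer=rw` or `standalone` on a name that should be a busybox applet is what warrants a closer look.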
Pizzasgood
Joined: 04 May 2005 | Posts: 6270 | Location: Knoxville, TN, USA
Posted: Wed 11 Nov 2009, 16:27

Yeah, that works, if you assume the pup_xxx.sfs file hasn't been swapped out from under his feet anyway. That would indicate an attack targeted at Puppy, or at least at him, as opposed to an attack against Linux in general.
alienjeff
Joined: 08 Jul 2006 | Posts: 2291 | Location: Winsted, CT - USA
Posted: Wed 11 Nov 2009, 18:24    Subject: Re: Chkrootkit shows infections, what next ?

tasmod wrote:
    What next ?

ZOMG PANIC! THAT'S WHAT'S NEXT!


_________________
hangout: ##b0rked on irc.freenode.net
diversion: http://alienjeff.net - visit The Fringe
quote: "The foundation of authority is based upon the consent of the people." - Thomas Hooker
