Chkrootkit shows infections, what next ?

[tasmod]

As part of overall testing of my system i turned off the firewall for a couple of days.

Today I downloaded and ran Chkrootkit on my system, it produced a list of files etc and then showed infections as follows:-

Code: Select all

# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... strings: w: No such file or directory
not infected
Checking `write'... strings: write: No such file or directory
/bin/ls: cannot access write: No such file or directory
not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5                                                                                                   /5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2                                                                                                   -linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/a                                                                                                   uto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUt                                                                                                   ils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlis                                                                                                   t /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl                                                                                                   5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2                                                                                                   -linux-gnu/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec 
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not infected
# 

What next ? I don't know where to go from here as I'm not familiar with chkrootkit, is it a real result or just a shadow?

[MU]

Puppy uses several replacements, so programs from the binutils are replaced with those from busybox.
This may confuse such utilities.

I am not familiar with your scanner, so you might need to read their documentation to see, which criteria it uses to identify something as infected.

You might run Puppy without a savefile, and check it again.
If you still get info about infections on those file, everything should be ok, as then they certainly are related to the busybox replacements.

Mark

[tasmod]

Thanks Mu,

I was more concerned with the actual files showing as infected.

They appear to be just the ones that would likely be infected, E.G. login, env, passwd, traceroute and the init

I'll check out the site for more info.

I also ran Xfprot anti-virus from the menu and updated it's definitions.

After a scan this showed one infection only in the report list, itself

[tasmod]

OK checked out the site and ran tests here, they are infected with Suckit rootkit.

It's a trojan key reporter.

I'm going to delete the frugal install and reinstall again, it's not a major problem but slightly annoying.

Couple of days without firewall and this is what happens.

So much for Linux being pointless to infect, the website reports that there are 65 infections possible with Linux that it checks for.

I hope it's all a mistake and false positives.

[Pizzasgood]

Probably false positives. I just tested with a pristine 4.3.1 iso that I just downloaded fresh, and it listed the same things as infected, and the Suckit rootkit. I downloaded it from the gatech repo (I can grab a Puppy in ~10s from that - I live nearly on top of the server ), and checked the md5sum with the one at ibiblio.

All files it told me are infected are actually symlinks to busybox. Which is probably why it's complaining.

Apparently what is triggering it is that the busybox executable contains the string 'HOME'.

Code: Select all

   ### Suckit
   if [ -f ${ROOTDIR}sbin/init ]; then
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
        then
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
      else
         if [ -d ${ROOTDIR}/dev/.golf ]; then
            echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
	 else
            if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
	 fi
      fi
   fi

Busybox is basically a bunch of programs combined into one very small package. So things that chkrootkit does not expect to see in, for example, 'echo', are there because of the other programs that busybox mimics.

[tasmod]

Ahh, thanks Pizzagood, mind put at rest.

I considered false positives but site details were adamant it was correct.

I haven't had time to check anything yet so this saves me messing up a perfectly good install.

Rob

[PaulBx1]

If these are busybox items, couldn't tasmod just verify that busybox exists only in /initrd./pup_ro2, and not in /initrd/pup_rw? (Since the latter is the only place a new file such as a rootkit or trojan can appear?)

[Pizzasgood]

Yeah, that works. If you assume the pup_xxx.sfs file hasn't been swapped out from under his feet anyway. That would indicated an attack targeted at Puppy, or at least at him, as opposed to an attack against Linux in general.

[alienjeff]

What next ?

ZOMG PANIC! THAT'S WHAT'S NEXT!