  #1  
Old 26th December 2011, 04:32 PM
infotechmike Offline
Registered User
 
Join Date: Dec 2011
Location: Buffalo, NY
Posts: 8
Chkrootkit finds Suckit rootkit in Fedora 16

Does anyone else have this problem?

I understand the "Searching for Suckit rootkit... Warning: /sbin/init INFECTED" warning has been a bug since Fedora 14: https://bugzilla.redhat.com/show_bug.cgi?id=636231

but what's going on here:

Checking `wted'... 5 deletion(s) between Thu Oct 20 09:13:57 2011 and Thu Oct 20 09:14:12 2011
5 deletion(s) between Thu Oct 20 09:17:57 2011 and Thu Oct 20 09:18:37 2011
5 deletion(s) between Thu Oct 20 09:20:00 2011 and Thu Oct 20 09:20:22 2011

I see many more deletions at random times in groups of five up through today. I did remove a hidden ./java directory and an /opt/rrdtool-1.4.5 folder that I didn't install.

I think there's a for loop at work here but unhide, rkhunter, and clamav come back clean. Is this another bug or am I in trouble?

Last edited by infotechmike; 26th December 2011 at 05:08 PM. Reason: unhide, rkhunter and clamav scans do not return suckit warning
  #2  
Old 26th December 2011, 11:35 PM
mschwendt Offline
Registered User
 
Join Date: Jun 2010
Posts: 312
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Quote:
Originally Posted by infotechmike
Checking `wted'... 5 deletion(s) between Thu Oct 20 09:13:57 2011 and Thu Oct 20 09:14:12 2011
5 deletion(s) between Thu Oct 20 09:17:57 2011 and Thu Oct 20 09:18:37 2011
5 deletion(s) between Thu Oct 20 09:20:00 2011 and Thu Oct 20 09:20:22 2011
Could be a bug in the chkwtmp executable (on x86_64 that's /usr/lib64/chkrootkit-0.49/chkwtmp). If you run that executable manually (or with args -f /var/log/wtmp), it will print the same errors. Save a backup of /var/log/wtmp in any case.
Consider filing a bug report at http://bugz.fedoraproject.org/chkrootkit

Quote:
I did remove a hidden ./java directory and
Could have been a false positive. In several places chkrootkit simply warns about hidden directories.

Quote:
an /opt/rrdtool-1.4.5 folder that I didn't install.
That's weird. rrdtool in Fedora is 1.4.4 not 1.4.5, and it doesn't use /opt. My guess would be you've installed rrdtool from other sources.
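As an added example (not part of the thread, and not chkrootkit's own code), here is a small Python reader for a wtmp image that reports runs of zeroed records in the same shape as chkwtmp's "N deletion(s) between A and B" lines. It assumes the x86_64 glibc struct utmp layout (384-byte records) and assumes, as a simplification, that chkwtmp counts an all-zero record as a deleted entry; the sample wtmp data is constructed inline. Running something like this over a backup of /var/log/wtmp shows what the "deletions" actually are (which records, and what surrounds them) before deciding whether they indicate log tampering or a tool or logging bug.

```python
import struct
import time

# Layout of struct utmp on x86_64 glibc (384 bytes). Assumed layout for this
# example; a real file must be read with the layout of the libc that wrote it.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7
DEAD_PROCESS = 8


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one wtmp record; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Split a wtmp image into records, remembering which ones are all zero."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode("ascii", "replace"),
            "user": f[4].rstrip(b"\0").decode("ascii", "replace"),
            "host": f[5].rstrip(b"\0").decode("ascii", "replace"),
            "time": f[9],                      # ut_tv.tv_sec
            "zeroed": raw == bytes(UTMP_SIZE),
        })
    return records


def find_deletions(records):
    """Count runs of zeroed records and report the valid timestamps on either
    side of each run. Treating a zeroed record as a deleted entry is the
    heuristic this example assumes chkwtmp uses."""
    findings = []
    prev_time = None
    run = 0
    for rec in records:
        if rec["zeroed"]:
            run += 1
            continue
        if run:
            findings.append((run, prev_time, rec["time"]))
            run = 0
        prev_time = rec["time"]
    if run:                       # zeroed records at the very end of the file
        findings.append((run, prev_time, None))
    return findings


def format_findings(findings):
    """Render findings in the same style as chkwtmp's output lines."""
    def fmt(t):
        if t is None:
            return "end of file"
        return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(t))
    return ["%d deletion(s) between %s and %s" % (n, fmt(a), fmt(b))
            for n, a, b in findings]


# Constructed sample: two logins, five zeroed records, then one logout.
T0 = 1319102037   # arbitrary epoch seconds chosen for the sample
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1201, "tty1", "mike", "", T0)
    + make_record(USER_PROCESS, 1305, "pts/0", "mike", "localhost", T0 + 15)
    + bytes(UTMP_SIZE) * 5
    + make_record(DEAD_PROCESS, 1305, "pts/0", "", "", T0 + 240)
)


def scan(data=SAMPLE_WTMP):
    """Parse a wtmp image and return the (count, before, after) findings."""
    return find_deletions(parse_wtmp(data))


if __name__ == "__main__":
    # For a real file: scan(open("/var/log/wtmp", "rb").read())
    for line in format_findings(scan()):
        print(line)
```

The parser keeps the raw bytes of each record, so a record that merely has a zero timestamp but a non-zero type or user is not counted; only fully zeroed records are. That distinction is useful when comparing against chkwtmp's report: if the flagged records are entirely blank, a logging or shutdown bug is as plausible an explanation as tampering, and the surrounding valid records tell you which sessions they sit between.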
  #3  
Old 27th December 2011, 12:23 AM
bob Offline
Administrator (yeah, back again)
 
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth (also Routes 56 & 68).
Age: 69
Posts: 22,207
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Did you happen to see this article? http://www.signal11.eu/en/research/a...ure2004_en.pdf
__________________
Linux & Beer - That TOTALLY Computes!
Registered Linux User #362651


Don't use any of my solutions on working computers or near small children.
  #4  
Old 27th December 2011, 02:01 AM
mschwendt Offline
Registered User
 
Join Date: Jun 2010
Posts: 312
Re: Chkrootkit finds Suckit rootkit in Fedora 16

bob, it's a false positive. Please visit the bug report.
  #5  
Old 27th December 2011, 02:07 AM
bob Offline
Administrator (yeah, back again)
 
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth (also Routes 56 & 68).
Age: 69
Posts: 22,207
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Ah.....well then, ignore my post. Probably always a good idea anyhow.
  #6  
Old 3rd January 2012, 12:49 AM
infotechmike Offline
Registered User
 
Join Date: Dec 2011
Location: Buffalo, NY
Posts: 8
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Thanks to you both for the replies. I did read the rootkit research article suggested by bob. After poking around /sbin/init and confirming there's no /sbin/initsk12 or other curiosities, I dug a little deeper with a strings /sbin/init | grep root command but found no evil. I need to learn more about the chkwtmp executable, I wonder what's being deleted?
  #7  
Old 9th January 2012, 12:34 AM
mschwendt Offline
Registered User
 
Join Date: Jun 2010
Posts: 312
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Quote:
Originally Posted by infotechmike
I need to learn more about the chkwtmp executable, I wonder what's being deleted?
As mentioned in my earlier post, consider filing a bug report about it.
  #8  
Old 12th January 2012, 09:27 PM
infotechmike Offline
Registered User
 
Join Date: Dec 2011
Location: Buffalo, NY
Posts: 8
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Done! Set up a Red Hat Bugzilla account and cross-referenced Bug 636231 - /sbin/init INFECTED - (systemd links /sbin/init->../bin/systemd) and Bug 743696 - wtmp is being corrupted at shutdown. Both bugs describe my problem so I think there's a connection.
  #9  
Old 13th January 2012, 11:11 AM
mschwendt Offline
Registered User
 
Join Date: Jun 2010
Posts: 312
Re: Chkrootkit finds Suckit rootkit in Fedora 16

It's good you've tracked down a ticket about wtmp corruption by systemd (with an active test-update for that even), but you are mistaken about the crossreferencing. In bug 636231, you can read the explanation in comment 1.
  #10  
Old 19th January 2012, 05:53 PM
infotechmike Offline
Registered User
 
Join Date: Dec 2011
Location: Buffalo, NY
Posts: 8
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Thanks for explaining it's two problems, not one. The update for Bug 743696 - wtmp is being corrupted at shutdown has come through and solved one issue. I will write off the other, Bug 636231 - /sbin/init INFECTED, as a false positive for now and wait for a fix.
  #11  
Old 9th May 2012, 11:38 AM
cowboy83 Offline
Registered User
 
Join Date: Apr 2012
Location: England, Uk
Posts: 2
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Hi.
Well I am also glad you guys know the ins & outs of this topic. Like other users I have found rkhunter and klamav all say clear re: Suckit rootkit, though chkrootkit says infected with Suckit rootkit.

That's those issues out of way :-)
Now all I have to do is resolve the warnings about rpms being new rpms and tty being missing..... :-(
Great distro though & looking forward to 'final' Fedora 17 :-)

  #12  
Old 18th August 2012, 04:19 AM
fureteur Offline
Registered User
 
Join Date: Aug 2012
Location: USA
Posts: 2
Re: Chkrootkit finds Suckit rootkit in Fedora 16

This has been an interesting thread to someone who has had the same experiences. I did a fresh installation of Fedora 16 and before either updating the installation or going on-line at all, I installed rkhunter and it told me exactly the same thing it had when run after the updates and a little on-line browsing. I felt it safe to conclude that I didn't have a rootkit installed but the "replaced" files warnings puzzled me, particularly as two of them were /sbin/ifup and /sbin/ifdown. Why rkhunter identified them as having been replaced is something I don't know but imagine that rkhunter ran an md5sum on the files and found that the resulting numbers were different than those in the installation database, declaring the files as having been replaced. Perhaps Red Hat could shed some light on the matter but at this point it seems a moot issue.
  #13  
Old 18th August 2012, 12:51 PM
mschwendt Offline
Registered User
 
Join Date: Jun 2010
Posts: 312
Re: Chkrootkit finds Suckit rootkit in Fedora 16

rkhunter has nothing to do with chkrootkit, so this thread is not the right one.

For Fedora 16, there have been various updates of the "initscripts" package (which contains the ifup/ifdown scripts). It could be that the rkhunter checksum database covers the latest package, so you would have had to update initscripts before running rkhunter.
  #14  
Old 18th August 2012, 10:26 PM
fureteur Offline
Registered User
 
Join Date: Aug 2012
Location: USA
Posts: 2
Re: Chkrootkit finds Suckit rootkit in Fedora 16

Quote:
Originally Posted by mschwendt
rkhunter has nothing to do with chkrootkit, so this thread is not the right one.

For Fedora 16, there have been various update of the "initscripts" package (which contains the ifup/ifdown scripts). It could be that the rkhunter checksum database covers the latest package, so you would have had to update initscripts before running rkhunter.
I appreciate the information and understand what you are telling me. Perhaps I should have made myself a little more clear but in addition to installing chkrootkit and running it with what appeared might be false positives (the changed and missing files as well as the assertion that I had been infected with "Suckit"), I also installed and ran rkhunter which identified the same individual file problems but which affirmatively told me that I did not have Suckit. I then did a fresh reinstallation and ran both tests (chkrootkit and rkhunter) before doing any updates and then again after doing the updates and the results were identical.

In view of the contradiction between the two utilities concerning Suckit, I have tentatively decided that I do not have the rootkit however I am left to speculate about the missing and altered files. Chkrootkit told me that the MD5sum on the ifup and ifdown scripts was wrong and I don't know how those utilities would arrive at that but am assuming that the change is a legitimate result of the updates and probably nothing to worry about.

Thanks again for the information concerning those script files. I'm resting a little easier concerning the findings of both chkrootkit and rkhunter.
  #15  
Old 19th August 2012, 10:56 AM
mschwendt Offline
Registered User
 
Join Date: Jun 2010
Posts: 312
Re: Chkrootkit finds Suckit rootkit in Fedora 16

If rkhunter reproducibly reports issues with ifup/ifdown even after a full update of the installation, somebody may need to figure out the cause of it and/or report that: http://bugz.fedoraproject.org/rkhunter or possibly rkhunter upstream, where I think the checksums are provided (but I'm less familiar with rkhunter compared with chkrootkit).

Quote:
Originally Posted by fureteur
Chkrootkit told me that the MD5sum on the ifup and ifdown scripts was wrong
chkrootkit does not perform such MD5 checks.