On Thursday, 2010-08-19 at 08:02:45 -0000, Maxime wrote:

> I can confirm the issue on Lucid. It's probably related to an upstart
> update to 0.6.5-7.
> [...]
> Searching for Suckit rootkit... Warning:
> /sbin/init INFECTED
> [...]
> # strings /sbin/init | egrep HOME
> # cat /proc/1/maps | egrep "init."
> 00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
> 00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
> 00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)

I rechecked, and I get this, too:

# chkrootkit -q
Warning: /sbin/init INFECTED

Also the deleted /sbin/init.

I rebooted the system, and now /sbin/init isn't deleted anymore (surprise! ;-) and the INFECTED is gone, too.

So I suppose the cause of the INFECTED is that the running /sbin/init is different from the one in the filesystem.

Checking ... Jupp, here is the line from chkrootkit:

    expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."

This triggers when there is an entry in /proc/1/maps where "init" is not at the end of the line.

Googling, I found this was discussed for Gentoo in
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
... and for Ubuntu in
http://ubuntuforums.org/showthread.php?p=9741505

Alas, I could not find out what /proc/1/maps looks like when a real Suckit is on the machine. Quite possibly Suckit removes /sbin/init and links its own version there. If it does this only once, the " (deleted)" will disappear after the first reboot, so it's not a good indicator, and it reaps many more false positives.

So I think chkrootkit would be better off without this test.

Lupe Christoph

-- 
False positive for SucKit
https://bugs.launchpad.net/bugs/454566
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
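The heuristic Lupe quotes can be reproduced offline. The script below is an added example for this bug thread, not code from chkrootkit or from the reporters: it runs the quoted test (an unanchored egrep for the pattern init.) over constructed /proc/1/maps samples, one clean, one showing the unlinked /sbin/init from the report, and one with a made-up library path that merely contains "init", and contrasts it with a narrower pattern that only matches an unlinked /sbin/init mapping. All three maps samples and the library name /lib/libinitutil.so.1 are constructed for this example.

```shell
#!/bin/sh
# Added example for the chkrootkit SucKit false positive discussed in
# Launchpad bug 454566. Not part of chkrootkit; all sample data is constructed.

# Constructed sample: a healthy PID 1 whose /sbin/init mappings end the line.
CLEAN_MAPS='00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init
b7700000-b7721000 rw-p 00000000 00:00 0          [heap]
bfd7d000-bfd92000 rw-p 00000000 00:00 0          [stack]'

# Constructed sample: the situation from the report. The upstart package
# replaced /sbin/init on disk while PID 1 kept running the unlinked copy,
# so the kernel appends " (deleted)" to the path in /proc/1/maps.
DELETED_MAPS='00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)
b7700000-b7721000 rw-p 00000000 00:00 0          [heap]'

# Constructed sample: a clean init that also maps a hypothetical shared
# library whose file name happens to contain "init". The path is invented.
LIB_MAPS='00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init
b75e0000-b75f0000 r-xp 00000000 68:01 2231 /lib/libinitutil.so.1'

# The chkrootkit test as quoted in the report: egrep for the unanchored
# pattern init. which means "init" followed by any single character.
# Takes the maps content as $1 and prints INFECTED or clean.
chkrootkit_suckit_check() {
    if printf '%s\n' "$1" | grep -E 'init.' >/dev/null; then
        echo INFECTED
    else
        echo clean
    fi
}

# A narrower formulation: match only a /sbin/init mapping whose backing file
# was unlinked. This no longer fires on unrelated names, but the report's
# point stands: it still cannot tell a package upgrade from a replaced init.
deleted_init_check() {
    if printf '%s\n' "$1" | grep -E '/sbin/init \(deleted\)$' >/dev/null; then
        echo "unlinked /sbin/init mapping present"
    else
        echo "no unlinked /sbin/init mapping"
    fi
}

# Stand-alone demonstration over the three constructed samples.
for sample in CLEAN_MAPS DELETED_MAPS LIB_MAPS; do
    eval "content=\$$sample"
    echo "$sample: chkrootkit test -> $(chkrootkit_suckit_check "$content")"
    echo "$sample: narrow test     -> $(deleted_init_check "$content")"
done
```

On a live system the same functions can be fed the real file with chkrootkit_suckit_check "$(cat /proc/1/maps)". The unlinked-binary condition is also visible without any maps parsing: readlink /proc/1/exe ends in " (deleted)" whenever PID 1 runs a file that has since been removed or replaced, which is exactly what happens after an upstart upgrade and before the next reboot.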