[Bug 454566] [NEW] False positive for SucKit
Lupe Christoph
lupe at lupe-christoph.de
Sun Oct 18 11:49:52 BST 2009
Public bug reported:
Binary package hint: chkrootkit
Searching for Suckit rootkit... Warning:
/sbin/init INFECTED
According to http://cc.jlab.org/docs/security/alerts/ this is an
indicator for a SucKit infection:
# ls -li /sbin/init /sbin/telinit
172240 -rwxr-xr-x 1 root root 199472 2009-10-15 21:19 /sbin/init
172791 -rwxr-xr-x 1 root root 96568 2009-10-15 21:19 /sbin/telinit
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html gives
some hints on how to verify an infection. As I expected, they show no sign
of SucKit.
This false positive seems to have been popping up for a few years. So I guess
the check for SucKit needs improvement...
ProblemType: Bug
Architecture: amd64
Date: Sun Oct 18 12:42:45 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: fglrx
Package: chkrootkit 0.48-10
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-13.44-generic
SourcePackage: chkrootkit
Uname: Linux 2.6.31-13-generic x86_64
** Affects: chkrootkit (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug
--
False positive for SucKit
https://bugs.launchpad.net/bugs/454566