You are not logged in.
- Topics: Active | Unanswered
#1 2007-09-21 09:29:58
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
[Solved] Chkrootkit and Suckit
Hi all,
today chkrootik informs me that /sbin/init is intected by Suckit rootkit; the strange thing is that I obtain the same message on 3 different machines: my laptop, my server and another dektop. I think that this is false positive, but I want to know if
anyone have the same message
Thanks,
Luca
P.S.: all start after the massive upgrade
Last edited by luca (2007-09-25 19:47:37)
Offline
#2 2007-09-21 09:48:08
- xsdnyd
- Member
- Registered: 2007-04-28
- Posts: 110
Re: [Solved] Chkrootkit and Suckit
i used chkrootkit a few minutes ago and it found nothing.
my system is up to date and i just run chkrootkit as root.
perhabs this message is not a false positive
Last edited by xsdnyd (2007-09-21 09:48:21)
We can't stop here! This is bat country!!
Offline
#3 2007-09-21 10:17:58
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
Thanks xsdnyd for your reply
I installed RootkitHunter and it doesn't find the rootkit
Offline
#4 2007-09-21 10:25:56
- xsdnyd
- Member
- Registered: 2007-04-28
- Posts: 110
Re: [Solved] Chkrootkit and Suckit
i forgot to mention that i am using arch64. perhabs this does matter
We can't stop here! This is bat country!!
Offline
#5 2007-09-21 10:27:02
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
Maybe,
all my systems are x86
Offline
#6 2007-09-21 15:55:21
- MrWeatherbee
- Member
- Registered: 2007-08-01
- Posts: 277
Re: [Solved] Chkrootkit and Suckit
32-bit here. Just ran a pacman -Syu to be sure everything is up-to-date. It is. Chkrootkit doesn't find anything.
/opt/chkrootkit/chkrootkit | grep -i "init"
Checking `init'... not infectedpacman -Qo /sbin/init
/sbin/init is owned by sysvinit 2.86-3/opt/chkrootkit/chkrootkit -V
chkrootkit version 0.47Offline
#7 2007-09-21 16:31:50
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
Hi MrWeatherbee,
did you reboot after the upgrade?
Offline
#8 2007-09-21 16:45:35
- MrWeatherbee
- Member
- Registered: 2007-08-01
- Posts: 277
Re: [Solved] Chkrootkit and Suckit
Hi MrWeatherbee,
did you reboot after the upgrade?
Well, the pacman -Syu I mentioned in my previous post didn't find anything to upgrade, so for that there was no reason to reboot. And though I'm pretty sure I rebooted after the last 'Syu' that did find upgrades, I went ahead and rebooted for you just now since I know that getting a positive result from chkrootkit can be stressful. But, after the reboot, I'm still getting the same results as previously posted.
Offline
#9 2007-09-21 16:57:15
- jnengland77
- Member
- From: Black Hills, USA
- Registered: 2005-05-06
- Posts: 111
Re: [Solved] Chkrootkit and Suckit
Yeah I ran chkroot as root, and my init was infected, too. I haven't rebooted for a while though. I'll have to try later when I go back home.
~jnengland77
Offline
#10 2007-09-21 17:13:28
- thayer
- Fellow
- From: Vancouver, BC
- Registered: 2007-05-20
- Posts: 1,560
- Website
Re: [Solved] Chkrootkit and Suckit
32-bit here as well... system is up-to-date and apparently clean:
Checking `init'... not infectedthayer williams ~ cinderwick.ca
Offline
#11 2007-09-21 17:31:46
- ataraxia
- Member
- From: Pittsburgh
- Registered: 2007-05-06
- Posts: 1,553
Re: [Solved] Chkrootkit and Suckit
You should post checksums for the file so we can see if they're actually different.
Offline
#12 2007-09-21 17:32:30
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
Hi jnengland77,
I can confirm that after a reboot chkrootkit doesn't show anymore the message about Suckit
I will do some test on another system (my server which has an uptime > 230 days) next monday
Offline
#13 2007-09-21 17:35:43
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
[luca@cagliostro ~]$ md5sum /sbin/init
654693084bf8faf23838ee50afb3676e /sbin/initOffline
#14 2007-09-21 17:55:25
- MrWeatherbee
- Member
- Registered: 2007-08-01
- Posts: 277
Re: [Solved] Chkrootkit and Suckit
[luca@cagliostro ~]$ md5sum /sbin/init 654693084bf8faf23838ee50afb3676e /sbin/init
That md5sum matches mine for /sbin/init.
Offline
#15 2007-09-21 17:59:51
- xsdnyd
- Member
- Registered: 2007-04-28
- Posts: 110
Re: [Solved] Chkrootkit and Suckit
on arch64 the md5sum is:
d2cf7fa74328811e2930c0b0f7166e92
We can't stop here! This is bat country!!
Offline
#16 2007-09-21 18:50:04
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
The md5 is not different from a clean machine and the infected one
Offline
#17 2007-09-21 23:34:23
- jnengland77
- Member
- From: Black Hills, USA
- Registered: 2005-05-06
- Posts: 111
Re: [Solved] Chkrootkit and Suckit
The md5 is not different from a clean machine and the infected one
Comfirmed.
$ md5sum /sbin/init
654693084bf8faf23838ee50afb3676e /sbin/init
I haven't rebooted yet though, but then again it looks like I don't have to.
Offline
#18 2007-09-25 19:46:25
- luca
- Member
- From: Rome
- Registered: 2005-10-30
- Posts: 280
Re: [Solved] Chkrootkit and Suckit
Hi all,
after a reboot chkdsk doesn't show anymore the warning.
So it was a false positive
Thanks for your help
Offline