Hi all,
Today chkrootkit informs me that /sbin/init is infected by the Suckit rootkit; the strange thing is that I obtain the same message on 3 different machines: my laptop, my server and another desktop. I think that this is a false positive, but I want to know if anyone has the same message
Thanks,
Luca
P.S.: it all started after the massive upgrade
Last edited by luca (2007-09-25 19:47:37)
Offline
I used chkrootkit a few minutes ago and it found nothing.
My system is up to date and I just ran chkrootkit as root.
Perhaps this message is not a false positive
Last edited by xsdnyd (2007-09-21 09:48:21)
We can't stop here! This is bat country!!
Offline
Thanks xsdnyd for your reply
I installed RootkitHunter and it doesn't find the rootkit
Offline
I forgot to mention that I am using arch64. Perhaps this does matter
We can't stop here! This is bat country!!
Offline
Maybe,
all my systems are x86
Offline
32-bit here. Just ran a pacman -Syu to be sure everything is up-to-date. It is. Chkrootkit doesn't find anything.
/opt/chkrootkit/chkrootkit | grep -i "init"
Checking `init'... not infected
pacman -Qo /sbin/init
/sbin/init is owned by sysvinit 2.86-3
/opt/chkrootkit/chkrootkit -V
chkrootkit version 0.47
Offline
Hi MrWeatherbee,
did you reboot after the upgrade?
Offline
Hi MrWeatherbee,
did you reboot after the upgrade?
Well, the pacman -Syu I mentioned in my previous post didn't find anything to upgrade, so for that there was no reason to reboot. And though I'm pretty sure I rebooted after the last 'Syu' that did find upgrades, I went ahead and rebooted for you just now since I know that getting a positive result from chkrootkit can be stressful. But, after the reboot, I'm still getting the same results as previously posted.
Offline
Yeah I ran chkroot as root, and my init was infected, too. I haven't rebooted for a while though. I'll have to try later when I go back home.
~jnengland77
Offline
32-bit here as well... system is up-to-date and apparently clean:
Checking `init'... not infected
thayer williams ~ cinderwick.ca
Offline
You should post checksums for the file so we can see if they're actually different.
Offline
Hi jnengland77,
I can confirm that after a reboot chkrootkit no longer shows the message about Suckit
I will do some tests on another system (my server, which has an uptime > 230 days) next Monday
Offline
[luca@cagliostro ~]$ md5sum /sbin/init
654693084bf8faf23838ee50afb3676e /sbin/init
Offline
[luca@cagliostro ~]$ md5sum /sbin/init
654693084bf8faf23838ee50afb3676e /sbin/init
That md5sum matches mine for /sbin/init.
Offline
on arch64 the md5sum is:
d2cf7fa74328811e2930c0b0f7166e92
We can't stop here! This is bat country!!
Offline
The md5 is no different between a clean machine and the infected one
Offline
The md5 is no different between a clean machine and the infected one
Confirmed.
$ md5sum /sbin/init
654693084bf8faf23838ee50afb3676e /sbin/init
I haven't rebooted yet though, but then again it looks like I don't have to.
Offline
Hi all,
after a reboot chkdsk no longer shows the warning.
So it was a false positive
Thanks for your help
Offline
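Added example, not part of the original thread or of chkrootkit: a script for the two checks the posts above rely on, namely comparing the posted /sbin/init checksums per architecture and looking at what PID 1 is executing now versus the file on disk. It assumes a Linux /proc; the helper names (exe_state, hashes_agree, reports), the host labels and the architecture labels are constructed, and the hashes are the ones posted above. A binary replaced on disk while the old copy is still running is one condition that would fit the timeline (warning after an upgrade, gone after a reboot); the thread does not establish the cause.

```sh
#!/bin/sh
# Added example: triage helpers for a chkrootkit warning on /sbin/init.

# exe_state LINK PATH: classify the target of /proc/PID/exe against on-disk PATH.
exe_state() {
    case "$1" in
        "$2")           echo current ;;   # process runs the file now on disk
        "$2 (deleted)") echo replaced ;;  # file was unlinked/replaced after start
        *)              echo other ;;     # process runs a different path
    esac
}

# hashes_agree ARCH: read "label arch md5" lines on stdin; succeed only if at
# least one report exists for ARCH and all of them carry the same md5.
hashes_agree() {
    awk -v arch="$1" '
        $2 == arch { n++; seen[$3] = 1 }
        END { k = 0; for (h in seen) k++; exit !(n > 0 && k == 1) }'
}

# Checksums posted in the thread; host and arch labels are constructed.
reports() {
    cat <<'EOF'
flagged-host  i686    654693084bf8faf23838ee50afb3676e
clean-host    i686    654693084bf8faf23838ee50afb3676e
arch64-host   x86_64  d2cf7fa74328811e2930c0b0f7166e92
EOF
}

main() {
    # Resolve symlinks so the comparison also works where /sbin/init is a link.
    path=$(readlink -f /sbin/init 2>/dev/null) || path=/sbin/init
    link=$(readlink /proc/1/exe 2>/dev/null) || link="unreadable (run as root)"
    echo "PID 1 executable: $link [$(exe_state "$link" "$path")]"
    if reports | hashes_agree i686; then
        echo "i686 /sbin/init checksums agree across hosts"
    else
        echo "i686 /sbin/init checksums differ: compare against the package"
    fi
}

main
```

Matching checksums between hosts only show that the files are identical to each other; comparing against the packaged file (the thread uses pacman -Qo to find the owning package) ties them to a known source.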