chkrootkit says /sbin/init is infected, what does that mean?
I recently ran chkrootkit
and got the following line:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
What does this mean exactly? I heard this was a false positive; what exactly is happening?
Please and thank you.
Solution 1:
It's likely this is a false positive, since there's a bug in chkrootkit (supposedly fixed in a later version, 0.50-3ubuntu1). Apparently chkrootkit doesn't perform a rigorous enough check.
See: https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566
Additionally you could try rkhunter which is similar to chkrootkit.
Some more information: Fortunately, running file `which chkrootkit` shows us that chkrootkit is just a shell script so we can inspect it directly.
Searching for Suckit in the file /usr/sbin/chkrootkit we find:
    ### Suckit
    if [ -f ${ROOTDIR}sbin/init ]; then
       if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
          cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
       then
          echo "Warning: ${ROOTDIR}sbin/init INFECTED"
       else
          if [ -d ${ROOTDIR}/dev/.golf ]; then
             echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
          else
             if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
          fi
       fi
    fi
The key line is:
    cat ${ROOTDIR}/proc/1/maps | ${egrep} "init."
On recent versions of Ubuntu, running that command does produce some output (you need to run it as root or with sudo):
    # sudo cat /proc/1/maps | egrep "init."
    b78c2000-b78db000 r-xp 00000000 08:02 271571 /sbin/init (deleted)
    b78db000-b78dc000 r--p 00019000 08:02 271571 /sbin/init (deleted)
    b78dc000-b78dd000 rw-p 0001a000 08:02 271571 /sbin/init (deleted)
However, this is not an infection by a rootkit. I have also looked at the rkhunter code, and the checks are far more rigorous (testing for all sorts of additional files installed by the rootkit).
I have changed lines 1003 and 1004 in the chkrootkit file so that it does not perform the check of /proc/1/maps (remember to take a copy first):
    if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME ) \
       >/dev/null 2>&1
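The /proc/1/maps half of that check is nothing more than the regular expression `init.`, and why it fires on an upgraded Ubuntu system can be reproduced without a live /proc. The script below is an added example, not chkrootkit's or rkhunter's code: it runs the same `egrep "init."` pattern over constructed /proc/1/maps lines (the "(deleted)" output quoted above, a normal mapping, and a hypothetical renamed init binary, which is presumably what a pattern like `init.` was written to catch) and contrasts it with a tighter variant of my own that strips the " (deleted)" annotation the kernel appends when a mapped file has been replaced on disk. The function names and sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): reproduces the regex half of
# chkrootkit's Suckit check against constructed /proc/1/maps samples.

# Constructed sample: /proc/1/maps after /sbin/init was replaced on disk by a
# package upgrade while PID 1 kept running; the kernel marks the unlinked
# file with " (deleted)".
MAPS_UPGRADED='b78c2000-b78db000 r-xp 00000000 08:02 271571 /sbin/init (deleted)
b78db000-b78dc000 r--p 00019000 08:02 271571 /sbin/init (deleted)'

# Constructed sample: the on-disk binary still matches the running one.
MAPS_NORMAL='b7768000-b779f000 r-xp 00000000 08:02 399192 /sbin/init
b779f000-b77a0000 r--p 00036000 08:02 399192 /sbin/init'

# Constructed sample: PID 1 running from a hypothetical renamed init binary,
# the kind of path a pattern like "init." would be looking for.
MAPS_RENAMED='b7768000-b779f000 r-xp 00000000 08:02 399192 /sbin/initxyz'

# chkrootkit_maps_check MAPS_TEXT
# Same test chkrootkit performs: "init." means "init" followed by any single
# character, so "init (deleted)" matches via the space, while a path that
# simply ends in "init" does not. Prints INFECTED or "nothing found".
chkrootkit_maps_check() {
    if printf '%s\n' "$1" | grep -E 'init.' >/dev/null 2>&1; then
        echo "INFECTED"
    else
        echo "nothing found"
    fi
}

# strict_maps_check MAPS_TEXT
# Assumed tighter variant (mine, not from chkrootkit or rkhunter): drop the
# kernel's " (deleted)" suffix, look only at the mapped path, and flag it
# only when the basename is "init" with extra characters after it.
strict_maps_check() {
    if printf '%s\n' "$1" | sed 's/ (deleted)$//' | awk '{ print $NF }' \
        | grep -E '/init.+$' >/dev/null 2>&1; then
        echo "INFECTED"
    else
        echo "nothing found"
    fi
}

echo "chkrootkit pattern, upgraded init: $(chkrootkit_maps_check "$MAPS_UPGRADED")"
echo "chkrootkit pattern, normal init:   $(chkrootkit_maps_check "$MAPS_NORMAL")"
echo "chkrootkit pattern, renamed init:  $(chkrootkit_maps_check "$MAPS_RENAMED")"
echo "strict pattern,     upgraded init: $(strict_maps_check "$MAPS_UPGRADED")"
echo "strict pattern,     normal init:   $(strict_maps_check "$MAPS_NORMAL")"
echo "strict pattern,     renamed init:  $(strict_maps_check "$MAPS_RENAMED")"
```

The point the output makes is that the "(deleted)" case and the renamed-binary case are indistinguishable to `init.`, which is why an init upgrade that has not yet been followed by a reboot looks like an infection to chkrootkit; checking whether the path itself is still /sbin/init separates the two.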
Solution 2:
On Kubuntu 13.04, as of 2013-07-31:
Running:
    cat /sbin/init | egrep HOME
produces:
    Binary file (standard input) matches
AND
Running:
    cat /proc/1/maps | egrep "init."
produces NO output.
Note: removing the period (changing "init." to "init") produces output:
    b7768000-b779f000 r-xp 00000000 08:02 399192 /sbin/init
    b779f000-b77a0000 r--p 00036000 08:02 399192 /sbin/init
    b77a0000-b77a1000 rw-p 00037000 08:02 399192 /sbin/init
So it appears to me that the part checking HOME is the problem.
If one can make the assumption that rkhunter has a valid check, then perhaps the easy route is just to remove this section from chkrootkit and run both rkhunter and chkrootkit?