chkrootkit shows "tcpd" as INFECTED. Is it a false positive?

security malware tcpdump rootkit chkrootkit

Scan by chkrootkit shows "tcpd" as being INFECTED. Although a scan by rkhunter shows ok,(except for regular false positives)

Shall I be worried? (I'm on Ubuntu 16.10 with 4.8.0-37-generic)


Solution 1:

In this Ubuntu Forums post, user kpatz tested this in a fresh 16.10 VM and chkrootkit still complained, making this a false positive. You can always check if a file has been tampered by comparing the md5sum from the package:

$ dpkg -S /usr/sbin/tcpd
tcpd: /usr/sbin/tcpd
$ (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
usr/sbin/safe_finger: OK
usr/sbin/tcpd: OK
usr/sbin/tcpdchk: OK
usr/sbin/tcpdmatch: OK
usr/sbin/try-from: OK
usr/share/man/man8/safe_finger.8.gz: OK
usr/share/man/man8/tcpd.8.gz: OK
usr/share/man/man8/tcpdchk.8.gz: OK
usr/share/man/man8/tcpdmatch.8.gz: OK
usr/share/man/man8/try-from.8.gz: OK

Of course, the md5sums file itself maybe tampered, (and so could md5sum itself and so on...).

Solution 2:

This is a false positive caused by a bug in the main chkrootkit script. I tried to post the fix here, but was downvoted. I reported the issue to the chkrootkit devs, but if you'd like to fix the issue so that it actually works, you might want to check out: https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733

Related

R 3.5.0 for Ubuntu
Iptables reload/restart on Ubuntu 18.04
How to find history of shell commands since machine was created?
How to force any program to close?
bash: set -x logs to file
DNS not working after upgrade 17.04 to 17.10
Is Vim safe to use in combination with sudo?
Is there an alternative for Scrivener (a tool for writers to arrange ideas?)?
How do I use the HUD?
How to install SqlPlus?
dconf change a string key
Eye strain after using Ubuntu for some time