LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi there,
On my Server (rhel3), #chkrootkit -q returns:
Quote:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
I also ran rkhunter-1.2.7 and it didn't return anything.
I want to find out somehow if chkrootkit returned a false positive or not, because formatting / reinstalling the whole server is not such easy work (the server is used as PDC in the company and this means that I should spend a night or two reinstalling the server or paralyzing the activity for one day ...)
I want to do this kind of stuff only after I get other evidence and info about this rootkit or chkrootkit (0.46a) false positive. I also maintain an AIDE checksum database (offsite). /sbin/init was really changed on 2005-09-30 but that was a date when I did an update of the server (with redhat network). On that day a lot of files were changed/added/removed so it could be a false positive:
Quote:
AIDE found differences between database and filesystem!!
Start timestamp: 2005-09-30 22:02:12
Summary:
Total number of files=152943,added files=14585,removed files=14602,changed files=16098
Please, I really need some help. Does anyone know something more about SuckIT? How can I find out for sure if it is really on my system? Is there a database of checksums with different versions of Linux binaries (like /sbin/init) to compare against my /sbin/init hash?
I am not so happy with this situation
I've read those links but I couldn't find for sure if this rootkit is on my server.
I've tried:
Quote:
for i in *; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done
and
Quote:
for i in `seq 1 33000`; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done
and there is no sk binary. Now I don't know if I can trust cat, echo and the other binaries. Only chkrootkit reports /sbin/init as infected (rkhunter says it is ok). Could it be only a false positive?
I am really worried because this is an enterprise server and I should take a decision quickly.
Now I'm going to read more about SuckIT, and eventually look in the source code of chkrootkit where it checks for this rootkit.
Anyway, my only open ports on the Internet are: ssh (only key auth, no root login, and so on), imaps (all patches installed) and openvpn.
How was it installed? Is it more probable that it came from the inside? (this worries me a lot).
Any feedback on this topic is really really appreciated.
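The two loops above (one over the /proc listing, one probing PIDs 1..33000 by number) are the two halves of a hidden-process check: a kernel rootkit that filters the /proc directory listing often still lets a direct lookup of /proc/<pid> succeed, so a PID that the probe finds but the listing lacks deserves attention. The script below is an added example, not from the thread, that makes that comparison systematic; it assumes a Linux /proc and standard POSIX tools and nothing else from the post.

```sh
#!/bin/sh
# Hidden-process check (added example, not from the thread).
# Compares two views of running processes:
#   1. the PIDs that appear when /proc is listed (readdir), and
#   2. the PIDs found by directly looking up /proc/<pid>/status, 1..MAX.
# A PID present only in view 2 is hidden from the directory listing.

# pids_by_readdir: PIDs obtained by listing /proc (the view a rootkit filters).
pids_by_readdir() {
    ls /proc | grep -E '^[0-9]+$'
}

# pids_by_probe MAX: PIDs 1..MAX found by direct lookup of /proc/<pid>/status.
# MAX defaults to the kernel's pid_max; pass a smaller bound for a quick run.
pids_by_probe() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    i=1
    while [ "$i" -le "$max" ]; do
        [ -e "/proc/$i/status" ] && echo "$i"
        i=$((i + 1))
    done
}

# report_hidden LISTED PROBED: both are files holding one PID per line.
# Prints PIDs present in PROBED but absent from LISTED; prints nothing when
# the two views agree.  Always returns 0 so callers can capture its output.
report_hidden() {
    grep -vxF -f "$1" "$2" || :
}

# check_hidden_processes [MAX]: take both snapshots and compare them.
# Returns 0 when the views agree, 1 when some PID is missing from the listing.
# A process can start or exit between the two snapshots, so re-run a few
# times and only worry about PIDs that are reported consistently.
check_hidden_processes() {
    listed=$(mktemp) && probed=$(mktemp) || return 2
    pids_by_readdir > "$listed"
    pids_by_probe "$1" > "$probed"
    hidden=$(report_hidden "$listed" "$probed")
    rm -f "$listed" "$probed"
    if [ -n "$hidden" ]; then
        echo "PIDs reachable in /proc but missing from its listing: $hidden"
        return 1
    fi
    echo "no hidden PIDs found (probe bound: ${1:-pid_max})"
    return 0
}
```

A clean result is evidence, not proof: a kernel-level rootkit can hook the direct lookup path as well as the listing, and the script relies on the system's own ls, grep and shell, which is exactly the trust problem raised above. It is cheap to run and narrows things down; the offline comparison from rescue media suggested later in the thread remains the stronger check.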
This is a known thing with RHEL3 - it happened to us after we updated to update 6. It seems to go away after a while (maybe they had an update to chkrootkit, I can't remember). Anyway you can assure yourself by rebooting off the rescue CD and doing a sha1sum on /sbin/init, and then comparing that to a system which doesn't flag as being infected by chkrootkit.
Although you should still be careful (just in case it's not a false positive) I'd definitely put my money on it being a false positive in your case, after what happened to us.
Try verifying the integrity of the binary using rpm -V SysVinit. If it's clean, it should produce no output. Did rebooting (as per the link you posted) help?
rpm -V SysVinit produces no output.
I didn't restart the server yet (as I said it is an enterprise server and I should wait for the others to finish their work). Maybe tonight...
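The two checks proposed in the replies above (hash /sbin/init after booting from a rescue CD and compare with a clean machine; run rpm -V SysVinit) can be combined into one script that runs from the rescue environment against the mounted suspect root, so that neither the hash tool nor the rpm binary comes from the system under suspicion. The following is an added example, not code from the thread: it uses sha256sum rather than the sha1sum mentioned above, assumes the suspect filesystem is mounted at /mnt/sysimage (a placeholder; use whatever your rescue media mounts it at), and takes the package name SysVinit and the path /sbin/init from the thread.

```sh
#!/bin/sh
# Verifying a suspect binary such as /sbin/init from rescue media
# (added example, not from the thread).  Run from the rescue shell with the
# suspect root mounted read-only; /mnt/sysimage below is an assumed mount point.

# verify_hash FILE EXPECTED_SHA256: returns 0 if FILE hashes to EXPECTED_SHA256,
# 1 if it does not, 2 if FILE cannot be read.
verify_hash() {
    [ -r "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_against_baseline BASELINE ROOT: BASELINE holds "sha256  /path" lines
# (the format sha256sum writes), taken from a known-clean machine with the same
# package versions or from an offline hash store such as an offsite AIDE copy.
# Each path is checked under ROOT (the mounted suspect filesystem).  Prints one
# line per file and returns the number of mismatches (0 = everything matched).
verify_against_baseline() {
    baseline=$1; root=${2:-/}
    bad=0
    while read -r expected path; do
        [ -n "$expected" ] || continue              # skip blank lines
        case $expected in "#"*) continue ;; esac    # skip comment lines
        if verify_hash "$root$path" "$expected"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            bad=$((bad + 1))
        fi
    done < "$baseline"
    return "$bad"
}

# rpm_verify_from_rescue ROOT PACKAGE: rpm -V using the RPM database under ROOT.
# "rpm -V SysVinit" printing nothing (as reported above) is a good sign, but the
# database it consults lives on the suspect disk.  --root at least avoids running
# the suspect system's own rpm binary; for a stronger check, "rpm -Vp" against a
# freshly downloaded package file compares against the vendor's metadata instead.
rpm_verify_from_rescue() {
    rpm --root "$1" -V "$2"
}

# Typical session from the rescue shell (mount point and hash are placeholders):
#   printf '%s  /sbin/init\n' "<sha256 of /sbin/init from a clean RHEL3 box>" > /tmp/baseline
#   verify_against_baseline /tmp/baseline /mnt/sysimage
#   rpm_verify_from_rescue /mnt/sysimage SysVinit
```

The reference hash must come from a machine at the same package level (the thread notes that /sbin/init legitimately changed during the 2005-09-30 update), otherwise the comparison will flag a harmless version difference.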