Old 12-02-2011, 10:39 AM   #1
jlvoo
LQ Newbie
 
Registered: Mar 2007
Posts: 9

OSSEC warning Suckit rootkit


Hi,

I just bought a VPS provided by Linode yesterday. This VPS is running on CentOS 6.0. I've installed OSSEC on it, and today I got a mail warning:

Trojaned version of file '/proc/1/maps' detected. Signature used: 'init.' (Suckit rootkit).

So I installed rkhunter and did a scan; the summary is

System checks summary
=====================

File properties checks...
Files checked: 138
Suspect files: 136

Rootkit checks...
Rootkits checked : 246
Possible rootkits: 0

Applications checks...
Applications checked: 4
Suspect applications: 2


Is it a false alarm?


I've attached the rkhunter log to this post.
Attached file: rkhunter.log (164.0 KB)
 
Old 12-02-2011, 11:12 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
If it's rule 510 (part of rootcheck) then it probably is as false positives wrt OSSEC-HIDS have been posted. Please note 0) both Chkrootkit and the rootkit-checking part of OSSEC-HIDS aren't exactly updated often and 1) more importantly: please ensure you use multiple layers of security and take care of hardening and auditing before exposing a host to the IntarWEB.
 
Old 12-02-2011, 11:54 AM   #3
jlvoo
LQ Newbie
 
Registered: Mar 2007
Posts: 9

Original Poster
Thanks for the reply.
 
Old 12-08-2011, 08:21 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Out of curiosity, did you perchance perform an update shortly before you saw this warning? I've noticed that these warnings most often occur as a result of updates and pieces being left in memory following an update and before a reboot, which clears the leftover pieces.
 
Old 12-09-2011, 03:38 AM   #5
jlvoo
LQ Newbie
 
Registered: Mar 2007
Posts: 9

Original Poster
Yes, we did a yum update. It could be that what you said is true, because the next day we did another update and rebooted the system, and since then there have been no more warning mails.
 
Old 12-10-2011, 06:23 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

I did a search on the terms '/proc/1/maps suckit rootkit' and came up with this thread: http://ubuntuforums.org/archive/inde...t-1554553.html It turns out I saw the exact same issue with Ossec about a year and a half ago. The link also indicates a couple of easy diagnostics you can perform to verify that it is false.
 
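A small triage helper illustrating posts #4 and #6, added here as an example and not part of the original thread or of OSSEC itself: it parses text in /proc/1/maps format, reports which lines contain the 'init.' string the OSSEC warning mail quoted, and lists mappings marked "(deleted)", which is what a library replaced by a package update looks like in a process that has not been restarted. The sample maps content is constructed; run it against the real /proc/1/maps as root to see what actually matched.

```python
import sys

# Constructed sample in /proc/<pid>/maps format (not taken from the original post).
# The "(deleted)" entries model the update-without-reboot case described in the thread.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 fd:00 123456 /sbin/init
0060a000-0060b000 rw-p 0000a000 fd:00 123456 /sbin/init
7f1e2a000000-7f1e2a1a7000 r-xp 00000000 fd:00 654321 /lib64/libc-2.12.so (deleted)
7f1e2a3a7000-7f1e2a3ab000 r--p 001a7000 fd:00 654321 /lib64/libc-2.12.so (deleted)
7f1e2a5c0000-7f1e2a5c2000 rw-p 00000000 00:00 0
7fff1c2d3000-7fff1c2f4000 rw-p 00000000 00:00 0 [stack]
"""

# The signature string quoted in the OSSEC warning mail from post #1.
SUCKIT_SIGNATURE = "init."


def parse_maps(text):
    """Yield (perms, pathname) for each maps line; pathname is '' for anonymous maps."""
    for line in text.splitlines():
        # Fields: address perms offset dev inode pathname; maxsplit keeps spaces in pathname.
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        yield parts[1], (parts[5] if len(parts) == 6 else "")


def deleted_mappings(text):
    """Distinct mapped files whose on-disk copy has been replaced or removed."""
    return sorted({path for _, path in parse_maps(text) if path.endswith("(deleted)")})


def signature_hits(text, signature=SUCKIT_SIGNATURE):
    """Maps lines containing the signature substring, so you can see what matched."""
    return [line for line in text.splitlines() if signature in line]


def triage(text):
    """Summarise the two checks; 'deleted' entries are resolved by the reboot the thread describes."""
    hits, deleted = signature_hits(text), deleted_mappings(text)
    if not hits:
        verdict = "signature absent"
    elif deleted:
        verdict = "signature present alongside stale (deleted) mappings: update without reboot is likely"
    else:
        verdict = "signature present with no stale mappings: investigate the matching lines"
    return {"hits": hits, "deleted": deleted, "verdict": verdict}


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for key, value in triage(source).items():
        print(f"{key}: {value}")
```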
Old 12-12-2011, 04:08 AM   #7
jlvoo
LQ Newbie
 
Registered: Mar 2007
Posts: 9

Original Poster
Thanks Noway2, very good piece of info.
I did what they suggested, so now I'm sure it is a false alarm.
 