chkrootkit: tcpd
When I run chkrootkit, it reports:
Code:
Checking `tcpd'... INFECTED
I reinstalled the tcpip package from the Slackware DVD but chkrootkit still returns the same output. |
If you really have a rootkit, you'll probably need to reinstall your system.
unSpawn is our resident security expert (and maintainer of rkhunter, which you may want to try as well) and can probably tell you a lot more than I can. |
What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch run checks from a Live CD like Helix, KNOPPIX-(STD), Fire or equiv.
|
"-d" basically is "set -x", which should show what it reacts on and "-x" dumps all output which could come in handy to see if it's a simple FP based on say a bad anchored grep. You'll find tcpd starting near line 20000, look for "thing=tcpd", continue until the next thing= line, approx. 300 lines of output. Posting the relevant part of the output file looks way too large to post to me so cut out the part, compress it and provide a D/L location if you can or maybe post the lines in some pastebin on teh intarweb and provide a URI?
|
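A helper for the extraction described above, added here as an example and not part of the thread or of chkrootkit: it prints the trace from the line containing thing=tcpd up to, but not including, the next thing= line. The sample trace embedded below is constructed for the demo and only imitates the shape of a set -x dump; the function names extract_section, tcpd_section and tcpd_section_lines are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Pull one test's section out of a
# "chkrootkit -x -d" trace: from the line containing "thing=<name>" up to
# (not including) the next "thing=" line, as the post above describes.

# $1 = test name (e.g. tcpd); the trace is read from stdin.
extract_section() {
  awk -v want="thing=$1" '
    index($0, want)          { in_section = 1; print; next }  # start of our test
    in_section && /thing=/   { exit }                         # next test begins
    in_section               { print }
  '
}

# Constructed stand-in for a real trace (real output is far longer and differs
# in detail); it only models the "thing=" markers the post tells you to look for.
SAMPLE_TRACE='+ thing=find
+ CMD=/usr/bin/find
+ strings -a /usr/bin/find
+ thing=tcpd
+ CMD=/usr/sbin/tcpd
+ strings -a /usr/sbin/tcpd
+ echo INFECTED
+ thing=ifconfig
+ CMD=/sbin/ifconfig'

# The tcpd section of the constructed trace (4 lines, ending at "+ echo INFECTED").
tcpd_section() {
  printf '%s\n' "$SAMPLE_TRACE" | extract_section tcpd
}

# Line count of that section, whitespace stripped for portability of wc output.
tcpd_section_lines() {
  tcpd_section | wc -l | tr -d ' '
}

tcpd_section
```

On a real log, replace the embedded sample with `extract_section tcpd < /tmp/logfile`; the section is what you would bzip and post, instead of the whole multi-megabyte trace.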
My chkrootkit is version 0.46.
Code:
# chkrootkit -x -d &> rootkitlog |
This last command returns nothing.
Uh. It's not like I told you to do *that*, did I? |
OK, BTW it's at version 0.47 now. Remembering it can do separate tests, what does "chkrootkit -d tcpd" say?
|
Code:
bash-3.1# chkrootkit tcpd
Code:
bash-3.1# chkrootkit -d tcpd |
Checking `tcpd'... not infected
Bummer. Opportunity gone. |
OK. Let's cut this short, then, dragging on for too long. First upgrade to version 0.47. Then run "chkrootkit -x -d 2>&1>/tmp/logfile", bzip it and post the D/L URI.
|
Did what you said:
http://wilma.vub.ac.be/~lddekeyz/logfile.bz2 |
OK, I read your log:
Code:
wc -l mylog yourlog
To summarise:
- you replaced the binary from a "known good" source (or so I hope),
- running only the "tcpd" test does not return INFECTED status,
- running with debug and expert flags does not show INFECTED status for tcpd,
- Chkrootkit mailing list archives show no relevant threads on this subject,
- a diff between version 0.46a and 0.47 shows no differences I can relate to tcpd.
I suggest you first make certain (not guess or "assume") your system is clean. If unsure, run the test from a Live CD like Helix, KNOPPIX(-STD) or equivalent. If it is clean, attach your bzipped log and get on their mailing list or send it to Nelson directly with as many details as you can. I would appreciate it if you post back their findings. Sorry I couldn't be of more help. |
I'll run the test from such a LiveCD as fast as I can. However, my ISP has set download limits, which I've almost reached. |
I've downloaded KNOPPIX-STD and booted with it. I mounted my hard disk partitions under /mnt/hd, and ran:
Code:
chkrootkit -r /mnt/hd/
Code:
Checking `find'... INFECTED |
Does this give you any new insights?
No. Talking about errors ain't gonna help. Posting them might. Make sure you use "-p" to execute commands from CD instead. |
The output of
Code:
chkrootkit -r /mnt/FAKEROOT -p /sbin:/bin:/usr/sbin:/usr/bin
The one of
Code:
chkrootkit -r /mnt/FAKEROOT -p /sbin:/bin:/usr/sbin:/usr/bin -x -d
The version of chkrootkit on the KNOPPIX-STD CD is 0.46. |
BTW, did you verify your binaries using your distro's package management tools earlier on by any chance?
Quote:
The version of chkrootkit on the KNOPPIX-STD CD is 0.46
Hmm. I don't like that... Shouldn't be hard to D/L the latest unless you're on problematic Wifi ;-p but OK... Anyway. I isolated the output of running "strings" on find from chkrk2 and I can't see anything there that could trigger the "infected" flag. Besides that it's odd it was tcpd then and find now. There isn't anything else you need to mention about this specific system, right? If none, then if you ran the test with the "safe" binaries from CDR (as you indicated you did) and didn't by accident boot the kernel from disk instead, then the only thing I can do is *suggest* you chalk it up as a false positive. I don't know everything but I am pretty sure there aren't any methods to make a "dead" system influence checks as shown and I *still* suggest you get on the mailing list or mail Nelson for a second opinion. |
Quote:
BTW, did you verify your binaries using your distro's package management tools earlier on by any chance?
I'm not sure I understand what you mean here. I just installed those binaries which are said to be 'infected' from the Slackware 11 DVD. Haven't upgraded them since.
Quote:
There isn't anything else you need to mention about this specific system, right?
Just a regular Slackware install, but I use pkgsrc as package manager.
Quote:
I *still* suggest you get on the mailing list or mail Nelson for a second opinion.
I'll certainly do this, and keep you informed. Thanks for the help. |
I received the following mail from Nelson today:
Quote:
I found the error, I will fix it in the next version. Thanks a lot for your help. If you want an emergency workaround please add this line after chk_tcpd () {:
Code:
CMD="" |
Well done for getting him to fix it and thanks for posting back, I appreciate it.
|
FINALLY figured this one out
Sorry to refresh a 10-year-old thread, but since this comes up as one of the top searches for this issue...
The reason that calling the full script returns "tcpd infected" yet running a single/expert test for tcpd by itself returns "not found" or "not infected" (whichever your case might be) is a bug in the main script: /usr/sbin/chkrootkit
The function in question:
Code:
chk_tcpd () {
By modifying the function to:
Code:
chk_tcpd () {
I've reported the bug to the chkrootkit devs, but if anyone else finds this via search, this is the problem. |
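The thread never shows the function bodies, and the bug report above is cut short, so the following is an added example rather than chkrootkit's own code or the poster's patch. It models the bug class that fits both the symptoms reported (INFECTED in a full run, "not infected" when the tcpd test runs alone) and Nelson's workaround of clearing CMD at the top of chk_tcpd: a check that reads a global CMD left behind by an earlier check. The signature string, the file names, the helper names (loc, scan_cmd, chk_previous, chk_tcpd_buggy, chk_tcpd_fixed, full_run, single_run) and the fixture contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code. Models a global-variable leak
# between test functions: the tcpd check inherits CMD from an earlier check,
# so it reports INFECTED only when run after that check. Everything below
# (signature, file names, contents) is constructed for illustration.

SIGNATURE='DEMO_BAD_STRING'   # constructed stand-in for a real signature list

# Echo the first "$dir/$name" that exists in the colon-separated dir list $2,
# or "not_found" (the convention the thread's debug output uses).
loc() {
  name=$1; dirs=$2
  oldifs=$IFS; IFS=:
  for d in $dirs; do
    if [ -f "$d/$name" ]; then
      IFS=$oldifs
      printf '%s\n' "$d/$name"
      return 0
    fi
  done
  IFS=$oldifs
  printf 'not_found\n'
}

# Shared verdict step: INFECTED when the file named by the global CMD carries
# the signature, "not infected" otherwise (including when CMD is empty).
scan_cmd() {
  if [ -n "$CMD" ] && [ "$CMD" != not_found ] && grep -q "$SIGNATURE" "$CMD" 2>/dev/null; then
    printf 'INFECTED\n'
  else
    printf 'not infected\n'
  fi
}

# An earlier test in a full run: finds its own binary and leaves CMD set.
chk_previous() {
  CMD=$(loc suspicious_tool "$1")
  scan_cmd >/dev/null
}

# Buggy tcpd test (modelled, not the real function): CMD is assigned only when
# tcpd is found, so a missing tcpd silently scans whatever CMD still points at.
chk_tcpd_buggy() {
  found=$(loc tcpd "$1")
  if [ "$found" != not_found ]; then CMD=$found; fi
  scan_cmd
}

# Same test with the one-line workaround from the thread: clear CMD on entry.
chk_tcpd_fixed() {
  CMD=""
  found=$(loc tcpd "$1")
  if [ "$found" != not_found ]; then CMD=$found; fi
  scan_cmd
}

# Throwaway root: an earlier check's binary containing the signature, no tcpd.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/sbin"
  printf 'constructed file containing %s\n' "$SIGNATURE" > "$root/sbin/suspicious_tool"
  printf '%s\n' "$root"
}

# Full run: earlier check first, then the tcpd check named by $1 (buggy|fixed).
full_run() {
  root=$(make_fixture)
  CMD=""
  chk_previous "$root/sbin"
  "chk_tcpd_$1" "$root/sbin"
  rm -rf "$root"
}

# Single test, as "chkrootkit tcpd" does: no earlier check has touched CMD.
single_run() {
  root=$(make_fixture)
  CMD=""
  "chk_tcpd_$1" "$root/sbin"
  rm -rf "$root"
}

echo "full run,    buggy: $(full_run buggy)"    # INFECTED
echo "full run,    fixed: $(full_run fixed)"    # not infected
echo "single test, buggy: $(single_run buggy)"  # not infected
```

The practical lesson for anyone triaging such a report is the one the thread arrived at: rerun the single test, compare against a clean copy of the binary, and treat a verdict that changes with the order of checks as a scanner bug until a second source (the mailing list, a live CD run) confirms it.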