Old 05-01-2014, 10:45 PM   #1
TommyC7
rkhunter 1.4.2 volc rootkit found & then gone?


Hello.

I don't usually come here too often but rkhunter running via cron caught something weird today.

I forgot that running rkhunter more than once will overwrite the /var/log/rkhunter.log file (and I overwrote rkhunter.log.old as well), so unfortunately I don't have the necessary rkhunter logs.

This is on a Slackware system.

What I post next is from memory:

1. The rootkit "found" was called "Volc" rootkit and it mentioned something about "divine" (based on rkhunter.logs I'm assuming it was talking about /usr/lib/volc/backdoor/divine).

2. The rkhunter message given in the previous rkhunter.log (the one that caught the supposed rootkit) said to use:
Code:
lsof -i # or
netstat -an
and that irssi may have been the source of the problem.

So afterwards...

1. The output of "lsof -i" just gave me firefox and irssi connections.

2. Searching for the string "irssi" or "firefox" in the output of "netstat -an" didn't give any results.

3. I /quit out of irssi.

4. Re-scanning (twice, hence my lack of the necessary log) produced 0 rootkit results.

5.
Code:
netstat -plunt
Didn't list anything.

So I guess my question is, should I have investigated further and am I OK, because I honestly can't tell if this was a false positive (and I realize without logs it's hard to believe me)? What can/should I do further in case I am still affected (I went through the CERT checklist on archive.org)? Irssi seems to be okay. Restarting it didn't pick it up as a problem, nor did a reinstall of irssi (with the GPG key of the package verified) pick it up as a problem.
 
Old 05-02-2014, 11:30 AM   #2
TommyC7
Original Poster
I apologize for double posting (and not waiting the 24 hour bump limit).

After further investigation it seems like a false positive and below is why I believe it to be so (please correct me if I'm wrong):

I did some more research and came upon rkhunter's database files, most notably -- $install_root/var/lib/rkhunter/db/backdoorports.dat

This line in particular stood out
Code:
33369:Volc Rootkit SSH server (divine):TCP
Which produces this in rkhunter's log:
Code:
Warning: Network TCP port <port> is being used by <program>. Possible rootkit: Volc Rootkit SSH server (divine)
           Use the 'lsof -i' or 'netstat -an' command to check this.
The line from my memory.

For temporary testing I changed the line from port 33369 to something else that is currently in use and established. Lo and behold that program now becomes the "problem" and the possible rootkit is detected.

The Volc rootkit itself was not picked up by rkhunter, and if the system had been compromised (from http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)
Code:
However, a scan on an existing install will still reveal rootkits.
Therefore, is it safe to assume that this was a false positive (and that I got an unlucky port)?

Last edited by TommyC7; 05-02-2014 at 11:31 AM.
 
Old 05-03-2014, 04:04 AM   #3
unSpawn
Moderator
Do note we're trying to enhance RKH with ClamAV signatures to be more effective at scanning for "evidence". Right now it is an ongoing effort anyone could help with. But as traditional rootkit threats dwindle I do not intend to spend much time creating kernel 2.4 or kernel 2.6-era rootkit signs, though anyone could petition for specific ones found right now via our Sourceforge bug tracker. So, if you didn't find evidence of file /usr/bin/volc and directory /usr/lib/volc but only the port then, yes, I'd mark that as a false positive.
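The port-only check described in post #2 (rkhunter's backdoorports.dat maps a port number to a rootkit name, so any local program that happens to land on that port trips the warning) and the corroborating file check unSpawn asks for in post #3 can be modelled together. The script below is an added example, not rkhunter's code and not anything posted in the thread: it parses lines in the backdoorports.dat format quoted above, matches them against constructed `netstat -an` style output, and then weighs the port hit against the presence of the /usr/bin/volc and /usr/lib/volc artifacts named in the thread. The sample socket lines, the second database entry and the `assess` verdict strings are all constructed for illustration.

```python
"""
Models rkhunter's port-based backdoor check and why it can produce a false
positive: a port match on its own only proves that *some* local program is
using a listed port. The match is therefore combined with a check for the
file-system artifacts the thread names, so that both signals are weighed.
Added example; not rkhunter's own code. All sample data is constructed.
"""
import os

# Entries in the "port:description:protocol" format of backdoorports.dat.
# The Volc line is the one quoted in the thread; the second is constructed.
BACKDOORPORTS_DAT = """\
# port:description:protocol
33369:Volc Rootkit SSH server (divine):TCP
47017:Constructed example entry:UDP
"""

# Constructed lines in the layout of `netstat -an` (Linux net-tools):
# proto recv-q send-q local-address foreign-address state
# The established connection on local port 33369 stands in for an IRC
# client that happened to get that ephemeral port, as in the thread.
NETSTAT_AN_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:33369        198.51.100.7:6667       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# File-system artifacts the thread names for the Volc kit.
VOLC_ARTIFACTS = ("/usr/bin/volc", "/usr/lib/volc")


def parse_backdoorports(text):
    """Return {(protocol, port): description} from backdoorports.dat content."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, rest = line.split(":", 1)
        # The description may itself contain ':' so take the protocol from the end.
        description, proto = rest.rsplit(":", 1)
        entries[(proto.strip().lower(), int(port))] = description.strip()
    return entries


def parse_netstat_an(text):
    """Return a list of (protocol, local_port, state) from `netstat -an` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")            # fold tcp6/udp6 into tcp/udp
        local_port = int(fields[3].rsplit(":", 1)[1])
        state = fields[5] if len(fields) > 5 else ""   # UDP rows carry no state
        sockets.append((proto, local_port, state))
    return sockets


def port_hits(sockets, entries):
    """Sockets whose (protocol, local port) appears in the backdoor port list."""
    return [(proto, port, state, entries[(proto, port)])
            for proto, port, state in sockets if (proto, port) in entries]


def artifact_hits(paths=VOLC_ARTIFACTS, exists=os.path.exists):
    """Paths from the artifact list that are present on this host."""
    return [p for p in paths if exists(p)]


def assess(sockets, entries, artifact_paths=VOLC_ARTIFACTS, exists=os.path.exists):
    """Combine both signals. A port match with no artifacts is the situation
    the thread describes; the owning process should then be identified with
    `lsof -i` or `netstat -plunt` to close the case."""
    ports = port_hits(sockets, entries)
    files = artifact_hits(artifact_paths, exists)
    if ports and files:
        verdict = "artifacts present: treat as compromise"
    elif ports:
        verdict = "port match only: likely false positive, identify owning process"
    elif files:
        verdict = "artifacts present without port match: investigate"
    else:
        verdict = "clean"
    return {"port_hits": ports, "artifacts": files, "verdict": verdict}


if __name__ == "__main__":
    result = assess(parse_netstat_an(NETSTAT_AN_SAMPLE),
                    parse_backdoorports(BACKDOORPORTS_DAT))
    for proto, port, state, desc in result["port_hits"]:
        print(f"Warning: {proto.upper()} port {port} ({state}) matches: {desc}")
    print(result["verdict"])
```

Run against the constructed data, the script flags local port 33369 exactly as rkhunter did for the poster, and, with no Volc artifacts on disk, reports a likely false positive; swapping the port in the database for one in use, as the poster did, moves the warning to whatever program owns that port, which is the behaviour post #2 observed.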
Old 05-03-2014, 03:45 PM   #4
TommyC7
Original Poster
Quote:
unSpawn:
But as traditional rootkit threats dwindle I do not intend to spend much time creating kernel 2.4 or kernel 2.6-era rootkit signs though anyone could petition specific ones found right now via our Sourceforge bug tracker.
Does the volc rootkit only affect Linux kernel versions 2.4 and 2.6? Otherwise I'm not quite sure why you brought those kernel versions up. If that is the case, I'm not on either of those kernel versions.

Quote:
So, if you didn't find evidence of file /usr/bin/volc and directory /usr/lib/volc but only the port then, yes, I'd mark that as a false positive.
I did not find evidence of either the file /usr/bin/volc or directory /usr/lib/volc by hand or via rkhunter.
 
Old 05-03-2014, 08:29 PM   #5
unSpawn
Moderator
Quote:
Originally Posted by TommyC7 View Post
Does the volc rootkit only affect Linux kernel versions 2.4 and 2.6?
The kit never was shared with me so I don't know. If I had to guesstimate then I'd doubt it would run on 2.6 and up.


Quote:
Originally Posted by TommyC7 View Post
I did not find evidence of either the file /usr/bin/volc or directory /usr/lib/volc by hand or via rkhunter.
Good.