chkrootkit says Stardust /sbin/init INFECTED with Suckit

For discussions about security.
Rocket
Posts: 16
Joined: Tue 02 Mar 2010, 07:40

chkrootkit says Stardust /sbin/init INFECTED with Suckit

#1 Post by Rocket »

I ran chkrootkit on Stardust Puppy and it found the following.

"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"

Now I have to figure out what to do about it.

R

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#2 Post by Lobster »

I suppose not running Stardust is a start :wink:
Is the rootkit on the CD or on your install?
Quoting the la-samhna rootkit list:

"SucKIT is a rootkit presented in Phrack issue 58, article 0x07 ("Linux on-the-fly kernel patching without LKM", by sd & devik). This is a fully working rootkit that is loaded through /dev/kmem (i.e. it does not need a kernel with support for loadable kernel modules). It provides a password protected remote access connect-back shell initiated by a spoofed packet (bypassing most firewall configurations), and can hide processes, files and connections."
http://la-samhna.de/library/rootkits/list.html

Chkrootkit
http://en.wikipedia.org/wiki/Chkrootkit

Tin hats to maximum
Release the hounds . . .
Can someone confirm it is on CD?
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#3 Post by nooby »

Are you guys joking around or is this for real? My English often fails to know if people just tease each other or if it is a serious thing.

How do I test it on my machine? Does this chroot thing give false positives?

Have anybody told Zigbert?

How do I get rid of it if I have it?
I use Google Search on Puppy Forum
not an ideal solution though

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

Re: Rootkit scan

#4 Post by nooby »

Rocket wrote:
I ran chkrootkit on Stardust Puppy and it found the following.

"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"

Now I have to figure out what to do about it.

R
By running it on Stardust, do you mean that you pointed chkrootkit at the Stardust Puppy .iso file and it looked through it

or

have you installed Stardust Puppy in full install or frugal install or on DVD as a live user session and then activated the chkrootkit on Stardust Puppy?

Which other linux do you have installed now?

A rootkit is on the first sectors in root. Does that not mean it could have been there before you downloaded Star Dust?

I mean did you run chkrootkit on your machine before you downloaded the iso and which iso was it.

There are Stardust from 001 to 012, so very many isos to choose from to test?

Wikipedia says:
"There are inherent limitations to the reliability of any program that attempts to detect compromises (such as rootkits and computer viruses). Newer rootkits may specifically attempt to detect and compromise copies of the chkrootkit programs or take other measures to evade detection by them."
So if that is how you did it, you have a CD or DVD and from there executed chkrootkit and it looked through your HD with Stardust on it?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#5 Post by nooby »

It can be a false positive!

https://bugs.launchpad.net/ubuntu/+sour ... bug/454566

Quote:
False positive for SucKit

1. Ubuntu
2. "chkrootkit

Eyes-Only
Posts: 1043
Joined: Thu 10 Aug 2006, 06:32
Location: La Confederation Abenaquaise

#6 Post by Eyes-Only »

You folks will find some very fascinating reading, plus how to use the CLI/terminal to manually check for SuckIt, at this URL:

http://forums.gentoo.org/viewtopic-t-32 ... uckit.html

And yes, that's brought to us from our good gentoo brethren. Thanks to them for the tips. :)

I hope this helped all involved? Did me!

Amicalement/Mazzel/Cheers!

Eyes-Only
"L'Peau-Rouge"
*~*~*~*~*~*
Proud user of LXpup and 3-Headed Dog. 8)
*~*~*~*~*~*

nancy reagan
Posts: 544
Joined: Thu 22 Jan 2009, 14:20

... Rocket just landed stranded here today ..

#7 Post by nancy reagan »

... Rocket just landed stranded here today .

Not being a tweaker, one must try one's other senses (if available) and I thought he just landed here today, so ??

fancy Reagan


8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#8 Post by 8-bit »

I just ran "chkrootkit -q" on Puppy 431 frugal install and it returned:

can't exec ./strings-static, Checking `login'... INFECTED
Checking `passwd'... INFECTED
Checking `traceroute'... INFECTED
strings: w: No such file or directory
strings: write: No such file or directory
/bin/ls: cannot access write: No such file or directory

/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist /usr/lib/seamonkey/.autoreg

Warning: /sbin/init INFECTED
find: /proc/8338/net: Invalid argument
not tested: can't exec 
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp
So has anyone else had that output from it?
I do not keep any personal info on my PC, so I am not overly concerned.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#9 Post by Lobster »

:roll:

Stand down red alert
call back the hounds
Consolation for the tin hats . . .
http://freshmeat.net/projects/rkhunter

We await Positive falsies and other potential threats 8)
nooby wrote:
Are you guys joking around or is this for real?
'Why so serious' [Joker as played by the late Heath Ledger]
Somebody has said what a malware detector is reporting
We need to move from a position of ignorance to what and why this is happening.
. . . that is fun . . . :)

Rooting for Puppy

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#10 Post by nooby »

Yes one can joke about serious things too.

But as a newbie, the solutions that were suggested were too technical to be followed, by me at least. If any of you could use them, maybe you can explain how one does it step by step?

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#11 Post by 8-bit »

Both root kit checking programs have README files with them that tell you how to use them.
And neither one has to be installed to use them as per the README files.
I tried both, so I am speaking from experience.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#12 Post by nooby »

I tested a third one that column writers did recommend at geek com something.

Rootkit Revealer, and it ran for some 30 minutes or more and finally told me it had found some 409000 things that were not what it expected. I tried to look through them but had not knowledge enough to get what it was all about.

I may try the one named Gmer too, and the Chroot one.

But it seems one has to know much to have any use of them.

For experts?

bugman

#13 Post by bugman »

i'm confused as on my system /sbin/init is a link

can a link be infected?

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#14 Post by 8-bit »

When I ran the check root programs, it displayed a number of warnings on files. I do believe they were there because of Puppy's use of system links and scripts used to call some executables.
Since it is looking for an executable and finds a link or a script, it kicks back a warning.
Does that make sense?

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#15 Post by Pizzasgood »

They are false alarms. Chkroot doesn't like busybox, which is what we use to provide several of the core utilities.

http://www.murga-linux.com/puppy/viewto ... 171#359171

Busybox is basically a bunch of programs combined into one very small package. So things that chkrootkit does not expect to see in, for example, 'echo', are there because of the other programs that busybox mimics.

Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#16 Post by nooby »

So which anti-rootkit program would show the least such false positives?

I tested Rootkit Revealer and it showed 406xxx that is fourhundredsixthousand things that it did not like.

Too much to go through to know if there is something to look deeper into.

What about Gmer? Is that only a remover and not a teller of what it wants to remove before it does it?

Maybe the easiest thing for a newbie is to look for activity on port 55 or something. Not that I know how to do this, but that program is built into Puppy from scratch I guess, so easy to use if somebody tells how to get it going.

tasmod
Posts: 1460
Joined: Thu 04 Dec 2008, 13:53
Location: North Lincolnshire. UK

#17 Post by tasmod »

nooby,

If you visit this part of the forum be prepared to get paranoid about Puppy and security.

Ease off, it's never as bad as it seems. :wink:
Rob
-
The moment after you press "Post" is the moment you actually see the typso 8)

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#18 Post by Pizzasgood »

If you trust Puppy as provided by Barry to be initially free from malware, you could create md5sums of all the files, store them on a read-only medium, and then verify them from time to time to make sure nothing changed. That would help you notice if any files changed.

It won't help you notice if new things are added without changing existing stuff. For example, scripts placed into /etc/init.d/, /etc/profile.d/, and /root/Startup will be run automatically as Puppy boots (and also whenever you open a terminal, in the case of profile.d). Also, files in /etc/udev/rules.d/ can execute commands when hardware is detected or removed.

If you don't add files to Puppy very often, you could do a remaster after it's set up and start from a fresh pup_save.2fs file. Then you could look at the contents of the pup_save.2fs file from time to time to see if there's anything suspicious in it. (If you frequently install or modify things this won't work because it will quickly fill up with a bunch of stuff that's legit.)
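The md5sum baseline described above, worked through as an added example (this is not code from the thread or from Puppy): it snapshots a tree, then verifies it and also reports files that appeared after the snapshot, which a plain md5sum check would miss. It assumes POSIX sh with find, md5sum, sort, comm, awk and mktemp, and the tree it checks is constructed in a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread: snapshot md5sums of a tree and later
# verify it, reporting MODIFIED, MISSING and NEW files. The NEW check covers the
# gap Pizzasgood notes: a script dropped into /etc/init.d/ changes nothing that
# already existed. Assumes POSIX sh with find, md5sum, sort, comm, awk, mktemp.
# The tree used below is constructed in a temp dir, not a real Puppy install.
export LC_ALL=C   # byte-order sorting so comm sees consistent input
# make_baseline ROOT OUT: write "md5  ./relative/path" for every regular file.
# Keep OUT on read-only media (CD, write-protected stick), never on the system.
make_baseline() {
    ( cd "$1" && find . -type f | sort | while read -r f; do md5sum "$f"; done ) > "$2"
}

# verify_baseline ROOT BASELINE: print one line per change; return 1 if any.
verify_baseline() {
    root=$1; base=$2
    ( cd "$root" && find . -type f | sort ) > "$base.now"
    cut -c35- "$base" | sort > "$base.old"        # md5sum line: 32 hex + 2 spaces
    report=$(
        comm -13 "$base.old" "$base.now" | sed 's/^/NEW      /'
        comm -23 "$base.old" "$base.now" | sed 's/^/MISSING  /'
        comm -12 "$base.old" "$base.now" | while read -r f; do
            want=$(awk -v p="$f" 'substr($0,35)==p {print substr($0,1,32)}' "$base")
            have=$(cd "$root" && md5sum "$f" | cut -c1-32)
            [ "$want" = "$have" ] || echo "MODIFIED $f"
        done
    )
    rm -f "$base.now" "$base.old"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# demo: constructed tree -> baseline -> modify, delete, add -> verify.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin" "$d/bin" "$d/etc/init.d"
    echo "init v1"   > "$d/sbin/init"
    echo "old bin"   > "$d/bin/gone"
    echo "rc script" > "$d/etc/init.d/rc.sysinit"
    make_baseline "$d" "$d.md5"            # snapshot of the clean system
    echo "init v2" > "$d/sbin/init"        # existing file changed
    rm "$d/bin/gone"                       # existing file removed
    echo "x" > "$d/etc/init.d/dropped"     # new startup script appeared
    verify_baseline "$d" "$d.md5"; rc=$?
    rm -rf "$d" "$d.md5"
    return $rc
}
if demo; then echo "baseline clean"; else echo "baseline verification found changes"; fi
```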

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#19 Post by nooby »

I found this interesting text today searching for puppy and rootkits detection.

http://www.prevx.com/blog/139/Tdss-root ... e-net.html

One of the commentators wrote:
Randy on Dec 2 1:22, 2009

I wonder if one could just boot to a Linux boot CD like Puppy and remove the infected dll files.
Can one use pfind to look for known rootkit names, or are they encrypted and don't show up?

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#20 Post by 8-bit »

DLL files are Windows ones, and the key word here is infected.
Randomly going through Windows and deleting DLL files that are supposedly infected may kill Windows.
If one is concerned, do a backup of things you want to keep and reinstall windows.
The only DLL files you would find in Puppy would be from an installation of wine.
