chkrootkit says Stardust /sbin/init INFECTED with Suckit
Page 1 of 2 [20 Posts]   Goto page: 1, 2 Next
Rocket

Joined: 02 Mar 2010
Posts: 8

PostPosted: Tue 02 Mar 2010, 03:48    Post subject:  chkrootkit says Stardust /sbin/init INFECTED with Suckit
Subject description: What to do?
 

I ran chkrootkit on Stardust Puppy and it found the following.

"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"

Now I have to figure out what to do about it.

R
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15122
Location: Paradox Realm

PostPosted: Tue 02 Mar 2010, 05:43    Post subject:  

I suppose not running Stardust is a start Wink
Is the rootkit on the CD or on your install?

Quote:
SucKIT is a rootkit presented in Phrack issue 58, article 0x07 ("Linux on-the-fly kernel patching without LKM", by sd & devik). This is a fully working rootkit that is loaded through /dev/kmem (i.e. it does not need a kernel with support for loadable kernel modules). It provides a password protected remote access connect-back shell initiated by a spoofed packet (bypassing most of firewall configurations), and can hide processes, files and connections.

http://la-samhna.de/library/rootkits/list.html

Chkrootkit
http://en.wikipedia.org/wiki/Chkrootkit

Tin hats to maximum
Release the hounds . . .


Can someone confirm it is on CD?

_________________
Puppy WIKI
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Tue 02 Mar 2010, 07:03    Post subject:  

Are you guys joking around or is this for real? My English often fails to know if people just tease each other or if it is a serious thing.

How do I test it on my machine? Does this chroot thing give false positives?

Have anybody told Zigbert?

How do I get rid of it if I have it?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Tue 02 Mar 2010, 07:08    Post subject: Re: Rootkit scan
Subject description: chkrootkit results
 

Rocket wrote:
I ran chkrootkit on Stardust Puppy and it found the following.

"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"

Now I have to figure out what to do about it.

R


By running it on Stardust, do you mean that you pointed chkrootkit to the Stardust Puppy .iso file and it looked through it

or

have you installed Stardust Puppy in full install or frugal install or on DVD as a live user session and then activated the chkrootkit on Stardust Puppy?

Which other linux do you have installed now?

A rootkit is on the first sectors in root. Does that not mean it could have been there before you downloaded Star Dust?

I mean did you run chkrootkit on your machine before you downloaded the iso and which iso was it.

There are Stardust from 001 to 012, so very many isos to choose from to test?

Quote:
There are inherent limitations to the reliability of any program that attempts to detect compromises (such as rootkits and computer viruses). Newer rootkits may specifically attempt to detect and compromise copies of the chkrootkit programs or take other measures to evade detection by them.[1]


so if that is how you did it you have a CD or DVD and there executed the Chrootkit and it looked through your HD with Stardust on it?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Tue 02 Mar 2010, 10:11    Post subject:  

It can be a false positive!

https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566

Quote:

False positive for SucKit

1. Ubuntu
2. “chkrootkit” package
3. Bugs
4. Bug #454566


If one runs it with Rootkit Hunter it does not find it.

So hopefully it is a false positive.

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Eyes-Only


Joined: 10 Aug 2006
Posts: 1046
Location: La Confederation Abenaquaise

PostPosted: Tue 02 Mar 2010, 13:43    Post subject:  

You folks will find some very fascinating reading, plus how to use the CLI/terminal to manually check for SuckIt, at this URL:

http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html

And yes, that's brought to us from our good gentoo brethren. Thanks to them for the tips. Smile

I hope this helped all involved? Did me!

Amicalement/Mazzel/Cheers!

Eyes-Only
"L'Peau-Rouge"

_________________
*~*~*~*~*~*
Proud user of LXpup and 3-Headed Dog. Cool
*~*~*~*~*~*
nancy reagan

Joined: 22 Jan 2009
Posts: 518

PostPosted: Tue 02 Mar 2010, 13:50    Post subject: ... Rocket just landed stranded here today ..  

... Rocket just landed stranded here today .

Not being a tweaker, one must try one's other senses (if available) and I thought he just landed here today, so ??

fancy Reagan

8-bit


Joined: 03 Apr 2007
Posts: 3398
Location: Oregon

PostPosted: Tue 02 Mar 2010, 14:27    Post subject:  

I just ran "chkrootkit -q" on Puppy 431 frugal install and it returned:

Code:

can't exec ./strings-static, Checking `login'... INFECTED
Checking `passwd'... INFECTED
Checking `traceroute'... INFECTED
strings: w: No such file or directory
strings: write: No such file or directory
/bin/ls: cannot access write: No such file or directory

/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist /usr/lib/seamonkey/.autoreg

Warning: /sbin/init INFECTED
find: /proc/8338/net: Invalid argument
not tested: can't exec
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp


So has anyone else had that output from it?
I do not keep any personal info on my PC, so I am not overly concerned.
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15122
Location: Paradox Realm

PostPosted: Tue 02 Mar 2010, 23:11    Post subject:  

Rolling Eyes

Stand down red alert
call back the hounds


Consolation for the tin hats . . .
http://freshmeat.net/projects/rkhunter

We await Positive falsies and other potential threats Cool

Quote:
Are you guys joking around or is this for real?

'Why so serious' [Joker as played by the late Heath Ledger]
Somebody has said what a malware detector is reporting
We need to move from a position of ignorance to what and why this is happening.
. . . that is fun . . . Smile

Rooting for Puppy

_________________
Puppy WIKI
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Wed 03 Mar 2010, 04:57    Post subject:  

Yes one can joke about serious things too.

but as a newbie the solutions that were suggested were too technical to be followed by me at least. If any of you could use them maybe you can explain how one does it step by step?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
8-bit


Joined: 03 Apr 2007
Posts: 3398
Location: Oregon

PostPosted: Wed 03 Mar 2010, 12:51    Post subject:  

Both root kit checking programs have README files with them that tell you how to use them.
And neither one has to be installed to use them as per the README files.
I tried both, so I am speaking from experience.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Thu 04 Mar 2010, 08:53    Post subject:  

I tested a third one that column writers did recommend at geek com something.

Rootkit Revealer, and it ran for some 30 minutes or more and finally told me it had found some 409000 things that were not what it expected. I tried to look through them but had not enough knowledge to get what it was all about.

I may try the one named Gmer too and the Chroot one.

But it seems one has to know much to have any usage of them.

For experts?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
bugman


Joined: 20 Dec 2005
Posts: 2131
Location: buffalo commons

PostPosted: Thu 04 Mar 2010, 09:20    Post subject:  

i'm confused as on my system /sbin/init is a link

can a link be infected?

_________________
. . . the machines are clean
and the machines are not corrupted


- lee "scratch" perry
8-bit


Joined: 03 Apr 2007
Posts: 3398
Location: Oregon

PostPosted: Thu 04 Mar 2010, 15:20    Post subject:  

When I ran the check root programs, they displayed a number of warnings on files. I do believe they were there because of Puppy's use of system links and scripts used to call some executables.
Since it is looking for an executable and finds a link or a script, it kicks back a warning.
Does that make sense?
Pizzasgood


Joined: 04 May 2005
Posts: 6270
Location: Knoxville, TN, USA

PostPosted: Fri 05 Mar 2010, 04:18    Post subject:  

They are false alarms. Chkroot doesn't like busybox, which is what we use to provide several of the core utilities.

http://www.murga-linux.com/puppy/viewtopic.php?p=359171#359171
Quote:
Busybox is basically a bunch of programs combined into one very small package. So things that chkrootkit does not expect to see in, for example, 'echo', are there because of the other programs that busybox mimics.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

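A defender's triage script for the kind of chkrootkit report posted above, added here as an example that is not from this thread and not chkrootkit's own code: it pulls each INFECTED name out of the report and checks whether the path on disk is a symlink into busybox, the false-alarm cause Pizzasgood and 8-bit describe. The root tree (busybox links for login, passwd and init, plus a plain file for traceroute) and the sample report lines are constructed for the demo; on a real system you would pass `/` as the root.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): triage chkrootkit "INFECTED" lines by checking whether
# the flagged path is a symlink into busybox (this thread's false-alarm cause). Tree and sample are constructed.
# Flagged name of one line: "Checking `login'... INFECTED" -> login, "Warning: /sbin/init INFECTED" -> /sbin/init.
flagged_name() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*Checking \`\([^']*\)'.*INFECTED.*/\1/p" \
        -e 's/.*Warning: \([^ ]*\) INFECTED.*/\1/p'
}

# Classify a name under root dir $1: busybox-link, symlink, regular or missing. Bare names: bin/ then sbin/.
classify_path() {
    root="$1"; name="$2"
    case "$name" in
        /*) p="$root$name" ;;
        *)  p="$root/bin/$name"; [ -e "$p" ] || p="$root/sbin/$name" ;;
    esac
    if [ -L "$p" ]; then
        case "$(basename "$(readlink "$p")")" in
            busybox) echo busybox-link ;;
            *)       echo symlink ;;
        esac
    elif [ -f "$p" ]; then echo regular
    else echo missing
    fi
}
# Read chkrootkit output on stdin; print "<verdict> <name>" for each INFECTED line.
triage_chkrootkit() {
    while IFS= read -r line; do
        name=$(flagged_name "$line")
        if [ -n "$name" ]; then printf '%s %s\n' "$(classify_path "$1" "$name")" "$name"; fi
    done
}
# Constructed Puppy-like tree: busybox applet links plus one real (non-busybox) binary.
make_fake_root() {
    r=$(mktemp -d); mkdir -p "$r/bin" "$r/sbin"
    printf '#!/bin/sh\n' > "$r/bin/busybox"
    ln -s busybox "$r/bin/login"; ln -s busybox "$r/bin/passwd"
    ln -s /bin/busybox "$r/sbin/init"       # absolute link, as on a full install
    printf 'ELF\n' > "$r/bin/traceroute"    # regular file: still needs real inspection
    printf '%s\n' "$r"
}
# Constructed sample, modelled on the "chkrootkit -q" output posted in this thread.
SAMPLE="can't exec ./strings-static, Checking \`login'... INFECTED
Checking \`passwd'... INFECTED
Checking \`traceroute'... INFECTED
Warning: /sbin/init INFECTED
Checking \`ls'... not infected"
run_demo() { r=$(make_fake_root); printf '%s\n' "$SAMPLE" | triage_chkrootkit "$r"; rm -rf "$r"; }
```

Anything that comes back as `regular` or as a `symlink` not pointing at busybox is not explained by the busybox quirk and still deserves a closer look (compare its hash against the package you installed from, or boot the CD and check the file from a clean system).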