chkrootkit says Stardust /sbin/init INFECTED with Suckit
I ran chkrootkit on Stardust Puppy and it found the following.
"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"
Now I have to figure out what to do about it.
R
- Lobster
- Official Crustacean
- Posts: 15522
- Joined: Wed 04 May 2005, 06:06
- Location: Paradox Realm
- Contact:
I suppose not running Stardust is a start
Is the rootkit on the CD or on your install?
From http://la-samhna.de/library/rootkits/list.html :
SucKIT is a rootkit presented in Phrack issue 58, article 0x07 ("Linux on-the-fly kernel patching without LKM", by sd & devik). This is a fully working rootkit that is loaded through /dev/kmem (i.e. it does not need a kernel with support for loadable kernel modules). It provides a password protected remote access connect-back shell initiated by a spoofed packet (bypassing most firewall configurations), and can hide processes, files and connections.
Chkrootkit
http://en.wikipedia.org/wiki/Chkrootkit
Tin hats to maximum
Release the hounds . . .
Can someone confirm it is on CD?
Are you guys joking around or is this for real? My English often fails to tell whether people are just teasing each other or whether it is a serious thing.
How do I test it on my machine? Does this chroot thing give false positives?
Has anybody told Zigbert?
How do I get rid of it if I have it?
I use Google Search on Puppy Forum
not an ideal solution though
Re: Rootkit scan
Rocket wrote:
I ran chkrootkit on Stardust Puppy and it found the following.
"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"
Now I have to figure out what to do about it.
R
By "run it on Stardust" do you mean that you pointed chkrootkit at the Stardust Puppy .iso file and it looked through it,
or
have you installed Stardust Puppy as a full install or frugal install, or on DVD as a live user session, and then run chkrootkit on Stardust Puppy?
Which other linux do you have installed now?
A rootkit is on the first sectors in root. Does that not mean it could have been there before you downloaded Star Dust?
I mean, did you run chkrootkit on your machine before you downloaded the iso, and which iso was it?
There are Stardust from 001 to 012, so very many isos to choose from to test?
So if that is how you did it, you have a CD or DVD and from there executed chkrootkit and it looked through your HD with Stardust on it?
Quoting the Wikipedia Chkrootkit article:
There are inherent limitations to the reliability of any program that attempts to detect compromises (such as rootkits and computer viruses). Newer rootkits may specifically attempt to detect and compromise copies of the chkrootkit programs or take other measures to evade detection by them.[1]
I use Google Search on Puppy Forum
not an ideal solution though
It can be a false positive!
https://bugs.launchpad.net/ubuntu/+sour ... bug/454566
[quote]
False positive for SucKit
1. Ubuntu
2. “chkrootkit
I use Google Search on Puppy Forum
not an ideal solution though
You folks will find some very fascinating reading, plus how to use the CLI/terminal to manually check for SuckIt, at this URL:
http://forums.gentoo.org/viewtopic-t-32 ... uckit.html
And yes, that's brought to us from our good gentoo brethren. Thanks to them for the tips.
I hope this helped all involved? Did me!
Amicalement/Mazzel/Cheers!
Eyes-Only
"L'Peau-Rouge"
*~*~*~*~*~*
Proud user of LXpup and 3-Headed Dog.
*~*~*~*~*~*
- Posts: 544
- Joined: Thu 22 Jan 2009, 14:20
... Rocket just landed stranded here today ..
Not being a tweaker, one must try one's other senses (if available) and I thought he just landed here today, so ??
fancy Reagan
I just ran "chkrootkit -q" on Puppy 431 frugal install and it returned:
Code:
can't exec ./strings-static, Checking `login'... INFECTED
Checking `passwd'... INFECTED
Checking `traceroute'... INFECTED
strings: w: No such file or directory
strings: write: No such file or directory
/bin/ls: cannot access write: No such file or directory
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist /usr/lib/seamonkey/.autoreg
Warning: /sbin/init INFECTED
find: /proc/8338/net: Invalid argument
not tested: can't exec
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp
So has anyone else had that output from it?
I do not keep any personal info on my PC, so I am not overly concerned.
- Lobster
- Official Crustacean
- Posts: 15522
- Joined: Wed 04 May 2005, 06:06
- Location: Paradox Realm
- Contact:
Stand down red alert
call back the hounds
Consolation for the tin hats . . .
http://freshmeat.net/projects/rkhunter
We await Positive falsies and other potential threats
Quote: Are you guys joking around or is this for real?
Somebody has said what a malware detector is reporting
We need to move from a position of ignorance to what and why this is happening.
. . . that is fun . . .
'Why so serious' [Joker as played by the late Heath Ledger]
Rooting for Puppy
I tested a third one that column writers did recommend at geek com something.
Rootkit Revealer, and it ran for some 30 minutes or more and finally told me it had found some 409000 things that were not what it expected. I tried to look through them but did not have enough knowledge to get what it was all about.
I may try the one named Gmer too, and the Chroot one.
But it seems one has to know much to have any usage of them.
For experts?
I use Google Search on Puppy Forum
not an ideal solution though
When I ran the check root programs, it displayed a number of warnings on files. I do believe they were there because of Puppy's use of system links and scripts used to call some executables.
Since it is looking for an executable and finds a link or a script, it kicks back a warning.
Does that make sense?
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
They are false alarms. Chkroot doesn't like busybox, which is what we use to provide several of the core utilities.
http://www.murga-linux.com/puppy/viewto ... 171#359171
Busybox is basically a bunch of programs combined into one very small package. So things that chkrootkit does not expect to see in, for example, 'echo', are there because of the other programs that busybox mimics.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
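A small triage script, added here as an example and not part of Pizzasgood's post or of chkrootkit itself: it resolves a name that chkrootkit flagged and reports whether it is a busybox applet, a script or a real ELF binary, which is the distinction the post makes. The function names classify_binary and triage_flagged are my own, and the usage call at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the forum post or from chkrootkit itself.
# classify_binary PATH : print what actually sits behind a flagged name:
#   busybox-applet  the path resolves to a file named busybox (Puppy's multi-call binary)
#   script          the file starts with "#!"
#   elf             the file starts with the ELF magic (a real compiled binary)
#   other / missing anything else, or the path does not exist
classify_binary() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    target=$(readlink -f "$f" 2>/dev/null || echo "$f")
    case $(basename "$target") in
        busybox) echo busybox-applet; return 0 ;;
    esac
    # first four bytes as hex: 7f454c46 is ELF, 2321... is "#!"
    case $(od -An -tx1 -N4 "$target" | tr -d ' \n') in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# triage_flagged ROOT NAME... : for each NAME chkrootkit reported, find it in the
# usual bin directories under ROOT ("" = the running system) and print where it
# resolves and what kind of file it is.
triage_flagged() {
    root=$1; shift
    for name in "$@"; do
        found=""
        for d in /bin /sbin /usr/bin /usr/sbin; do
            [ -e "$root$d/$name" ] && { found="$root$d/$name"; break; }
        done
        if [ -n "$found" ]; then
            printf '%s -> %s (%s)\n' "$name" "$(readlink -f "$found")" \
                "$(classify_binary "$found")"
        else
            printf '%s -> not found\n' "$name"
        fi
    done
}

# Names reported INFECTED in this thread; on a Puppy box most resolve to busybox.
# triage_flagged "" login passwd traceroute init
```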
So which anti rootkit program would show the least such false positives?
I tested Rootkit Revealer and it showed 406xxx, that is four hundred six thousand, things that it did not like.
Too much to go through to know if there is something to look deeper into.
What about Gmer, is that only a remover and not a teller of what it wants to remove before it does it?
Maybe the easiest thing for a newbie is to look for activity on the port 55 or something. Not that I know how to do this, but that program is built into puppy from scratch I guess, so easy to use if somebody tells how to get it going.
I use Google Search on Puppy Forum
not an ideal solution though
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
If you trust Puppy as provided by Barry to be initially free from malware, you could create md5sums of all the files, store them on a read-only medium, and then verify them from time to time to make sure nothing changed. That would help you notice if any files changed.
It won't help you notice if new things are added without changing existing stuff. For example, scripts placed into /etc/init.d/, /etc/profile.d/, and /root/Startup will be run automatically as Puppy boots (and also whenever you open a terminal, in the case of profile.d). Also, files in /etc/udev/rules.d/ can execute commands when hardware is detected or removed.
If you don't add files to Puppy very often, you could do a remaster after it's set up and start from a fresh pup_save.2fs file. Then you could look at the contents of the pup_save.2fs file from time to time to see if there's anything suspicious in it. (If you frequently install or modify things this won't work because it will quickly fill up with a bunch of stuff that's legit.)
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
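The baseline-and-verify routine the post describes, as an added example that is not from the post or from Puppy: make_baseline records an md5 per file and verify_baseline reports changed and missing files and, unlike a plain md5sum -c of the old manifest, files that were added since (the gap the post points out for /etc/init.d/ and /root/Startup). The function names and the manifest path in the comment are my own; keep the manifest on read-only media as the post suggests.

```shell
#!/bin/sh
# Added example, not from the forum post or from Puppy itself.
# make_baseline ROOT MANIFEST : record "path<TAB>md5" for every regular file
# under ROOT, sorted by path. Kernel pseudo-filesystems are skipped.
make_baseline() {
    ( cd "$1" && find . -type f ! -path './proc/*' ! -path './sys/*' \
          ! -path './dev/*' -exec md5sum {} + ) \
      | awk '{ h = $1; sub(/^[^ ]+  /, ""); print $0 "\t" h }' \
      | LC_ALL=C sort > "$2"
}

# verify_baseline ROOT MANIFEST : re-hash ROOT and print one line per
# difference, tagged CHANGED / MISSING / NEW. Returns 1 if anything differs.
# NEW is what catches drop-ins such as /etc/init.d/ or /root/Startup scripts,
# which "md5sum -c" of the old manifest would never look at.
verify_baseline() {
    cur=$(mktemp /tmp/baseline.XXXXXX) || return 2
    make_baseline "$1" "$cur"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2; next }   # first file: baseline
        {
            if (!($1 in base))       print "NEW: " $1
            else if (base[$1] != $2) print "CHANGED: " $1
            delete base[$1]
        }
        END { for (p in base) print "MISSING: " p }
    ' "$2" "$cur")
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Typical use (paths constructed): make_baseline / /mnt/cdrom/puppy-baseline.txt
# once, then verify_baseline / /mnt/cdrom/puppy-baseline.txt from time to time.
```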
I found this interesting text today searching for puppy and rootkits detection.
http://www.prevx.com/blog/139/Tdss-root ... e-net.html
one of the commentators wrote
# Randy on Dec 2 1:22, 2009
I wonder if one could just boot to a Linux boot CD like Puppy and remove the infected dll files.
Can one use pfind to look for known rootkit names, or are they encrypted and don't show up?
I use Google Search on Puppy Forum
not an ideal solution though
dll files are Windows ones and the key word here is infected.
Randomly going through windows and deleting DLL files that are supposedly infected may kill windows.
If one is concerned, do a backup of things you want to keep and reinstall windows.
The only dll files you would find in Puppy would be from an installation of wine.