Rocket
Joined: 02 Mar 2010 Posts: 15
Posted: Tue 02 Mar 2010, 03:48 Post subject:
chkrootkit says Stardust /sbin/init INFECTED with Suckit Subject description: What to do?
I ran chkrootkit on Stardust Puppy and it found the following.
"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"
Now I have to figure out what to do about it.
R
Lobster
Official Crustacean

Joined: 04 May 2005 Posts: 15550 Location: Paradox Realm
Posted: Tue 02 Mar 2010, 05:43 Post subject:
I suppose not running Stardust is a start
Is the rootkit on the CD or on your install?
Quote: SucKIT is a rootkit presented in Phrack issue 58, article 0x07 ("Linux on-the-fly kernel patching without LKM", by sd & devik). This is a fully working rootkit that is loaded through /dev/kmem (i.e. it does not need a kernel with support for loadable kernel modules). It provides a password protected remote access connect-back shell initiated by a spoofed packet (bypassing most of firewall configurations), and can hide processes, files and connections.
http://la-samhna.de/library/rootkits/list.html
Chkrootkit
http://en.wikipedia.org/wiki/Chkrootkit
Tin hats to maximum
Release the hounds . . .
Can someone confirm it is on CD?
_________________ Puppy on Raspberry Pi Release Candidate
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html 
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Tue 02 Mar 2010, 07:03 Post subject:
Are you guys joking around or is this for real? My English often fails to tell me whether people are just teasing each other or whether it is a serious thing.
How do I test it on my machine? Does this chroot thing give false positives?
Has anybody told Zigbert?
How do I get rid of it if I have it?
_________________ I use Google Search on Puppy Forum
not an ideal solution though
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Tue 02 Mar 2010, 07:08 Post subject:
Re: Rootkit scan Subject description: chkrootkit results
Rocket wrote:
I ran chkrootkit on Stardust Puppy and it found the following.
"Searching for Suckit rootkit... Warning: /sbin/init INFECTED"
Now I have to figure out what to do about it.
R
By running it on Stardust, do you mean that you pointed chkrootkit at the Stardust Puppy .iso file and it looked through it,
or
have you installed Stardust Puppy as a full install or frugal install, or run it from DVD as a live user session, and then activated chkrootkit on Stardust Puppy?
Which other Linux do you have installed now?
A rootkit is in the first sectors of root. Does that not mean it could have been there before you downloaded Star Dust?
I mean, did you run chkrootkit on your machine before you downloaded the iso, and which iso was it?
There are Stardust releases from 001 to 012, so very many isos to choose from to test?
Quote: There are inherent limitations to the reliability of any program that attempts to detect compromises (such as rootkits and computer viruses). Newer rootkits may specifically attempt to detect and compromise copies of the chkrootkit programs or take other measures to evade detection by them.[1]
So if that is how you did it, you have a CD or DVD and from there executed chkrootkit, and it looked through your HD with Stardust on it?
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Tue 02 Mar 2010, 10:11 Post subject:
It can be a false positive!
https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566
Quote:
False positive for SucKit
1. Ubuntu
2. "chkrootkit" package
3. Bugs
4. Bug #454566
If one runs it with Rootkit Hunter it does not find it.
So hopefully it is a false positive.
Eyes-Only

Joined: 10 Aug 2006 Posts: 1046 Location: La Confederation Abenaquaise
Posted: Tue 02 Mar 2010, 13:43 Post subject:
You folks will find some very fascinating reading, plus how to use the CLI/terminal to manually check for SuckIt, at this URL:
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
And yes, that's brought to us from our good gentoo brethren. Thanks to them for the tips.
I hope this helped all involved? Did me!
Amicalement/Mazzel/Cheers!
Eyes-Only
"L'Peau-Rouge"
_________________ *~*~*~*~*~*
Proud user of LXpup and 3-Headed Dog.
*~*~*~*~*~*
nancy reagan
Joined: 22 Jan 2009 Posts: 549
Posted: Tue 02 Mar 2010, 13:50 Post subject:
... Rocket just landed stranded here today ..
... Rocket just landed stranded here today .
Not being a tweaker, one must try one's other senses (if available) and I thought he just landed here today, so ??
fancy Reagan
8-bit

Joined: 03 Apr 2007 Posts: 3425 Location: Oregon
Posted: Tue 02 Mar 2010, 14:27 Post subject:
I just ran "chkrootkit -q" on Puppy 431 frugal install and it returned:
Code:
can't exec ./strings-static, Checking `login'... INFECTED
Checking `passwd'... INFECTED
Checking `traceroute'... INFECTED
strings: w: No such file or directory
strings: write: No such file or directory
/bin/ls: cannot access write: No such file or directory
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist /usr/lib/seamonkey/.autoreg
Warning: /sbin/init INFECTED
find: /proc/8338/net: Invalid argument
not tested: can't exec
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp
So has anyone else had that output from it?
I do not keep any personal info on my PC, so I am not overly concerned.
Lobster
Official Crustacean

Joined: 04 May 2005 Posts: 15550 Location: Paradox Realm
Posted: Tue 02 Mar 2010, 23:11 Post subject:
Stand down red alert
call back the hounds
Consolation for the tin hats . . .
http://freshmeat.net/projects/rkhunter
We await Positive falsies and other potential threats
Quote: Are you guys joking around or is this for real?
'Why so serious' [Joker as played by the late Heath Ledger]
Somebody has said what a malware detector is reporting
We need to move from a position of ignorance to what and why this is happening.
. . . that is fun . . .
Rooting for Puppy
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Wed 03 Mar 2010, 04:57 Post subject:
Yes, one can joke about serious things too.
But as a newbie, the solutions that were suggested were too technical to be followed, by me at least. If any of you could use them, maybe you can explain how one does it step by step?
8-bit

Joined: 03 Apr 2007 Posts: 3425 Location: Oregon
Posted: Wed 03 Mar 2010, 12:51 Post subject:
Both root kit checking programs have README files with them that tell you how to use them.
And neither one has to be installed to use them as per the README files.
I tried both, so I am speaking from experience.
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Thu 04 Mar 2010, 08:53 Post subject:
I tested a third one that column writers recommended at geek com something.
Rootkit Revealer, and it ran for some 30 minutes or more and finally told me it had found some 409000 things that were not what it expected. I tried to look through them but did not have enough knowledge to get what it was all about.
I may try the one named Gmer too, and the Chroot one.
But it seems one has to know much to get any use out of them.
For experts?
bugman

Joined: 20 Dec 2005 Posts: 2131 Location: buffalo commons
Posted: Thu 04 Mar 2010, 09:20 Post subject:
i'm confused as on my system /sbin/init is a link
can a link be infected?
_________________ . . . the machines are clean
and the machines are not corrupted
- lee "scratch" perry
8-bit

Joined: 03 Apr 2007 Posts: 3425 Location: Oregon
Posted: Thu 04 Mar 2010, 15:20 Post subject:
When I ran the check root programs, they displayed a number of warnings on files. I do believe they were there because of Puppy's use of symlinks and of scripts used to call some executables.
Since the checker is looking for an executable and finds a link or a script, it kicks back a warning.
Does that make sense?
Pizzasgood

Joined: 04 May 2005 Posts: 6266 Location: Knoxville, TN, USA
Posted: Fri 05 Mar 2010, 04:18 Post subject:
They are false alarms. Chkroot doesn't like busybox, which is what we use to provide several of the core utilities.
http://www.murga-linux.com/puppy/viewtopic.php?p=359171#359171
Quote: Busybox is basically a bunch of programs combined into one very small package. So things that chkrootkit does not expect to see in, for example, 'echo', are there because of the other programs that busybox mimics.
_________________ Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
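The questions raised through this thread (Lobster's "is the rootkit on the CD or on your install?", bugman's "can a link be infected?", and 8-bit's and Pizzasgood's point that symlinks, wrapper scripts and busybox trigger the warnings) come down to one triage step: find out what the flagged path actually is, and whether it matches the pristine copy on the untouched CD or ISO. The script below is an added example written for this thread, not code from chkrootkit, rkhunter or the Puppy project. It assumes a POSIX shell with `readlink -f`, `sha256sum` and `dd` available (GNU coreutils or busybox both provide them), and that the reference copy is mounted read-only under a directory given in `REF`.

```shell
#!/bin/sh
# Triage a path flagged by a rootkit scanner (added example, not chkrootkit code).
#
# classify_path PATH
#   prints one of:
#     missing                       - nothing at that path
#     symlink->busybox <target>     - a symlink whose resolved target is busybox
#     symlink->other <target>       - a symlink to anything else
#     script                        - a regular file starting with "#!"
#     binary                        - any other regular file
classify_path() {
    p="$1"
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo "missing"
        return 0
    fi
    if [ -L "$p" ]; then
        # A symlink holds no code of its own; what a scanner really examined
        # is the resolved target, so report that.
        target=$(readlink -f "$p")
        case "$(basename "$target")" in
            busybox) echo "symlink->busybox $target" ;;
            *)       echo "symlink->other $target" ;;
        esac
        return 0
    fi
    # A "#!" header means a wrapper script, not the ELF binary a string
    # signature check expects, which is a common source of false alarms.
    if [ "$(dd if="$p" bs=2 count=1 2>/dev/null)" = "#!" ]; then
        echo "script"
        return 0
    fi
    echo "binary"
}

# compare_hash PATH REFERENCE
#   prints "match" if both files have the same SHA-256 digest, else "differ".
#   REFERENCE is meant to be the same file taken from the untouched CD/ISO,
#   which answers "is it on the CD or only on the install?".
compare_hash() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then echo "match"; else echo "differ"; fi
}

# Usage:  REF=/mnt/cdrom sh triage.sh /sbin/init /bin/login /usr/bin/passwd
# (REF is a hypothetical mount point for the pristine media; omit it to skip hashing.)
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(classify_path "$p")"
    if [ -n "$REF" ] && [ -f "$REF$p" ]; then
        printf '  vs %s: %s\n' "$REF$p" "$(compare_hash "$p" "$REF$p")"
    fi
done
```

A `symlink->busybox` or `script` result explains the warning the way Pizzasgood and 8-bit describe it; a `binary` whose hash differs from the copy on the original media is the one case that deserves further attention, since a live-CD system that matches its media has nothing persistent to carry a rootkit.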