Chkrootkit says rootkits detected? [SOLVED]

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#1 Post by yorkiesnorkie »

Hi,

I compiled and ran chkrootkit-0.49 (referred to in the discussion on PET files, http://www.chkrootkit.org/) on my Puppy Linux 4.3.1 frugal install, and it's coming back and telling me that it is infected. I note that the last release date of this software is 2009, or so it would appear from the website. I'd appreciate your thoughts, anyone?

Yorkie

Here's what I logged in rxvt:
[code]
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED

Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
16 /usr/share
1 /usr/share/vala
1 /usr/share/kbd
2 /usr/share/kbd/keymaps
2 /usr/share/kbd/keymaps/i386
1 /usr/share/cups
2 /usr/share/ayttm
2 /usr/share/ayttm/smileys
1 /usr/share/pixmaps
3 /usr/share/doc
2 /usr/share/icons
14 /usr/share/icons/hicolor
1 /usr/share/icons/hicolor/64x64
2 /usr/share/icons/hicolor/24x24
3 /usr/share/icons/hicolor/22x22
2 /usr/share/icons/hicolor/48x48
2 /usr/share/icons/hicolor/scalable
2 /usr/share/icons/hicolor/32x32
1 /usr/share/icons/hicolor/128x128
3 /usr/share/icons/hicolor/16x16
1 /lib
2 /lib/modules
chkdirs: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... wlan0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Wed Dec 31 20:00:00 1969 and Wed Mar 23 13:33:33 2011
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... Checking `chkutmp'... => possibly 1 deletion(s) detected in /var/run/utmp !
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 8909 tty1 /bin/sh /usr/bin/xwin
! root 8910 tty2 /sbin/getty 38400 tty2
! root 8916 tty3 /sbin/getty 38400 tty3
! root 9216 tty1 /usr/bin/xinit /root/.xinitrc -- -br -nolisten tcp
! root 9217 tty4 X :0 -br -nolisten tcp
! root 9237 tty1 jwm
! root 9289 tty1 /bin/ash /sbin/pup_event_frontend_d
! root 9321 tty1 /usr/local/apps/ROX-Filer/ROX-Filer -p /root/Choices/ROX-Filer/PuppyPin
! root 9322 tty1 [delayedrun] <defunct>
! root 9325 tty1 absvolume -bg #DCDAF5
! root 9370 tty1 xload -nolabel -bg #888888 -fg red -hl white
! root 9372 tty1 freememapplet
! root 9376 tty1 blinky -bg #DCDAD5
! root 9995 tty1 geany /root/my-documents/chkrootkit-0.49/README
! root 10164 tty1 rxvt
! root 10168 pts/0 bash
! root 10423 tty1 /usr/bin/inotifywait -e modify --format %w /tmp/pup_event_sizefreem
! root 14113 pts/0 /bin/sh ./chkrootkit
! root 14114 pts/0 tee rootkitlog.txt
! root 15496 tty1 sleep 2
! root 15519 pts/0 ./chkutmp
! root 15520 pts/0 ps-FULL ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
[/code]
Last edited by yorkiesnorkie on Wed 23 Mar 2011, 20:00, edited 1 time in total.
[url]http://www.busygamemaster.com[/url]

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#2 Post by DPUP5520 »

Have you tried running it on a clean live CD and seeing if it comes back with the same results? Could be false positives.
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=69651][b][i]PupRescue 2.5[/i][/b][/url]
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=72178][b][i]Puppy Crypt 528[/i][/b][/url]

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#3 Post by yorkiesnorkie »

I found another post on the forum, which makes me think the application may not be that useful: http://murga-linux.com/puppy/viewtopic.php?t=10056. If it is reporting false positives, how do you figure out which is correct?
[url]http://www.busygamemaster.com[/url]

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#4 Post by yorkiesnorkie »

Looking at the other output, the result is very similar. This may not be a very reliable tool for a novice user. You're right, I should try running it on a live CD and see what turns up.

Yorkie
[url]http://www.busygamemaster.com[/url]

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#5 Post by yorkiesnorkie »

Yeah, I just booted from the live CD and ran the same check with it, and guess what, the same result. Its usefulness as a tool is debatable.
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED

Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
1 /usr/share
1 /usr/share/icons
1 /lib
1 /lib/modules
chkdirs: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Thu Jan 1 08:00:00 1970 and Wed Mar 23 16:51:20 2011
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... Checking `chkutmp'... => possibly 1 deletion(s) detected in /var/run/utmp !
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 8888 tty1 /bin/sh /usr/bin/xwin
! root 8889 tty2 /sbin/getty 38400 tty2
! root 8894 tty3 /sbin/getty 38400 tty3
! root 9118 tty1 /usr/bin/xinit /root/.xinitrc -- -br -nolisten tcp
! root 9119 tty4 X :0 -br -nolisten tcp
! root 9121 tty1 jwm
! root 9144 tty1 /bin/ash /sbin/pup_event_frontend_d
! root 9401 tty1 /usr/local/apps/ROX-Filer/ROX-Filer -p /root/Choices/ROX-Filer/PuppyPin
! root 9404 tty1 [delayedrun] <defunct>
! root 9407 tty1 absvolume -bg #DCDAF5
! root 9519 tty1 xload -nolabel -bg #888888 -fg red -hl white
! root 9521 tty1 freememapplet
! root 9525 tty1 blinky -bg #DCDAD5
! root 10079 tty1 /usr/bin/inotifywait -e modify --format %w /tmp/pup_event_sizefreem
! root 10141 tty1 geany /mnt/sda5/chkrootkit-0.49/README
! root 10506 tty1 rxvt
! root 10513 pts/0 bash
! root 10848 pts/0 /bin/sh ./chkrootkit
! root 10849 pts/0 tee frugallog.txt
! root 12022 tty1 sleep 2
! root 12076 pts/0 ./chkutmp
! root 12077 pts/0 ps-FULL ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
[url]http://www.busygamemaster.com[/url]

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#6 Post by DPUP5520 »

A lot of the time it is not that a rootkit/antivirus/spyware checker is not useful; it is just that a lot of programs/sources use code that is similar to that which would have been thought to be malicious, especially if the program you are using to check for infected files is out of date and hasn't been updated to ignore/be able to differentiate between the two.
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=69651][b][i]PupRescue 2.5[/i][/b][/url]
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=72178][b][i]Puppy Crypt 528[/i][/b][/url]

yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#7 Post by yorkiesnorkie »

This tool was suggested to me by someone here at the forum. I don't think we should be complacent about security but I think though that this particular tool is not a good one and should not be recommended to anyone for use with Puppy on the basis that it detects this many false positives. The last release date was 2009.
[url]http://www.busygamemaster.com[/url]

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#8 Post by amigo »

Most of those are links to busybox utilities which chkrootkit gives the evil eye on, but I'm not sure what the lib/modules check might be complaining about.
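A small triage script for the log in this thread (an added example, not chkrootkit's own code or Puppy's): it pulls the names chkrootkit marked INFECTED out of the log and checks whether each one resolves to a busybox symlink, as amigo suggests, so that only hits pointing at a real, separate binary remain to be investigated. The sample log lines are a constructed excerpt of the output posted above, and the busybox symlink layout is an assumption.

```shell
#!/bin/sh
# Triage helper for chkrootkit "INFECTED" hits. Added example for this thread,
# not part of chkrootkit or Puppy. Assumes the Puppy layout amigo describes:
# many of the checked tools are symlinks to a single busybox binary.

# Constructed excerpt in the format of the log above (backticks are chkrootkit's).
SAMPLE_LOG=$(cat <<'EOF'
Checking `basename'... INFECTED
Checking `cron'... not infected
Checking `login'... INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
EOF
)

# Print the tool names that chkrootkit marked INFECTED, one per line.
flagged_names() {
    printf '%s\n' "$1" | sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED\$/\1/p"
}

# Resolve NAME in the colon-separated DIRS (default: PATH). Exit 0 when it is a
# symlink into busybox (the benign case amigo describes), 1 when it is a real
# binary that deserves a closer look, 2 when it is not found at all.
classify() {
    name=$1
    dirs=${2:-$PATH}
    for d in $(printf '%s\n' "$dirs" | tr ':' '\n'); do
        f="$d/$name"
        [ -e "$f" ] || continue
        target=$(readlink -f "$f" 2>/dev/null || printf '%s' "$f")
        case "$(basename "$target")" in
            busybox) echo "$name: busybox link ($f -> $target)"; return 0 ;;
            *)       echo "$name: real binary $target, verify its checksum"; return 1 ;;
        esac
    done
    echo "$name: not found in $dirs"
    return 2
}

# Classify every flagged name; exit status = number of hits NOT explained by a
# busybox link (0 means every INFECTED verdict was just busybox).
triage_log() {
    unexplained=0
    for n in $(flagged_names "$1"); do
        classify "$n" "$2" || unexplained=$((unexplained + 1))
    done
    return $unexplained
}

triage_log "$SAMPLE_LOG" || echo "$? hit(s) still need a closer look"
```

Running the same script against the live CD log and the frugal-install log lets you compare which hits are explained by busybox on both, which is the comparison DPUP5520 proposed.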
