Linux Mint Forums

by **yeleek** on Mon Jan 17, 2011 4:17 pm

Hi,

New to LDME today, mix of sick of hearing about Unity and issues with smartcards on Ubuntu. Good news issues are resolved under LDME, however just ran rkhunter --update and then rkhunter -c and getting this:

Rootkit checks...
Rootkits checked : 242
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit

https://bugs.launchpad.net/ubuntu/+sour ... bug/556455

Given i've only installed from official repositories or from http://www.opensc-project.org/opensc today its difficult to believe I've a rootkit.

Any thoughts?

THanks

by **Habitual** on Mon Jan 17, 2011 6:44 pm

This google search suggests is may be a false positive.
http://www.google.com/search?source=ig& ... h&aq=f&oq=

Did you run

Code: Select all: sudo rkhunter --update

before the scan?

can you post the output of this command?

Code: Select all: sudo grep 'Checking for string' /var/log/rkhunter.log

and

Code: Select all: rkhunter -V | head -1

<-- That's a capital Vee

by **yeleek** on Tue Jan 18, 2011 4:39 am

Code: Select all: ben@wopr:~$ sudo grep 'Checking for string' /var/log/rkhunter.log [08:35:04] Checking for string 'w0rm' [ Not found ] [08:35:24] Checking for string 'phalanx' [ Not found ] [08:35:24] Checking for string '/dev/proc/rainbows' [ Not found ] [08:35:24] Checking for string 'rainbows' [ Not found ] [08:35:24] Checking for string 'backdoor' [ Not found ] [08:35:24] Checking for string '/usr/bin/rcpc' [ Not found ] [08:35:24] Checking for string '/usr/sbin/login' [ Not found ] [08:35:24] Checking for string '/dev/ptyxx/.proc' [ Not found ] [08:35:24] Checking for string 'vt200' [ Not found ] [08:35:24] Checking for string '/usr/bin/xstat' [ Not found ] [08:35:24] Checking for string '/bin/envpc' [ Not found ] [08:35:24] Checking for string 'L4m3r0x' [ Not found ] [08:35:24] Checking for string '/lib/libext' [ Not found ] [08:35:24] Checking for string '/usr/sbin/login' [ Not found ] [08:35:24] Checking for string '/usr/lib/.tbd' [ Not found ] [08:35:24] Checking for string 'sendmail' [ Not found ] [08:35:24] Checking for string 'cocacola' [ Not found ] [08:35:24] Checking for string 'joao' [ Not found ] [08:35:24] Checking for string '/dev/ptyxx/.file' [ Not found ] [08:35:24] Checking for string '/dev/ptyxx/.file' [ Not found ] [08:35:24] Checking for string '/dev/sgk' [ Not found ] [08:35:24] Checking for string '/var/lock/subsys/...datafile...' [ Not found ] [08:35:24] Checking for string '/usr/lib/.tbd' [ Not found ] [08:35:24] Checking for string '/dev/proc/rainbows' [ Not found ] [08:35:24] Checking for string '/lib/.sso' [ Not found ] [08:35:24] Checking for string '/var/lock/subsys/...datafile...' [ Not found ] [08:35:24] Checking for string '/dev/caca' [ Not found ] [08:35:25] Checking for string '/dev/ttyoa' [ Not found ] [08:35:25] Checking for string '/usr/lib/ldlibns.so' [ Not found ] [08:35:25] Checking for string '/dev/ptyxx/.addr' [ Not found ] [08:35:25] Checking for string 'syg' [ Not found ] [08:35:25] Checking for string '/var/lock/subsys/...datafile...' [ Not found ] [08:35:25] Checking for string '/dev/pts/01' [ Not found ] [08:35:25] Checking for string 'tw33dl3' [ Not found ] [08:35:25] Checking for string 'psniff' [ Not found ] [08:35:25] Checking for string 'uconf.inv' [ Not found ] [08:35:25] Checking for string 'lib/ldlibps.so' [ Not found ] [08:35:25] Checking for string '/usr/lib/ldlibpst.so' [ Not found ] [08:35:25] Checking for string '/var/lock/subsys/...datafile...' [ Not found ] [08:35:25] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:25] Checking for string '/dev/ptyxx/.proc' [ Not found ] [08:35:25] Checking for string '/dev/ptyxx/.proc' [ Not found ] [08:35:25] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:25] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:25] Checking for string '/bin/bash' [ Not found ] [08:35:25] Checking for string '/dev/xdta' [ Not found ] [08:35:25] Checking for string '/usr/lib/.tbd' [ Not found ] [08:35:25] Checking for string '/dev/ptyxx/.proc' [ Not found ] [08:35:26] Checking for string 'in.inetd' [ Not found ] [08:35:26] Checking for string '#<HIDE_.*>' [ Not found ] [08:35:26] Checking for string 'bin/xchk' [ Not found ] [08:35:26] Checking for string 'bin/xsf' [ Not found ] [08:35:26] Checking for string '/usr/bin/ssh2d' [ Not found ] [08:35:27] Checking for string '/usr/sbin/xntps' [ Not found ] [08:35:27] Checking for string 'ttyload' [ Not found ] [08:35:27] Checking for string '/etc/rc.d/init.d/init' [ Not found ] [08:35:27] Checking for string 'usr/bin/xfss' [ Not found ] [08:35:27] Checking for string '/usr/sbin/rpc.netinet' [ Not found ] [08:35:27] Checking for string '/usr/lib/.fx/cons.saver' [ Not found ] [08:35:28] Checking for string '/usr/lib/.fx/xs' [ Not found ] [08:35:28] Checking for string '/ssh2d' [ Not found ] [08:35:28] Checking for string '/dev/kmod' [ Not found ] [08:35:28] Checking for string '/crth.o' [ Not found ] [08:35:28] Checking for string '/crtz.o' [ Not found ] [08:35:29] Checking for string '/dev/dos' [ Not found ] [08:35:29] Checking for string '/lpq' [ Not found ] [08:35:29] Checking for string '/usr/sbin/rescue' [ Not found ] [08:35:29] Checking for string '/usr/lib/lpstart' [ Not found ] [08:35:29] Checking for string '/volc' [ Not found ] [08:35:30] Checking for string 'sourcemask' [ Not found ] [08:35:30] Checking for string '/bin/vobiscum' [ Not found ] [08:35:30] Checking for string '/usr/sbin/in.telnet' [ Not found ] [08:35:30] Checking for string 'hdparm' [ Warning ] [08:35:30] Checking for string '/lib/ldd.so/tkps' [ Not found ] [08:35:30] Checking for string 't0rnkit' [ Not found ] [08:35:30] Checking for string '/dev/proc/rainbows' [ Not found ] [08:35:30] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:30] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:30] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:30] Checking for string '/usr/lib/ldlibct.so' [ Not found ] [08:35:31] Checking for string '/usr/lib/ldlibdu.so' [ Not found ] [08:35:31] Checking for string '/dev/ptyxx/.file' [ Not found ] [08:35:31] Checking for string 'libproc.so.2.0.7' [ Not found ] [08:35:31] Checking for string '/dev/ida/.inet' [ Not found ]

Rootkit Hunter 1.3.6

It seems to be objecting to the string hdparm, but a google search suggests thats a perfectly valid package.

Code: Select all: sudo grep 'hdparm' /var/log/rkhunter.log [08:35:30] Checking for string 'hdparm' [ Warning ] [08:35:31] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit [08:35:31] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit

Thanks

by **Habitual** on Tue Jan 18, 2011 10:38 am

I get the same warning about the same file.

try this (I did)

Code: Select all: sudo apt-get install --reinstall hdparm sudo rkhunter --update sudo md5sum /sbin/hdparm

md5sum here is 5f74fb3bd3a1b50e803d139a7aa10695 and I still get warning.
However, a new scan shows me

Code: Select all: Xzibit Rootkit [ Not found ]

but it does find a string that it identifies as being part of the rootkit. My conclusion is that the Xzibit rootkit uses hdparm or a function from it as part of its exploit.

In the future, you can always ask someone on the same OS/Release/platform to do an

Code: Select all: sudo md5sum /sbin/hdparm

and compare the md5sum hash.

A google search suggests that this is an outstanding bug in rkhunter across multiple OS/distros and platforms.
I used http://www.google.com/search?num=100&hl ... =&aql=&oq=
to come to that conclusion.

I hope that helps.

by **yeleek** on Tue Jan 18, 2011 10:43 am

Thanks for the reply - yeah it does help knowing someone else thinks the same

by **Habitual** on Tue Jan 18, 2011 10:49 am

You are very welcome.

Linux Mint Forums

rkhunter bug?

rkhunter bug?

Re: rkhunter bug?

Re: rkhunter bug?

Re: rkhunter bug?

Re: rkhunter bug?

Re: rkhunter bug?

Who is online