rkhunter bug?


Postby yeleek on Mon Jan 17, 2011 4:17 pm

Hi,

New to LMDE today, a mix of being sick of hearing about Unity and issues with smartcards on Ubuntu. Good news: the issues are resolved under LMDE. However, I just ran rkhunter --update and then rkhunter -c and am getting this:


Rootkit checks...
Rootkits checked : 242
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit

https://bugs.launchpad.net/ubuntu/+sour ... bug/556455

Given I've only installed from official repositories or from http://www.opensc-project.org/opensc today, it's difficult to believe I have a rootkit.

Any thoughts?

Thanks
yeleek
Level 1
Posts: 5
Joined: Mon Jan 17, 2011 9:19 am


Re: rkhunter bug?

Postby Habitual on Mon Jan 17, 2011 6:44 pm

This Google search suggests it may be a false positive.
http://www.google.com/search?source=ig& ... h&aq=f&oq=

Did you run
sudo rkhunter --update

before the scan?

Can you post the output of this command?
sudo grep 'Checking for string' /var/log/rkhunter.log


and
rkhunter -V | head -1
<-- That's a capital Vee
What's a landing but a take off in reverse?
Habitual
Level 8
Posts: 2274
Joined: Sun Nov 21, 2010 8:31 pm
Location: LM17Q-Xfce

Re: rkhunter bug?

Postby yeleek on Tue Jan 18, 2011 4:39 am

ben@wopr:~$ sudo grep 'Checking for string' /var/log/rkhunter.log
[08:35:04]   Checking for string 'w0rm'                      [ Not found ]
[08:35:24]     Checking for string 'phalanx'                 [ Not found ]
[08:35:24]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:24]     Checking for string 'rainbows'                    [ Not found ]
[08:35:24]     Checking for string 'backdoor'                [ Not found ]
[08:35:24]     Checking for string '/usr/bin/rcpc'           [ Not found ]
[08:35:24]     Checking for string '/usr/sbin/login'         [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:24]     Checking for string 'vt200'                   [ Not found ]
[08:35:24]     Checking for string '/usr/bin/xstat'          [ Not found ]
[08:35:24]     Checking for string '/bin/envpc'              [ Not found ]
[08:35:24]     Checking for string 'L4m3r0x'                 [ Not found ]
[08:35:24]     Checking for string '/lib/libext'             [ Not found ]
[08:35:24]     Checking for string '/usr/sbin/login'         [ Not found ]
[08:35:24]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:24]     Checking for string 'sendmail'                [ Not found ]
[08:35:24]     Checking for string 'cocacola'                [ Not found ]
[08:35:24]     Checking for string 'joao'                    [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:24]     Checking for string '/dev/sgk'                [ Not found ]
[08:35:24]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:24]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:24]     Checking for string '/lib/.sso'               [ Not found ]
[08:35:24]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24]     Checking for string '/dev/caca'               [ Not found ]
[08:35:25]     Checking for string '/dev/ttyoa'              [ Not found ]
[08:35:25]     Checking for string '/usr/lib/ldlibns.so'     [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.addr'        [ Not found ]
[08:35:25]     Checking for string 'syg'                     [ Not found ]
[08:35:25]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25]     Checking for string '/dev/pts/01'             [ Not found ]
[08:35:25]     Checking for string 'tw33dl3'                 [ Not found ]
[08:35:25]     Checking for string 'psniff'                  [ Not found ]
[08:35:25]     Checking for string 'uconf.inv'               [ Not found ]
[08:35:25]     Checking for string 'lib/ldlibps.so'          [ Not found ]
[08:35:25]     Checking for string '/usr/lib/ldlibpst.so'    [ Not found ]
[08:35:25]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string '/bin/bash'               [ Not found ]
[08:35:25]     Checking for string '/dev/xdta'               [ Not found ]
[08:35:25]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:26]     Checking for string 'in.inetd'                [ Not found ]
[08:35:26]     Checking for string '#<HIDE_.*>'              [ Not found ]
[08:35:26]     Checking for string 'bin/xchk'                [ Not found ]
[08:35:26]     Checking for string 'bin/xsf'                 [ Not found ]
[08:35:26]     Checking for string '/usr/bin/ssh2d'          [ Not found ]
[08:35:27]     Checking for string '/usr/sbin/xntps'         [ Not found ]
[08:35:27]     Checking for string 'ttyload'                 [ Not found ]
[08:35:27]     Checking for string '/etc/rc.d/init.d/init'   [ Not found ]
[08:35:27]     Checking for string 'usr/bin/xfss'            [ Not found ]
[08:35:27]     Checking for string '/usr/sbin/rpc.netinet'   [ Not found ]
[08:35:27]     Checking for string '/usr/lib/.fx/cons.saver' [ Not found ]
[08:35:28]     Checking for string '/usr/lib/.fx/xs'         [ Not found ]
[08:35:28]     Checking for string '/ssh2d'                  [ Not found ]
[08:35:28]     Checking for string '/dev/kmod'               [ Not found ]
[08:35:28]     Checking for string '/crth.o'                 [ Not found ]
[08:35:28]     Checking for string '/crtz.o'                 [ Not found ]
[08:35:29]     Checking for string '/dev/dos'                [ Not found ]
[08:35:29]     Checking for string '/lpq'                    [ Not found ]
[08:35:29]     Checking for string '/usr/sbin/rescue'        [ Not found ]
[08:35:29]     Checking for string '/usr/lib/lpstart'        [ Not found ]
[08:35:29]     Checking for string '/volc'                   [ Not found ]
[08:35:30]     Checking for string 'sourcemask'              [ Not found ]
[08:35:30]     Checking for string '/bin/vobiscum'           [ Not found ]
[08:35:30]     Checking for string '/usr/sbin/in.telnet'     [ Not found ]
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:30]     Checking for string '/lib/ldd.so/tkps'        [ Not found ]
[08:35:30]     Checking for string 't0rnkit'                 [ Not found ]
[08:35:30]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string '/usr/lib/ldlibct.so'     [ Not found ]
[08:35:31]     Checking for string '/usr/lib/ldlibdu.so'     [ Not found ]
[08:35:31]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:31]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:31]     Checking for string '/dev/ida/.inet'          [ Not found ]


Rootkit Hunter 1.3.6

It seems to be objecting to the string hdparm, but a Google search suggests that's a perfectly valid package.

 sudo grep 'hdparm' /var/log/rkhunter.log
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit


Thanks
yeleek
Level 1
Posts: 5
Joined: Mon Jan 17, 2011 9:19 am

Re: rkhunter bug?

Postby Habitual on Tue Jan 18, 2011 10:38 am

I get the same warning about the same file.

Try this (I did):

sudo apt-get install --reinstall hdparm
sudo rkhunter --update
sudo md5sum  /sbin/hdparm


md5sum here is 5f74fb3bd3a1b50e803d139a7aa10695 and I still get the warning.
However, a new scan shows me
Xzibit Rootkit                                           [ Not found ]


but it does find a string that it identifies as being part of the rootkit. My conclusion is that the Xzibit rootkit uses hdparm or a function from it as part of its exploit.

In the future, you can always ask someone on the same OS/Release/platform to do an
sudo md5sum  /sbin/hdparm

and compare the md5sum hash.

A Google search suggests that this is an outstanding bug in rkhunter across multiple OS/distros and platforms.
I used http://www.google.com/search?num=100&hl ... =&aql=&oq=
to come to that conclusion.

I hope that helps.
What's a landing but a take off in reverse?
Habitual
Level 8
Posts: 2274
Joined: Sun Nov 21, 2010 8:31 pm
Location: LM17Q-Xfce
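An added triage helper (not from this thread, rkhunter or Linux Mint) for the log lines yeleek posted above and the verification step Habitual suggests: it pairs each string check that ended in [ Warning ] with the "Found string ... in file ..." lines after it, applies an assumed name-collision heuristic (a bare package name matching its own init script or the init system's .depend.* listing), and emits dpkg -S commands so the matched file can be checked against the package that owns it instead of against another user's md5sum. The sample log text is constructed, modelled on the thread's output.

```python
import re

# Constructed sample, modelled on the rkhunter.log lines quoted in the thread (not a real file).
SAMPLE_LOG = """\
[08:35:30]     Checking for string '/usr/sbin/in.telnet'     [ Not found ]
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[08:35:30]     Checking for string '/lib/ldd.so/tkps'        [ Not found ]
"""

CHECK_RE = re.compile(r"Checking for string '([^']*)'\s+\[ ([^\]]+?) \]")
FOUND_RE = re.compile(r"Found string '([^']*)' in file '([^']*)'\. Possible rootkit: (.+)$")

def parse_warnings(log_text):
    """Map each string check that ended in [ Warning ] to the files it matched
    and the rootkit names rkhunter attributed the match to."""
    hits = {}
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            if m.group(2) == "Warning":
                hits[m.group(1)] = {"rootkits": set(), "files": []}
            continue
        m = FOUND_RE.search(line)
        if m and m.group(1) in hits:
            hits[m.group(1)]["files"].append(m.group(2))
            hits[m.group(1)]["rootkits"].add(m.group(3).strip())
    return hits

def name_collision(needle, path):
    """Heuristic (an assumption, not an rkhunter rule): a bare word equal to the
    matched file's basename, or found in the init system's .depend.* listing,
    is the package's own name rather than rootkit evidence."""
    base = path.rsplit("/", 1)[-1]
    return "/" not in needle and (base == needle or base.startswith(".depend."))

def triage(log_text):
    """Split matched files into those still needing verification and name collisions."""
    suspicious, collisions = [], []
    for needle, info in parse_warnings(log_text).items():
        for path in info["files"]:
            (collisions if name_collision(needle, path) else suspicious).append((needle, path))
    return suspicious, collisions

def verify_commands(paths):
    """Commands naming the Debian package that owns each file, so it can be checked
    against the package's own manifest rather than a friend's md5sum."""
    return ["dpkg -S %s" % p for p in paths]
```

Run triage() over the real /var/log/rkhunter.log contents; anything left in the "suspicious" list is what still deserves a manual look.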

Re: rkhunter bug?

Postby yeleek on Tue Jan 18, 2011 10:43 am

Thanks for the reply - yeah it does help knowing someone else thinks the same :)
yeleek
Level 1
Posts: 5
Joined: Mon Jan 17, 2011 9:19 am

Re: rkhunter bug?

Postby Habitual on Tue Jan 18, 2011 10:49 am

You are very welcome.
What's a landing but a take off in reverse?
Habitual
Level 8
Posts: 2274
Joined: Sun Nov 21, 2010 8:31 pm
Location: LM17Q-Xfce
