Hi,
New to LMDE today, a mix of being sick of hearing about Unity and issues with smartcards on Ubuntu. Good news: those issues are resolved under LMDE; however, I just ran rkhunter --update and then rkhunter -c and am getting this:
Rootkit checks...
Rootkits checked : 242
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit
https://bugs.launchpad.net/ubuntu/+sour ... bug/556455
Given I've only installed from official repositories or from http://www.opensc-project.org/opensc today, it's difficult to believe I've got a rootkit.
Any thoughts?
Thanks
rkhunter bug?
Forum rules
LMDE 2 has reached end of support as of 1-1-2019
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: rkhunter bug?
This google search suggests it may be a false positive.
http://www.google.com/search?source=ig& ... h&aq=f&oq=
Did you run
Code:
sudo rkhunter --update
before the scan?
Can you post the output of this command?
Code:
sudo grep 'Checking for string' /var/log/rkhunter.log
and
Code:
rkhunter -V | head -1
<-- That's a capital Vee
Re: rkhunter bug?
Code:
ben@wopr:~$ sudo grep 'Checking for string' /var/log/rkhunter.log
[08:35:04] Checking for string 'w0rm' [ Not found ]
[08:35:24] Checking for string 'phalanx' [ Not found ]
[08:35:24] Checking for string '/dev/proc/rainbows' [ Not found ]
[08:35:24] Checking for string 'rainbows' [ Not found ]
[08:35:24] Checking for string 'backdoor' [ Not found ]
[08:35:24] Checking for string '/usr/bin/rcpc' [ Not found ]
[08:35:24] Checking for string '/usr/sbin/login' [ Not found ]
[08:35:24] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[08:35:24] Checking for string 'vt200' [ Not found ]
[08:35:24] Checking for string '/usr/bin/xstat' [ Not found ]
[08:35:24] Checking for string '/bin/envpc' [ Not found ]
[08:35:24] Checking for string 'L4m3r0x' [ Not found ]
[08:35:24] Checking for string '/lib/libext' [ Not found ]
[08:35:24] Checking for string '/usr/sbin/login' [ Not found ]
[08:35:24] Checking for string '/usr/lib/.tbd' [ Not found ]
[08:35:24] Checking for string 'sendmail' [ Not found ]
[08:35:24] Checking for string 'cocacola' [ Not found ]
[08:35:24] Checking for string 'joao' [ Not found ]
[08:35:24] Checking for string '/dev/ptyxx/.file' [ Not found ]
[08:35:24] Checking for string '/dev/ptyxx/.file' [ Not found ]
[08:35:24] Checking for string '/dev/sgk' [ Not found ]
[08:35:24] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24] Checking for string '/usr/lib/.tbd' [ Not found ]
[08:35:24] Checking for string '/dev/proc/rainbows' [ Not found ]
[08:35:24] Checking for string '/lib/.sso' [ Not found ]
[08:35:24] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24] Checking for string '/dev/caca' [ Not found ]
[08:35:25] Checking for string '/dev/ttyoa' [ Not found ]
[08:35:25] Checking for string '/usr/lib/ldlibns.so' [ Not found ]
[08:35:25] Checking for string '/dev/ptyxx/.addr' [ Not found ]
[08:35:25] Checking for string 'syg' [ Not found ]
[08:35:25] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25] Checking for string '/dev/pts/01' [ Not found ]
[08:35:25] Checking for string 'tw33dl3' [ Not found ]
[08:35:25] Checking for string 'psniff' [ Not found ]
[08:35:25] Checking for string 'uconf.inv' [ Not found ]
[08:35:25] Checking for string 'lib/ldlibps.so' [ Not found ]
[08:35:25] Checking for string '/usr/lib/ldlibpst.so' [ Not found ]
[08:35:25] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:25] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[08:35:25] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[08:35:25] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:25] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:25] Checking for string '/bin/bash' [ Not found ]
[08:35:25] Checking for string '/dev/xdta' [ Not found ]
[08:35:25] Checking for string '/usr/lib/.tbd' [ Not found ]
[08:35:25] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[08:35:26] Checking for string 'in.inetd' [ Not found ]
[08:35:26] Checking for string '#<HIDE_.*>' [ Not found ]
[08:35:26] Checking for string 'bin/xchk' [ Not found ]
[08:35:26] Checking for string 'bin/xsf' [ Not found ]
[08:35:26] Checking for string '/usr/bin/ssh2d' [ Not found ]
[08:35:27] Checking for string '/usr/sbin/xntps' [ Not found ]
[08:35:27] Checking for string 'ttyload' [ Not found ]
[08:35:27] Checking for string '/etc/rc.d/init.d/init' [ Not found ]
[08:35:27] Checking for string 'usr/bin/xfss' [ Not found ]
[08:35:27] Checking for string '/usr/sbin/rpc.netinet' [ Not found ]
[08:35:27] Checking for string '/usr/lib/.fx/cons.saver' [ Not found ]
[08:35:28] Checking for string '/usr/lib/.fx/xs' [ Not found ]
[08:35:28] Checking for string '/ssh2d' [ Not found ]
[08:35:28] Checking for string '/dev/kmod' [ Not found ]
[08:35:28] Checking for string '/crth.o' [ Not found ]
[08:35:28] Checking for string '/crtz.o' [ Not found ]
[08:35:29] Checking for string '/dev/dos' [ Not found ]
[08:35:29] Checking for string '/lpq' [ Not found ]
[08:35:29] Checking for string '/usr/sbin/rescue' [ Not found ]
[08:35:29] Checking for string '/usr/lib/lpstart' [ Not found ]
[08:35:29] Checking for string '/volc' [ Not found ]
[08:35:30] Checking for string 'sourcemask' [ Not found ]
[08:35:30] Checking for string '/bin/vobiscum' [ Not found ]
[08:35:30] Checking for string '/usr/sbin/in.telnet' [ Not found ]
[08:35:30] Checking for string 'hdparm' [ Warning ]
[08:35:30] Checking for string '/lib/ldd.so/tkps' [ Not found ]
[08:35:30] Checking for string 't0rnkit' [ Not found ]
[08:35:30] Checking for string '/dev/proc/rainbows' [ Not found ]
[08:35:30] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:30] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:30] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:30] Checking for string '/usr/lib/ldlibct.so' [ Not found ]
[08:35:31] Checking for string '/usr/lib/ldlibdu.so' [ Not found ]
[08:35:31] Checking for string '/dev/ptyxx/.file' [ Not found ]
[08:35:31] Checking for string 'libproc.so.2.0.7' [ Not found ]
[08:35:31] Checking for string '/dev/ida/.inet' [ Not found ]
It seems to be objecting to the string hdparm, but a google search suggests that's a perfectly valid package.
Code:
sudo grep 'hdparm' /var/log/rkhunter.log
[08:35:30] Checking for string 'hdparm' [ Warning ]
[08:35:31] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
Re: rkhunter bug?
I get the same warning about the same file.
Try this (I did):
Code:
sudo apt-get install --reinstall hdparm
sudo rkhunter --update
sudo md5sum /sbin/hdparm
md5sum here is 5f74fb3bd3a1b50e803d139a7aa10695 and I still get the warning.
However, a new scan shows me
Code:
Xzibit Rootkit [ Not found ]
but it does find a string that it identifies as being part of the rootkit. My conclusion is that the Xzibit rootkit uses hdparm or a function from it as part of its exploit.
In the future, you can always ask someone on the same OS/Release/platform to do an
Code:
sudo md5sum /sbin/hdparm
and compare the md5sum hash.
A google search suggests that this is an outstanding bug in rkhunter across multiple OS/distros and platforms.
I used http://www.google.com/search?num=100&hl ... =&aql=&oq=
to come to that conclusion.
I hope that helps.
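One way to triage a hit like this systematically, added here as an example (not rkhunter's code and not from anyone in the thread): parse the "Found string" lines out of /var/log/rkhunter.log and compare each flagged file's MD5 with what dpkg recorded for its package, which is what the reinstall-and-md5sum advice above does by hand. It assumes Debian/LMDE dpkg record formats; a conffile such as /etc/init.d/hdparm is listed in the Conffiles: field of /var/lib/dpkg/status rather than in the package's .md5sums file, so both formats are parsed. The sample log lines, the hash and the hasher are constructed so the block runs without the real files.

```python
import hashlib
import re
# "Found string" lines as rkhunter writes them to /var/log/rkhunter.log.
FOUND_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] Found string '(?P<needle>[^']+)' in file "
                      r"'(?P<path>[^']+)'\. Possible rootkit: (?P<rootkit>.+?)\s*$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_found_strings(log_text):
    """Return (needle, path, rootkit) for every 'Found string' line in the log."""
    return [(m["needle"], m["path"], m["rootkit"])
            for m in (FOUND_RE.match(ln.strip()) for ln in log_text.splitlines()) if m]

def parse_package_md5s(text):
    """Map absolute path -> md5 from dpkg's '<md5>  <path>' (.md5sums) lines or
    ' <path> <md5>' lines from the Conffiles: field of /var/lib/dpkg/status."""
    table = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2 and HEX32.match(parts[0]):
            digest, path = parts[0], parts[1]
        elif len(parts) >= 2 and HEX32.match(parts[1]):
            path, digest = parts[0], parts[1]
        else:
            continue
        table[path if path.startswith("/") else "/" + path] = digest
    return table

def md5_of_file(path):
    return hashlib.md5(open(path, "rb").read()).hexdigest()

def triage(log_text, md5_table, hasher=md5_of_file):
    """Classify each flagged file as unowned, matching its package, or modified."""
    results = []
    for needle, path, rootkit in parse_found_strings(log_text):
        expected = md5_table.get(path)
        if expected is None:
            status = "not in package records: inspect manually"
        elif hasher(path) == expected:
            status = "matches package md5: likely false positive"
        else:
            status = "differs from package md5: investigate"
        results.append((path, needle, rootkit, status))
    return results

# Constructed sample input: the two log lines from the thread plus a made-up Conffiles entry.
SAMPLE_LOG = """[08:35:30] Checking for string 'hdparm' [ Warning ]
[08:35:31] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
"""
FAKE_MD5 = "0123456789abcdef0123456789abcdef"  # constructed, not a real hash
SAMPLE_CONFFILES = " /etc/init.d/hdparm " + FAKE_MD5 + "\n"
```

On a live system you would build the table from `/var/lib/dpkg/info/hdparm.md5sums` plus the hdparm Conffiles: entries in /var/lib/dpkg/status and call `triage` with the default hasher; a file that is not in any package's records is the one worth looking at first.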
Re: rkhunter bug?
Thanks for the reply - yeah, it does help knowing someone else thinks the same.