rkhunter bug?

yeleek

rkhunter bug?

Post by yeleek »

Hi,

New to LMDE today, a mix of being sick of hearing about Unity and issues with smartcards on Ubuntu. Good news: the issues are resolved under LMDE. However, I just ran rkhunter --update and then rkhunter -c and am getting this:

Rootkit checks...
Rootkits checked : 242
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit

https://bugs.launchpad.net/ubuntu/+sour ... bug/556455

Given I've only installed from official repositories or from http://www.opensc-project.org/opensc today, it's difficult to believe I've got a rootkit.

Any thoughts?

Thanks
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Habitual

Re: rkhunter bug?

Post by Habitual »

This Google search suggests it may be a false positive.
http://www.google.com/search?source=ig& ... h&aq=f&oq=

Did you run

sudo rkhunter --update

before the scan?

Can you post the output of this command?

sudo grep 'Checking for string' /var/log/rkhunter.log

and

rkhunter -V | head -1

<-- That's a capital Vee
yeleek

Re: rkhunter bug?

Post by yeleek »

ben@wopr:~$ sudo grep 'Checking for string' /var/log/rkhunter.log
[08:35:04]   Checking for string 'w0rm'                      [ Not found ]
[08:35:24]     Checking for string 'phalanx'                 [ Not found ]
[08:35:24]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:24]     Checking for string 'rainbows'                    [ Not found ]
[08:35:24]     Checking for string 'backdoor'                [ Not found ]
[08:35:24]     Checking for string '/usr/bin/rcpc'           [ Not found ]
[08:35:24]     Checking for string '/usr/sbin/login'         [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:24]     Checking for string 'vt200'                   [ Not found ]
[08:35:24]     Checking for string '/usr/bin/xstat'          [ Not found ]
[08:35:24]     Checking for string '/bin/envpc'              [ Not found ]
[08:35:24]     Checking for string 'L4m3r0x'                 [ Not found ]
[08:35:24]     Checking for string '/lib/libext'             [ Not found ]
[08:35:24]     Checking for string '/usr/sbin/login'         [ Not found ]
[08:35:24]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:24]     Checking for string 'sendmail'                [ Not found ]
[08:35:24]     Checking for string 'cocacola'                [ Not found ]
[08:35:24]     Checking for string 'joao'                    [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:24]     Checking for string '/dev/sgk'                [ Not found ]
[08:35:24]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:24]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:24]     Checking for string '/lib/.sso'               [ Not found ]
[08:35:24]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24]     Checking for string '/dev/caca'               [ Not found ]
[08:35:25]     Checking for string '/dev/ttyoa'              [ Not found ]
[08:35:25]     Checking for string '/usr/lib/ldlibns.so'     [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.addr'        [ Not found ]
[08:35:25]     Checking for string 'syg'                     [ Not found ]
[08:35:25]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25]     Checking for string '/dev/pts/01'             [ Not found ]
[08:35:25]     Checking for string 'tw33dl3'                 [ Not found ]
[08:35:25]     Checking for string 'psniff'                  [ Not found ]
[08:35:25]     Checking for string 'uconf.inv'               [ Not found ]
[08:35:25]     Checking for string 'lib/ldlibps.so'          [ Not found ]
[08:35:25]     Checking for string '/usr/lib/ldlibpst.so'    [ Not found ]
[08:35:25]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string '/bin/bash'               [ Not found ]
[08:35:25]     Checking for string '/dev/xdta'               [ Not found ]
[08:35:25]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:26]     Checking for string 'in.inetd'                [ Not found ]
[08:35:26]     Checking for string '#<HIDE_.*>'              [ Not found ]
[08:35:26]     Checking for string 'bin/xchk'                [ Not found ]
[08:35:26]     Checking for string 'bin/xsf'                 [ Not found ]
[08:35:26]     Checking for string '/usr/bin/ssh2d'          [ Not found ]
[08:35:27]     Checking for string '/usr/sbin/xntps'         [ Not found ]
[08:35:27]     Checking for string 'ttyload'                 [ Not found ]
[08:35:27]     Checking for string '/etc/rc.d/init.d/init'   [ Not found ]
[08:35:27]     Checking for string 'usr/bin/xfss'            [ Not found ]
[08:35:27]     Checking for string '/usr/sbin/rpc.netinet'   [ Not found ]
[08:35:27]     Checking for string '/usr/lib/.fx/cons.saver' [ Not found ]
[08:35:28]     Checking for string '/usr/lib/.fx/xs'         [ Not found ]
[08:35:28]     Checking for string '/ssh2d'                  [ Not found ]
[08:35:28]     Checking for string '/dev/kmod'               [ Not found ]
[08:35:28]     Checking for string '/crth.o'                 [ Not found ]
[08:35:28]     Checking for string '/crtz.o'                 [ Not found ]
[08:35:29]     Checking for string '/dev/dos'                [ Not found ]
[08:35:29]     Checking for string '/lpq'                    [ Not found ]
[08:35:29]     Checking for string '/usr/sbin/rescue'        [ Not found ]
[08:35:29]     Checking for string '/usr/lib/lpstart'        [ Not found ]
[08:35:29]     Checking for string '/volc'                   [ Not found ]
[08:35:30]     Checking for string 'sourcemask'              [ Not found ]
[08:35:30]     Checking for string '/bin/vobiscum'           [ Not found ]
[08:35:30]     Checking for string '/usr/sbin/in.telnet'     [ Not found ]
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:30]     Checking for string '/lib/ldd.so/tkps'        [ Not found ]
[08:35:30]     Checking for string 't0rnkit'                 [ Not found ]
[08:35:30]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string '/usr/lib/ldlibct.so'     [ Not found ]
[08:35:31]     Checking for string '/usr/lib/ldlibdu.so'     [ Not found ]
[08:35:31]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:31]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:31]     Checking for string '/dev/ida/.inet'          [ Not found ]
Rootkit Hunter 1.3.6

It seems to be objecting to the string hdparm, but a Google search suggests that's a perfectly valid package.

sudo grep 'hdparm' /var/log/rkhunter.log
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
Thanks
Habitual

Re: rkhunter bug?

Post by Habitual »

I get the same warning about the same file.

Try this (I did):

sudo apt-get install --reinstall hdparm
sudo rkhunter --update
sudo md5sum  /sbin/hdparm

The md5sum here is 5f74fb3bd3a1b50e803d139a7aa10695 and I still get the warning.
However, a new scan shows me

Xzibit Rootkit                                           [ Not found ]

But it does find a string that it identifies as being part of the rootkit. My conclusion is that the Xzibit rootkit uses hdparm or a function from it as part of its exploit.

In the future, you can always ask someone on the same OS/Release/platform to do an

sudo md5sum  /sbin/hdparm

and compare the md5sum hash.

A Google search suggests that this is an outstanding bug in rkhunter across multiple OS/distros and platforms.
I used http://www.google.com/search?num=100&hl ... =&aql=&oq=
to come to that conclusion.

I hope that helps.
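An added example, not code from the thread: rather than comparing an md5sum with another user's, check each file rkhunter flagged against the checksum dpkg itself recorded for it (the Conffiles entries in /var/lib/dpkg/status, which is what debsums -a compares against). The log lines, status file and file tree below are constructed stand-ins; on a real system set ROOT= and STATUS=/var/lib/dpkg/status.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter "Found string" hits against
# dpkg's own conffile checksums instead of comparing md5sums with another user.
set -eu

WORK="$(mktemp -d)"
RKLOG="$WORK/rkhunter.log"
STATUS="$WORK/status"   # stand-in for /var/lib/dpkg/status (constructed)
ROOT="$WORK"            # prefix for the files to hash; use ROOT= on a real system

# Constructed sample: the two hits from the thread, in rkhunter's log format.
cat > "$RKLOG" <<'EOF'
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
EOF

# Constructed stand-in for the "Conffiles:" section dpkg keeps per package:
# one " <path> <md5>" line per conffile. The md5 below is that of "hello\n".
mkdir -p "$ROOT/etc/init.d"
printf 'Package: hdparm\nConffiles:\n /etc/init.d/hdparm b1946ac92492d2347c6235b4d2611184\n' > "$STATUS"
printf 'hello\n' > "$ROOT/etc/init.d/hdparm"

# List every file rkhunter flagged for a string match, one path per line, deduplicated.
flagged_files() {
    sed -n "s/^\[[0-9:]*\] *Found string '[^']*' in file '\([^']*\)'\..*/\1/p" "$1" | sort -u
}

# Print the md5 dpkg recorded for a conffile path, or nothing if dpkg has no record of it.
recorded_md5() {
    awk -v path="$2" '$1 == path { print $2; exit }' "$1"
}

# Compare a flagged file with the checksum dpkg recorded for it. Prints one word:
# "unowned" (no dpkg record: inspect by hand), "ok" (matches the package as shipped),
# or "modified" (differs from the package: edited locally or tampered with).
check_file() {   # $1 = status file, $2 = path as dpkg knows it
    expected="$(recorded_md5 "$1" "$2")"
    [ -n "$expected" ] || { echo unowned; return 0; }
    actual="$(md5sum "$ROOT$2" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ] && echo ok || echo modified
}

# Stand-alone run over the constructed log: prints one verdict per flagged file.
flagged_files "$RKLOG" | while read -r f; do
    printf '%s: %s\n' "$f" "$(check_file "$STATUS" "$f")"
done
```

On the thread's system the second hit would come back unowned: /etc/init.d/.depend.boot is generated by insserv when boot ordering is computed rather than shipped by a package, so dpkg has no checksum for it and it has to be inspected by hand.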
yeleek

Re: rkhunter bug?

Post by yeleek »

Thanks for the reply - yeah it does help knowing someone else thinks the same :)
Habitual

Re: rkhunter bug?

Post by Habitual »

You are very welcome.