rkhunter bug?

Archived topics about LMDE 1
yeleek
Level 1
Posts: 5
Joined: Mon Jan 17, 2011 9:19 am

rkhunter bug?

Postby yeleek » Mon Jan 17, 2011 4:17 pm

Hi,

New to LMDE today, a mix of being sick of hearing about Unity and of issues with smartcards on Ubuntu. Good news: the issues are resolved under LMDE. However, I just ran rkhunter --update and then rkhunter -c and I'm getting this:


Rootkit checks...
Rootkits checked : 242
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit

https://bugs.launchpad.net/ubuntu/+sour ... bug/556455

Given I've only installed from official repositories or from http://www.opensc-project.org/opensc today, it's difficult to believe I've got a rootkit.

Any thoughts?

Thanks

Habitual
Level 13
Posts: 4869
Joined: Sun Nov 21, 2010 8:31 pm

Re: rkhunter bug?

Postby Habitual » Mon Jan 17, 2011 6:44 pm

This Google search suggests it may be a false positive.
http://www.google.com/search?source=ig& ... h&aq=f&oq=

Did you run

Code:

sudo rkhunter --update

before the scan?

Can you post the output of this command?

Code:

sudo grep 'Checking for string' /var/log/rkhunter.log

and

Code:

rkhunter -V | head -1
<-- That's a capital Vee
rkhunter 1.4.3 Tutorial
“The single biggest problem in communication is the illusion that it has taken place.”

yeleek
Level 1
Posts: 5
Joined: Mon Jan 17, 2011 9:19 am

Re: rkhunter bug?

Postby yeleek » Tue Jan 18, 2011 4:39 am

Code:

ben@wopr:~$ sudo grep 'Checking for string' /var/log/rkhunter.log
[08:35:04]   Checking for string 'w0rm'                      [ Not found ]
[08:35:24]     Checking for string 'phalanx'                 [ Not found ]
[08:35:24]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:24]     Checking for string 'rainbows'                    [ Not found ]
[08:35:24]     Checking for string 'backdoor'                [ Not found ]
[08:35:24]     Checking for string '/usr/bin/rcpc'           [ Not found ]
[08:35:24]     Checking for string '/usr/sbin/login'         [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:24]     Checking for string 'vt200'                   [ Not found ]
[08:35:24]     Checking for string '/usr/bin/xstat'          [ Not found ]
[08:35:24]     Checking for string '/bin/envpc'              [ Not found ]
[08:35:24]     Checking for string 'L4m3r0x'                 [ Not found ]
[08:35:24]     Checking for string '/lib/libext'             [ Not found ]
[08:35:24]     Checking for string '/usr/sbin/login'         [ Not found ]
[08:35:24]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:24]     Checking for string 'sendmail'                [ Not found ]
[08:35:24]     Checking for string 'cocacola'                [ Not found ]
[08:35:24]     Checking for string 'joao'                    [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:24]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:24]     Checking for string '/dev/sgk'                [ Not found ]
[08:35:24]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:24]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:24]     Checking for string '/lib/.sso'               [ Not found ]
[08:35:24]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:24]     Checking for string '/dev/caca'               [ Not found ]
[08:35:25]     Checking for string '/dev/ttyoa'              [ Not found ]
[08:35:25]     Checking for string '/usr/lib/ldlibns.so'     [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.addr'        [ Not found ]
[08:35:25]     Checking for string 'syg'                     [ Not found ]
[08:35:25]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25]     Checking for string '/dev/pts/01'             [ Not found ]
[08:35:25]     Checking for string 'tw33dl3'                 [ Not found ]
[08:35:25]     Checking for string 'psniff'                  [ Not found ]
[08:35:25]     Checking for string 'uconf.inv'               [ Not found ]
[08:35:25]     Checking for string 'lib/ldlibps.so'          [ Not found ]
[08:35:25]     Checking for string '/usr/lib/ldlibpst.so'    [ Not found ]
[08:35:25]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:25]     Checking for string '/bin/bash'               [ Not found ]
[08:35:25]     Checking for string '/dev/xdta'               [ Not found ]
[08:35:25]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[08:35:25]     Checking for string '/dev/ptyxx/.proc'        [ Not found ]
[08:35:26]     Checking for string 'in.inetd'                [ Not found ]
[08:35:26]     Checking for string '#<HIDE_.*>'              [ Not found ]
[08:35:26]     Checking for string 'bin/xchk'                [ Not found ]
[08:35:26]     Checking for string 'bin/xsf'                 [ Not found ]
[08:35:26]     Checking for string '/usr/bin/ssh2d'          [ Not found ]
[08:35:27]     Checking for string '/usr/sbin/xntps'         [ Not found ]
[08:35:27]     Checking for string 'ttyload'                 [ Not found ]
[08:35:27]     Checking for string '/etc/rc.d/init.d/init'   [ Not found ]
[08:35:27]     Checking for string 'usr/bin/xfss'            [ Not found ]
[08:35:27]     Checking for string '/usr/sbin/rpc.netinet'   [ Not found ]
[08:35:27]     Checking for string '/usr/lib/.fx/cons.saver' [ Not found ]
[08:35:28]     Checking for string '/usr/lib/.fx/xs'         [ Not found ]
[08:35:28]     Checking for string '/ssh2d'                  [ Not found ]
[08:35:28]     Checking for string '/dev/kmod'               [ Not found ]
[08:35:28]     Checking for string '/crth.o'                 [ Not found ]
[08:35:28]     Checking for string '/crtz.o'                 [ Not found ]
[08:35:29]     Checking for string '/dev/dos'                [ Not found ]
[08:35:29]     Checking for string '/lpq'                    [ Not found ]
[08:35:29]     Checking for string '/usr/sbin/rescue'        [ Not found ]
[08:35:29]     Checking for string '/usr/lib/lpstart'        [ Not found ]
[08:35:29]     Checking for string '/volc'                   [ Not found ]
[08:35:30]     Checking for string 'sourcemask'              [ Not found ]
[08:35:30]     Checking for string '/bin/vobiscum'           [ Not found ]
[08:35:30]     Checking for string '/usr/sbin/in.telnet'     [ Not found ]
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:30]     Checking for string '/lib/ldd.so/tkps'        [ Not found ]
[08:35:30]     Checking for string 't0rnkit'                 [ Not found ]
[08:35:30]     Checking for string '/dev/proc/rainbows'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:30]     Checking for string '/usr/lib/ldlibct.so'     [ Not found ]
[08:35:31]     Checking for string '/usr/lib/ldlibdu.so'     [ Not found ]
[08:35:31]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[08:35:31]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[08:35:31]     Checking for string '/dev/ida/.inet'          [ Not found ]


Rootkit Hunter 1.3.6

It seems to be objecting to the string hdparm, but a Google search suggests that's a perfectly valid package.

Code:

 sudo grep 'hdparm' /var/log/rkhunter.log
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit


Thanks

Habitual
Level 13
Posts: 4869
Joined: Sun Nov 21, 2010 8:31 pm

Re: rkhunter bug?

Postby Habitual » Tue Jan 18, 2011 10:38 am

I get the same warning about the same file.

Try this (I did):

Code:

sudo apt-get install --reinstall hdparm
sudo rkhunter --update
sudo md5sum  /sbin/hdparm


The md5sum here is 5f74fb3bd3a1b50e803d139a7aa10695 and I still get the warning.
However, a new scan shows me

Code:

Xzibit Rootkit                                           [ Not found ]


but it does find a string that it identifies as being part of the rootkit. My conclusion is that the Xzibit rootkit uses hdparm or a function from it as part of its exploit.

In the future, you can always ask someone on the same OS/Release/platform to do an

Code:

sudo md5sum  /sbin/hdparm

and compare the md5sum hash.

A Google search suggests that this is an outstanding bug in rkhunter across multiple OS/distros and platforms.
I used http://www.google.com/search?num=100&hl ... =&aql=&oq=
to come to that conclusion.

I hope that helps.
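The two checks discussed in this thread, reading the "Found string" lines out of /var/log/rkhunter.log (yeleek's post above) and comparing the hdparm binary's md5sum (Habitual's suggestion), can be done together against the package's own checksum list instead of a hash supplied by another user. The script below is an added example; it is not rkhunter's code and not something either poster wrote. It assumes a dpkg-style md5sums file in the format of /var/lib/dpkg/info/hdparm.md5sums (one "<md5>  <path relative to />" entry per line), and all paths, file contents and the temp directory are constructed demo data; the three log lines are copied from the excerpt posted above. On a current Debian-based system `dpkg --verify hdparm` or `debsums -a hdparm` does the same comparison for you. Two caveats a practitioner should keep in mind: /etc/init.d/hdparm is a conffile, so its checksum is recorded in /var/lib/dpkg/status rather than in the md5sums file, and /etc/init.d/.depend.boot is generated by insserv and owned by no package at all, so no package checksum exists for it. And any checksum computed on the suspect host relies on that host's md5sum, libc and kernel being honest; if you genuinely suspect a rootkit, repeat the comparison from a live medium.

```shell
#!/bin/sh
# Added example: triage rkhunter "Found string" warnings against the package's
# own checksum list. Not rkhunter code and not from the forum thread.

# Print "STRING FILE" for every "Found string 'S' in file 'F'" line in an
# rkhunter log, so the files that tripped a string check can be inspected.
flagged_files() {
    sed -n "s/^.*Found string '\([^']*\)' in file '\([^']*\)'.*$/\1 \2/p" "$1"
}

# Check every entry of a dpkg-style md5sums list ("<md5>  <path relative to />",
# the format of /var/lib/dpkg/info/<pkg>.md5sums) against the file under ROOT.
# Prints OK / MISMATCH / MISSING per entry and returns 1 if anything is not OK.
verify_md5sums() {
    md5file=$1
    root=${2:-/}
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            rc=1
        fi
    done < "$md5file"
    return $rc
}

# --- constructed demo data (hypothetical paths under a temp dir, not /) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/root/sbin" "$demo_dir/root/etc/init.d"
printf 'fake hdparm binary\n' > "$demo_dir/root/sbin/hdparm"
# An init script legitimately contains the literal string 'hdparm', which is
# all the rkhunter check in the thread looked for.
printf '#!/bin/sh\n# hdparm init script\nhdparm -q /dev/sda\n' > "$demo_dir/root/etc/init.d/hdparm"
# md5sums list as dpkg would ship it; conffiles such as etc/init.d/hdparm are
# deliberately absent (dpkg records their sums in /var/lib/dpkg/status instead).
printf '%s  sbin/hdparm\n' "$(md5sum "$demo_dir/root/sbin/hdparm" | cut -d' ' -f1)" \
    > "$demo_dir/hdparm.md5sums"
# Log lines copied from the thread's rkhunter.log excerpt.
cat > "$demo_dir/rkhunter.log" <<'EOF'
[08:35:30]     Checking for string 'hdparm'                  [ Warning ]
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[08:35:31]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
EOF

echo "files that tripped the string check:"
flagged_files "$demo_dir/rkhunter.log"
echo "package files vs recorded checksums:"
verify_md5sums "$demo_dir/hdparm.md5sums" "$demo_dir/root"
# Simulate a trojaned binary: the string check would report nothing new, but
# the checksum comparison flags it.
printf 'extra\n' >> "$demo_dir/root/sbin/hdparm"
verify_md5sums "$demo_dir/hdparm.md5sums" "$demo_dir/root" || echo "tampering detected (exit $?)"
```

To use it on a real box, point `verify_md5sums` at /var/lib/dpkg/info/hdparm.md5sums with the default root of /, and run `flagged_files /var/log/rkhunter.log` to see every file a string check complained about, not just the one you grepped for.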

yeleek
Level 1
Posts: 5
Joined: Mon Jan 17, 2011 9:19 am

Re: rkhunter bug?

Postby yeleek » Tue Jan 18, 2011 10:43 am

Thanks for the reply - yeah it does help knowing someone else thinks the same :)

Habitual
Level 13
Posts: 4869
Joined: Sun Nov 21, 2010 8:31 pm

Re: rkhunter bug?

Postby Habitual » Tue Jan 18, 2011 10:49 am

You are very welcome.

