On Thursday, 2010-08-19 at 08:02:45 -0000, Maxime wrote:
> I can confirm the issue on Lucid. It's probably related to an upstart
> update to 0.6.5-7.
> [...]
> Searching for Suckit rootkit... Warning: /sbin/init INFECTED
> [...]
> # strings /sbin/init | egrep HOME
> # cat /proc/1/maps | egrep "init."
> 00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
> 00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
> 00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)
I rechecked, and I get this, too:
# chkrootkit -q
Warning: /sbin/init INFECTED
Also the deleted /sbin/init. I rebooted the system, and now /sbin/init
isn't deleted anymore (surprise! ;-) and the INFECTED is gone, too.
So I suppose the cause of the INFECTED is that the running /sbin/init is
different from the one in the filesystem. Checking ... Yep, here is the
line from chkrootkit:
expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
This triggers when there is an entry in /proc/1/maps where "init" is not
at the end of the line.
Googling, I found this was discussed for Gentoo in
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
... and for Ubuntu in http://ubuntuforums.org/showthread.php?p=9741505
Alas, I could not find out what /proc/1/maps looks like when a real
Suckit is on the machine. Quite possibly Suckit removes /sbin/init and
links its own version there. If it does this only once, the " (deleted)"
will disappear after the first reboot, so it's not a good indicator, and
it reaps many more false positives. So I think chkrootkit would be
better off without this test.
Lupe Christoph
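The following is an added example, not code from this thread or from chkrootkit. It reproduces the `egrep init.` heuristic the message quotes on two constructed /proc/1/maps dumps (one shaped like Maxime's post, one after a reboot), and then parses the maps lines properly so that the " (deleted)" flag and the dev:inode pair can be inspected directly instead of relying on a regex that fires on any character after "init". The on-disk inode values passed to `classify_init` are constructed for the test; on a live system `ondisk_inode("/sbin/init")` reads the real one.

```python
"""Reproduce chkrootkit's Suckit heuristic on /proc/1/maps and parse the
mappings properly.  Added example; all sample maps content is constructed."""
import os
import re
from typing import List, NamedTuple, Optional

# Constructed: /proc/1/maps after an init package upgrade without a reboot
# (same shape as the lines posted in the thread).
MAPS_UPGRADED_NO_REBOOT = """\
00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)
b7600000-b7700000 r-xp 00000000 68:01 1572901 /lib/libc-2.11.1.so
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

# Constructed: the same box after a reboot, PID 1 now runs the on-disk file.
MAPS_AFTER_REBOOT = """\
00e41000-00e5a000 r-xp 00000000 68:01 1572899 /sbin/init
00e5a000-00e5b000 r--p 00019000 68:01 1572899 /sbin/init
00e5b000-00e5c000 rw-p 0001a000 68:01 1572899 /sbin/init
b7600000-b7700000 r-xp 00000000 68:01 1572901 /lib/libc-2.11.1.so
"""

# chkrootkit runs `cat /proc/1/maps | egrep init.`: the pattern needs
# "init" followed by at least one more character on the same line, so a
# line ending in "/sbin/init" is quiet but "/sbin/init (deleted)" matches.
CHKROOTKIT_SUCKIT_RE = re.compile(r"init.")


def chkrootkit_suckit_hits(maps_text: str) -> List[str]:
    """Lines the chkrootkit heuristic would report as INFECTED."""
    return [ln for ln in maps_text.splitlines() if CHKROOTKIT_SUCKIT_RE.search(ln)]


class Mapping(NamedTuple):
    dev: str
    inode: int
    path: str
    deleted: bool


MAPS_LINE_RE = re.compile(
    r"^(?P<range>[0-9a-f]+-[0-9a-f]+)\s+(?P<perms>\S+)\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(maps_text: str) -> List[Mapping]:
    """Parse the file-backed entries of a /proc/<pid>/maps dump."""
    out = []
    for ln in maps_text.splitlines():
        m = MAPS_LINE_RE.match(ln)
        if not m or m.group("inode") == "0":
            continue  # anonymous, [stack], [vdso] etc. carry inode 0
        path = m.group("path")
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        out.append(Mapping(m.group("dev"), int(m.group("inode")), path, deleted))
    return out


def ondisk_inode(path: str) -> Optional[int]:
    """Inode of the file currently at `path`, or None if it is missing."""
    try:
        return os.stat(path).st_ino
    except OSError:
        return None


def classify_init(maps_text: str, disk_inode: Optional[int],
                  init_path: str = "/sbin/init") -> str:
    """Compare what PID 1 has mapped with what is on disk at init_path."""
    init_maps = [m for m in parse_maps(maps_text) if m.path == init_path]
    if not init_maps:
        return "no-init-mapping"
    m = init_maps[0]
    if not m.deleted:
        return "ok" if disk_inode in (None, m.inode) else "inode-mismatch"
    # PID 1 is executing an unlinked copy.  A package upgrade without a
    # reboot produces exactly this picture, and so would a swapped binary;
    # maps alone cannot tell the two apart, which is the false-positive
    # problem the thread describes.  Follow up with package verification
    # of the on-disk file rather than treating the flag as conclusive.
    return "running-deleted-copy"


if __name__ == "__main__":
    # Offline demonstration with the constructed dumps and constructed inodes.
    print(chkrootkit_suckit_hits(MAPS_UPGRADED_NO_REBOOT))
    print(classify_init(MAPS_UPGRADED_NO_REBOOT, 1572899))
    print(classify_init(MAPS_AFTER_REBOOT, 1572899))
    # On a real host (needs permission to read /proc/1/maps):
    if os.path.exists("/proc/1/maps") and os.access("/proc/1/maps", os.R_OK):
        with open("/proc/1/maps") as fh:
            print(classify_init(fh.read(), ondisk_inode("/sbin/init")))
```

The `(deleted)` suffix and the dev:inode pair are the facts actually present in the maps line; comparing that inode with the current on-disk file is what distinguishes "PID 1 runs a file that no longer exists" from a normal boot, and a package-manager verification of the on-disk file is the next step when the result is `running-deleted-copy`.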