False positive for SucKit

Reported by Lupe Christoph on 2009-10-18
This bug affects 40 people
Affects: Ubuntu Server papercuts   Importance: Undecided   Assigned to: Unassigned
Affects: chkrootkit (Ubuntu)       Importance: Medium      Assigned to: Unassigned

Bug Description

Binary package hint: chkrootkit

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

According to http://cc.jlab.org/docs/security/alerts/ this is an indicator for a SucKit infection:

# ls -li /sbin/init /sbin/telinit
172240 -rwxr-xr-x 1 root root 199472 2009-10-15 21:19 /sbin/init
172791 -rwxr-xr-x 1 root root 96568 2009-10-15 21:19 /sbin/telinit

http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html gives some hints how to verify an infection. As I expected, they show no sign of SucKit.

This false positive seems to be popping up since a few years. So I guess the check for SucKit needs improvement...

ProblemType: Bug
Architecture: amd64
Date: Sun Oct 18 12:42:45 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: fglrx
Package: chkrootkit 0.48-10
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-13.44-generic
SourcePackage: chkrootkit
Uname: Linux 2.6.31-13-generic x86_64

Lupe Christoph (lupe) wrote :
Chuck Short (zulcss) wrote :

Thanks for the bug report. I was wondering if you have any suggestion to improve it.

Thanks
chuck

Changed in chkrootkit (Ubuntu):
importance: Undecided → Low
status: New → Incomplete

On Monday, 2009-10-19 at 13:18:45 -0000, Chuck Short wrote:
> Thanks for the bug report. I was wondering if you have any suggestion to
> improve it.

Well, as there are some finer tests on the page I mentioned, what about
implementing them in chkrootkit?

Lupe Christoph
--
| There is no substitute for bad design except worse design. |
| /me |

Chuck Short (zulcss) wrote :

Thanks for the bug report. This will be looked at again for karmic+1.

Regards
chuck

Changed in chkrootkit (Ubuntu):
importance: Low → Wishlist
status: Incomplete → Confirmed
Ian MacGregor (ardchoille42) wrote :

Confirmed in Karmic. I posted this to the Ubuntu forums and was referred this bug report.
My forums post is here: http://ubuntuforums.org/showthread.php?t=1386791

Alex Muntada (alex.muntada) wrote :

Just tried on latest karmic and it does not fail:

ii chkrootkit 0.48-10
ii upstart 0.6.3-11

$ ls -li /sbin/init /sbin/telinit
444149 -rwxr-xr-x 1 root root 169676 2009-12-10 17:19 /sbin/init
448912 -rwxr-xr-x 1 root root 79312 2009-12-10 17:19 /sbin/telinit

Can you please confirm that this has been solved?

Changed in chkrootkit (Ubuntu):
status: Confirmed → Incomplete
Lupe Christoph (lupe) wrote :

I have seen this problem pop up a few times since I reported it and vanish again. Must be related to Phase of Moon. Right now it has disappeared:

Searching for Suckit rootkit... nothing found

chkrootkit:
  Installed: 0.48-10

The version of chkrootkit is still the same, only /sbin/init and /sbin/telinit have changed.

# ls -li /sbin/init /sbin/telinit
172201 -rwxr-xr-x 1 root root 199472 2009-12-10 18:00 /sbin/init
172637 -rwxr-xr-x 1 root root 96568 2009-12-10 18:00 /sbin/telinit

Looking at the code in chkrootkit, the difference is that /sbin/init no longer contains the string "HOME". The changelog of the "upstart" package does not mention "HOME", so I can't tell if they fixed this intentionally. The only update since I created the bug report is 0.6.3-11, so this must have fixed it. The strange thing is that I see nothing in that update that would have deleted "HOME". http://launchpadlibrarian.net/36606433/upstart_0.6.3-10_0.6.3-11.diff.gz

I'd rather not rely on upstart taking care of problems in chkrootkit...

Alex Muntada (alex.muntada) wrote :

I don't think that chkrootkit alerting about this rootkit is related to upstart init changes, but the output from /proc/1/maps instead. Something like this should improve the test:

expertmode_output "${egrep} '^[^/]+${ROOTDIR}sbin/init.' ${ROOTDIR}proc/1/maps"

What do you think?

Lupe Christoph (lupe) wrote :

I'm pretty sure I saw the string "HOME" in /sbin/init, but I can't prove it anymore.

BTW, expertmode_output is just debugging:

expertmode_output() {
    echo "###"
    echo "### Output of: $1"
    echo "###"
    eval $1 2>&1
# cat <<EOF
#`$1 2>&1`
#EOF
    return 0
}

Thierry Carrez (ttx) wrote :

False positives with such tools come with the territory. Refused as a server papercut during 20100217 meeting.

Changed in server-papercuts:
status: New → Invalid
Chuck Short (zulcss) wrote :

can you try to reproduce this on lucid please?

chuck

Lupe Christoph (lupe) wrote :

On Wednesday, 2010-04-28 at 18:09:39 -0000, Chuck Short wrote:
> can you try to reproduce this on lucid please?

Searching for Suckit rootkit... nothing found

I believe the false positive was gone for quite a while, probably due to
changes in init.

Lupe Christoph
--
| There is no substitute for bad design except worse design. |
| /me |

I've got a reproduction here on a Lucid install.

Linux Neptune 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

meskes@Neptune:/sbin$ sudo chkrootkit -V
chkrootkit version 0.49

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

meskes@Neptune:/sbin$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid
meskes@Neptune:/sbin$

------
Tried to include as much info about base software as possible. Tried the verification methods mentioned in the Gentoo doc and this system failed both, which is good since that means I have no infections. It also casts a false positive on Sun's Java as well as a few others which I will list here:
-------
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/pymodules/python2.6/.path /usr/lib/firefox-3.6.8/.autoreg /usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.20/.systemPrefs /usr/lib/xulrunner-1.9.2.8/.autoreg
-------

I know it doesn't matter all that much but I'm submitting since I can reproduce the event on Lucid and because Chuck asked for it so.. here it is. If you guys would like any more info feel free to hit me up.

Matt

Maxime (max-accadia) wrote :

I can confirm the issue on Lucid. It's probably related to an upstart update to 0.6.5-7.

# lsb_release -d
Description: Ubuntu 10.04.1 LTS
# chkrootkit -V
chkrootkit version 0.49
# chkrootkit
[...]
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
[...]

# strings /sbin/init | egrep HOME
# cat /proc/1/maps | egrep "init."
00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)

moojix (moojix) wrote :

I have exactly the same behavior and output as Maxime wrote in #14.
This false positive happens on my box since 17.08.2010 after this update:

"Preparing to replace upstart 0.6.5-6 (using .../upstart_0.6.5-7_amd64.deb)"

Thierry Carrez (ttx) on 2010-08-25
Changed in chkrootkit (Ubuntu):
importance: Wishlist → Medium
status: Incomplete → Confirmed
windracer (windracer) wrote :

Same thing for me. After my Lucid box ran weekly updates I started seeing the "Searching for Suckit rootkit... Warning: /sbin/init INFECTED" message from chkrootkit.

Lupe Christoph (lupe) wrote :

On Thursday, 2010-08-19 at 08:02:45 -0000, Maxime wrote:
> I can confirm the issue on Lucid. It's probably related to an upstart
> update to 0.6.5-7.

> [...]
> Searching for Suckit rootkit... Warning: /sbin/init INFECTED
> [...]

> # strings /sbin/init | egrep HOME
> # cat /proc/1/maps | egrep "init."
> 00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
> 00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
> 00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)

I rechecked, and I get this, too:

# chkrootkit -q

Warning: /sbin/init INFECTED

Also the deleted /sbin/init. I rebooted the system, and now /sbin/init
isn't deleted anymore (surprise! ;-) and the INFECTED is gone, too.

So I suppose the cause of the INFECTED is that the running /sbin/init is
different from the one in the filesystem. Checking ... Yup, here is the
line from chkrootkit:

      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."

This triggers when there is an entry in /proc/1/maps where "init" is not
at the end of the line.

Googling, I found this was discussed for Gentoo in
http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html
... and for Ubuntu in http://ubuntuforums.org/showthread.php?p=9741505

Alas, I could not find out what /proc/1/maps looks like when a real
Suckit is on the machine. Quite possibly Suckit removes /sbin/init and
links its own version there. If it does this only once, the " (deleted)"
will disappear after the first reboot, so it's not a good indicator, and
it reaps many more false positives. So I think chkrootkit would be
better off without this test.

Lupe Christoph
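
The /proc/1/maps half of the test, as the thread reconstructs it (the `egrep init.` line quoted above and Alex Muntada's proposed tightening earlier in the thread), can be exercised against sample mappings without touching a live PID 1. The script below is an added example, not chkrootkit's own code: the first function mimics the quoted `init.` match, the second parses the pathname field of each mapping instead, so that "/sbin/init (deleted)" (the on-disk binary was replaced after boot, as after an upstart upgrade) is reported separately from a mapping whose path merely mentions init. The three sample maps files are constructed; the "deleted" one is modelled on the output Maxime posted, and the "/dev/shm/.init" path in the third is a made-up stand-in for a swapped init, not something SucKit is known to use.

```shell
#!/bin/sh
# Added example (not chkrootkit's code). Both check functions read a
# /proc/PID/maps-format file from stdin, so the constructed samples below
# can stand in for /proc/1/maps.

# chkrootkit-style test as quoted in the thread: any line containing "init"
# followed by at least one more character counts as INFECTED.
# "/sbin/init (deleted)" satisfies that, which is the false positive.
chkrootkit_init_check() {
    if grep -E 'init.' >/dev/null; then
        echo INFECTED
    else
        echo clean
    fi
}

# Stricter test. The field layout of /proc/PID/maps is
#   address perms offset dev inode pathname
# and the pathname may contain spaces (the " (deleted)" suffix), so it is
# rebuilt from field 6 onward rather than matched against the whole line.
# Verdicts: clean; REPLACED-ON-DISK (only "/sbin/init (deleted)" was seen,
# i.e. the file PID 1 started from has been unlinked, typically by a package
# upgrade); SUSPICIOUS <path> (some other mapping whose path mentions init).
strict_init_check() {
    want="${1:-/sbin/init}"
    awk -v want="$want" '
        NF >= 6 {
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i
            if (path == want) next
            if (path == want " (deleted)") { deleted = 1; next }
            if (path ~ /init/) { odd = 1; oddpath = path }
        }
        END {
            if (odd)     { print "SUSPICIOUS " oddpath; exit }
            if (deleted) { print "REPLACED-ON-DISK"; exit }
            print "clean"
        }'
}

# Constructed sample: PID 1 runs the same /sbin/init that is on disk.
sample_maps_normal() {
    cat <<'EOF'
00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init
b75f0000-b7600000 rw-p 00000000 00:00 0       [heap]
EOF
}

# Constructed sample modelled on the maps lines posted in the thread:
# the binary PID 1 was started from has been unlinked (upgrade, no reboot).
sample_maps_deleted() {
    cat <<'EOF'
00e41000-00e5a000 r-xp 00000000 68:01 1572880 /sbin/init (deleted)
00e5a000-00e5b000 r--p 00019000 68:01 1572880 /sbin/init (deleted)
00e5b000-00e5c000 rw-p 0001a000 68:01 1572880 /sbin/init (deleted)
EOF
}

# Constructed, hypothetical sample of what a swapped init would look like to
# these tests: PID 1 is backed by a file that is not /sbin/init at all.
# Note the path ends the line, so the "init." pattern does NOT match it.
sample_maps_odd() {
    cat <<'EOF'
00e41000-00e5a000 r-xp 00000000 68:01 1572999 /dev/shm/.init
00e5a000-00e5b000 r--p 00019000 68:01 1572999 /dev/shm/.init
EOF
}

# Run both checks over every sample and print the verdicts side by side.
demo() {
    for s in normal deleted odd; do
        printf '%-8s chkrootkit-style: %-9s strict: %s\n' "$s" \
            "$(sample_maps_$s | chkrootkit_init_check)" \
            "$(sample_maps_$s | strict_init_check)"
    done
}

demo
```

On a live box the strict variant is run as `strict_init_check </proc/1/maps`. A REPLACED-ON-DISK verdict is the thread's false-positive case and can be reconciled against the package log (`/var/log/dpkg.log` on Ubuntu shows when upstart, or whatever provides /sbin/init, was last unpacked) and cleared by a reboot, whereas the quoted `init.` pattern reports that case as INFECTED and, as the third sample shows, says nothing at all when the mapped path merely ends in "init".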

Brownout (brownout) wrote :

Confirmed on Maverick.

Boyd Stephen Smith Jr. (bss03) wrote :

+1 on Maverick after installing upstart 0.6.6-4 on 2011-02-11.

Oliver (oliver-assarbad) wrote :

Same here, also a false positive (conclusion after doing the other usual tests for Suckit). The problem exists in Lucid Lynx:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.2 LTS
Release: 10.04
Codename: lucid

$ apt-cache show chkrootkit
Package: chkrootkit
Priority: optional
Section: misc
Installed-Size: 920
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Giuseppe Iuculano <email address hidden>
Architecture: amd64
Version: 0.49-3
Depends: libc6 (>= 2.7), debconf (>= 0.5) | debconf-2.0, binutils, net-tools, debconf, procps
Filename: pool/main/c/chkrootkit/chkrootkit_0.49-3_amd64.deb
Size: 339634
MD5sum: 9b369491740acda76ec586c535f5da98
SHA1: 1bf2e3f1738403aa07f682b82fea1db135ae0e09
SHA256: f0b970901ecc72494adbf6317df53a485c101f4a54311a6e3e1be838a57b859c
Description: rootkit detector
 The chkrootkit security scanner searches the local system for signs
 that it is infected with a 'rootkit'. Rootkits are set of programs
 and hacks designed to take control of a target machine by using known
 security flaws.
 .
 Types that chkrootkit can identify are listed on the project's home page.
 .
 Please note that where chkrootkit detects no intrusions, this does
 not guarantee that the system is uncompromised. In addition to
 running chkrootkit, more specific tests should always be performed.
Homepage: http://www.chkrootkit.org/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y

Jay Gates (cowb0y) wrote :

For those similarly affected: I recently reinstalled the upstart package (0.6.5-8) on Lucid (10.04.4) and then received the Suckit [false] flag from chkrootkit 0.49-3 (as well as the version in Debian Wheezy (0.49-4.1)). After restarting the server, the flag disappeared. So, it appears to be sufficient that init is replaced on disk (even by the same version) to trigger the false positive, and that restarting the system will resolve it.

Adam Funk (a-funk) wrote :

This went away in 12.10 and reappeared when I upgraded to 13.04.

chrisfaron (chrisfaron) wrote :

Yes same for me with a fresh install of 13.04 this bug still shows

Problem still exists on 13.10 / amd64. I've dumped /sbin/init with debugfs, compared it with the one from the package and they are identical. /sbin/init seems to match 'HOME' and /proc/1/maps does not match 'init.'

UBUCATZ (ubucatz) wrote :

PROBLEM STILL EXISTS ON 14.04 LTS!!!

Please either fix chkrootkit or change /sbin/init. I hope in a more security-aware post-Snowden era this will now trigger some more action; certainly many users will be very irritated about this.

This does not happen on other distros. Must be fixed before release.

Galen Thurber (godfree2) wrote :

Exists in Xubuntu 13.10 32-bit, and you may get an "egrep not found" error as well.
