ubuntu 10.04 /sbin/init infected by update (suckit)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
upstart (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
After installing Mint9 Isadora, but before updating, I installed and ran chkrootkit. All was clean.
I then ran MintUpdate which installed more than 300 updates.
After the update, I ran chkrootkit again and it flagged /sbin/init as infected with the Suckit Rootkit.
md5 of the infected file is: 9b20ed8c78442c8
md5 of /sbin/init on the live CD is: 3dc249a0bbfa449
It would appear that the update installed an infected version of /sbin/init.
I moved the infected file to a safe location, and replaced it with the /sbin/init file from the live CD. Chkrootkit is happy with it, and the system works flawlessly.
This file is served by Ubuntu via the package "upstart". Their repositories are signed so this would have to come either from the maintainer's machine, or from an attack on the repositories themselves, which is very unlikely.
visibility: private → public
The report mentions that the rootkit comes from the package upstart, reassigning.
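
An added example, not part of the original report or of Ubuntu's tooling: the description compares the updated /sbin/init with the live CD's copy, which predates the update, whereas the check below compares an installed file with the MD5 recorded for it in a dpkg-style md5sums manifest. The function name `check_file`, its arguments and the sample tree are constructed for illustration; the manifest format assumed is `<md5>  <path without leading slash>`.

```shell
#!/bin/sh
# check_file MANIFEST ROOT PATH
#   Prints MATCH, MISMATCH, UNLISTED or MISSING.
#   Returns 0 on MATCH, 1 on MISMATCH, 2 if PATH is not in the manifest,
#   3 if the manifest lists PATH but the file is absent under ROOT.
check_file() {
    manifest=$1 root=$2 path=${3#/}   # manifest paths carry no leading "/"

    # Compare the whole path field exactly; a substring match could pick
    # the entry for "sbin/initctl" when asked about "sbin/init".
    expected=$(awk -v p="$path" '{
        h = $1; f = substr($0, length(h) + 3)   # skip hash + two spaces
        if (f == p) { print h; exit }
    }' "$manifest")

    if [ -z "$expected" ]; then echo UNLISTED; return 2; fi
    if [ ! -f "$root/$path" ]; then echo MISSING; return 3; fi

    actual=$(md5sum "$root/$path" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then echo MATCH; return 0; fi
    echo "MISMATCH expected=$expected actual=$actual"
    return 1
}

# Constructed sample: a throwaway tree standing in for an installed system.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/sbin"
    printf 'constructed init\n'    > "$tmp/root/sbin/init"
    printf 'constructed initctl\n' > "$tmp/root/sbin/initctl"
    ( cd "$tmp/root" && md5sum sbin/initctl sbin/init ) > "$tmp/pkg.md5sums"

    check_file "$tmp/pkg.md5sums" "$tmp/root" /sbin/init            # unchanged file
    printf 'modified\n' >> "$tmp/root/sbin/init"
    check_file "$tmp/pkg.md5sums" "$tmp/root" /sbin/init || true    # altered file
    rm -rf "$tmp"
}
demo
```

On an installed system the manifest for the package named in the report would be `/var/lib/dpkg/info/upstart.md5sums` with `/` as the root. Because that manifest sits on the same disk as the file being checked, a manifest taken from a signature-verified package on trusted media is the stronger reference.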