ubuntu 10.04 /sbin/init infected by update (suckit)

Bug #676376 reported by U.Betcha
This bug affects 1 person
Affects: upstart (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

After installing Mint9 Isadora, but before updating, I installed and ran chkrootkit. All was clean.
I then ran MintUpdate which installed more than 300 updates.
After the update, I ran chkrootkit again and it flagged /sbin/init as infected with the Suckit Rootkit.

md5 of the infected file is: 9b20ed8c78442c8659a6b0be491896a9
md5 of /sbin/init on the live CD is: 3dc249a0bbfa4498b0e0787aef62b46d

It would appear that the update installed an infected version of /sbin/init

I moved the infected file to a safe location, and replaced it with the /sbin/init file from the live CD. Chkrootkit is happy with it, and the system works flawlessly.

This file is served by Ubuntu via the package "upstart". Their repositories are signed so this would have to come either from the maintainer's machine, or from an attack on the repositories themselves, which is very unlikely.

visibility: private → public
Robert Roth (evfool) wrote :

The report mentions that the rootkit comes from the package upstart; reassigning.

affects: ubuntu → upstart (Ubuntu)
visibility: public → private
Kees Cook (kees) wrote :

MintUpdate is not part of the Ubuntu archives. Can you isolate the specific package URL that you downloaded that chkrootkit is flagging?

visibility: private → public
Changed in upstart (Ubuntu):
status: New → Incomplete
U.Betcha (mwm-generalmail) wrote : Re: [Bug 676376] Re: ubuntu 10.04 /sbin/init infected by update (suckit)

UPSTART: event-based init daemon

*upstart* is a replacement for the /sbin/init daemon which handles
starting of tasks and services during boot, stopping them during
shutdown and supervising them while the system is running.

My machine has Ubuntu _upstart_ version 0.6.5-7 installed. My updates
are served from the Ubuntu Main server.

On 11/18/2010 04:10 AM, Kees Cook wrote:
> MintUpdate is not part of the Ubuntu archives. Can you isolate the
> specific package URL that you downloaded that chkrootkit is flagging?

U.Betcha (mwm-generalmail) wrote : Re: [Bug 676376] Re: ubuntu 10.04 /sbin/init infected by update (suckit)

I just did a re-install of "upstart", then ran chkrootkit and bingo, it
flags sbin/init as infected with the suckit rootkit. Is it really
infected? A false positive? Or is the newly installed "upstart" package
installing a new infected init file, or infecting the existing init file?
The md5 of the newly infected file is:
9fc881364679290346cda8236563025e same as last infection.

It would appear that by updating the Ubuntu package "*upstart*", the file
/sbin/init becomes infected or is replaced with an infected version.

Hope this helps.
U.Betcha

On 11/18/2010 09:57 AM, U.Betcha wrote:
> UPSTART: event-based init daemon
>
> *upstart* is a replacement for the /sbin/init daemon which handles
> starting of tasks and services during boot, stopping them during
> shutdown and supervising them while the system is running.
>
> My machine has Ubuntu _upstart_ version 0.6.5-7 installed. My updates
> are served from the Ubuntu Main server.

Marc Deslauriers (mdeslaur) wrote :

We need to know where you are getting your upstart package from.

The package in our archive does not match the md5 you pasted, and is not infected.

Either you are downloading the upstart package from a mirror which was compromised, in which case we would like to know about it, or a process on your system is infecting your init file once it's installed.

Marc Deslauriers (mdeslaur) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in upstart (Ubuntu):
status: Incomplete → Invalid
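
The thread turns on whether the installed /sbin/init matches the checksum shipped in the upstart package. As an added example (not part of the bug thread and not Ubuntu's own tooling), the shell function below checks files against a dpkg-style md5sums manifest; the function names and the scratch tree built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare files under a root directory with a dpkg-style
# md5sums manifest (lines of "<md5>  <path relative to />").
# On Debian/Ubuntu the installed manifest is typically
# /var/lib/dpkg/info/<package>.md5sums. That copy lives on the suspect
# host, so a manifest taken from a freshly fetched .deb (dpkg-deb --control)
# or from trusted media is the better reference; "apt-cache policy <package>"
# shows which repository served the installed version.

# verify_manifest ROOT MANIFEST
# Prints one status line per entry; returns 1 if any entry is
# MISMATCH or MISSING, 0 if every entry is OK.
verify_manifest() {
    root=$1 manifest=$2 rc=0
    while read -r want rel; do
        [ -n "$rel" ] || continue            # skip blank or malformed lines
        file="$root/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING  /$rel"; rc=1; continue
        fi
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       /$rel"
        else
            echo "MISMATCH /$rel (manifest $want, on disk $have)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed demo: a scratch tree standing in for /, with sbin/init
# changed after its manifest was written.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/root/sbin"
    printf 'original init\n' > "$tmp/root/sbin/init"
    printf 'original telinit\n' > "$tmp/root/sbin/telinit"
    ( cd "$tmp/root" && md5sum sbin/init sbin/telinit ) > "$tmp/pkg.md5sums"
    printf 'modified init\n' > "$tmp/root/sbin/init"   # file changes after install
    result=0
    verify_manifest "$tmp/root" "$tmp/pkg.md5sums" || result=$?
    rm -rf "$tmp"
    return $result
}

demo || echo "differences found (expected in this constructed demo)"
```

A mismatch only says the file differs from the manifest; it does not by itself distinguish a modified package from a file changed after installation, which is why the package's download source was requested in the thread.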
This report contains Public Security information  
Everyone can see this security related information.
