[ubuntu] Rootkit problem reporting



ardchoille42
January 21st, 2010, 10:28 AM
I just performed a fresh install of Ubuntu 9.10 from a livecd that I received from Ship It. The install went well and I ran chkrootkit and rkhunter before putting the system online. The following happened:

1. Ran rkhunter, showed no problems

2. Ran chkrootkit; the report included this:

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

3. Re-ran rkhunter and it reported this regarding Suckit and /sbin/init:

/sbin/init [ OK ]
Suckit Rootkit [ Not found ]

The rkhunter summary included this:

System checks summary
=====================

File properties checks...
Files checked: 130
Suspect files: 0

Rootkit checks...
Rootkits checked : 111
Possible rootkits: 0

The red text emphasis was added by me for readability. As I said, I installed from trusted media and then installed several apps from the Ubuntu software repositories, so I don't think I have a rootkit. What I think happened is chkrootkit reported a false positive, but I don't remember this happening on Jaunty or previous installations of Karmic.

Has anyone else seen this problem?

iponeverything
January 21st, 2010, 12:51 PM
It's a false positive


https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566

ardchoille42
January 21st, 2010, 03:17 PM
> It's a false positive
>
> https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566

Yeah, I figured it was a false positive. Thank you very much for the bug report link.

cariboo907
January 21st, 2010, 08:21 PM
You can also use ubuntu-bug to report bugs. Press Alt-F2 and type:


ubuntu-bug <packagename>

In your case substitute rkhunter for <packagename>.

Note: This only works for Karmic and newer.

ardchoille42
January 22nd, 2010, 08:53 AM
> You can also use ubuntu-bug to report bugs. Press Alt-F2 and type:
>
> ubuntu-bug <packagename>
>
> In your case substitute rkhunter for <packagename>.
>
> Note: This only works for Karmic and newer.

Hey, I didn't know that... very helpful. Thank you :)