Thread: Suckit rootkit detected after upgrade

  1. #1

    Suckit rootkit detected after upgrade

    I have upgraded to 13.04 desktop. I run rkhunter and chkrootkit once every couple of weeks and have never had a rootkit. However, after upgrading, I am showing this:

    Code:
      Searching for Suckit rootkit... Warning: /sbin/init INFECTED

    This is the output from chkrootkit. I have upgraded 3 computers and all show the same. Is this an error with chkrootkit, or was there an infection from the Ubuntu upgrade directory? I have run rkhunter and it did not find any rootkits. My guess is that chkrootkit is giving an error. Anyone else seeing this issue?


  2. #2


    Re: Suckit rootkit detected after upgrade

    Hi Maintech.

    It's been shown to be a false positive; at least with Red Hat.

    https://bugzilla.redhat.com/show_bug.cgi?id=636231
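    Added example, not from the thread: before treating "/sbin/init INFECTED" as either a false positive or a compromise, check whether the flagged file still matches what dpkg recorded when its package was installed. To my reading of the chkrootkit script, the Suckit test is a string search over /sbin/init, not a provenance check, so a legitimately different init binary (upstart owns /sbin/init on Ubuntu 13.04) can trip it while a package-manifest comparison stays clean. The script below is mine, not chkrootkit's or Ubuntu's. It assumes a Debian/Ubuntu layout with per-package manifests under /var/lib/dpkg/info/<pkg>.md5sums, dpkg -S answering for the path, and GNU md5sum; the file and manifest used in the self-check are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Verify a file that a rootkit scanner
# flagged against the md5 manifest dpkg stored for the owning package.
# Assumptions: Debian/Ubuntu, manifests in /var/lib/dpkg/info/<pkg>.md5sums
# (format: "<md5>  <path relative to />"), GNU md5sum(1) and awk(1).

# manifest_md5 MANIFEST RELPATH
#   prints the md5 recorded for RELPATH; exits 1 if the path is not listed
manifest_md5() {
    awk -v p="$2" '$2 == p { print $1; found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# verify_against_manifest MANIFEST ROOT RELPATH
#   prints "match" (exit 0), "mismatch" (exit 1) or "unlisted" (exit 2)
#   ROOT lets the same logic run against a mounted image or a test tree
verify_against_manifest() {
    manifest=$1; root=$2; rel=$3
    expected=$(manifest_md5 "$manifest" "$rel") || { echo unlisted; return 2; }
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo match; return 0
    else
        echo mismatch; return 1
    fi
}

# verify_installed_file ABSPATH
#   asks dpkg which package owns ABSPATH and checks it against that manifest
#   (on Ubuntu 13.04 "dpkg -S /sbin/init" answers "upstart: /sbin/init")
verify_installed_file() {
    abs=$1
    rel=${abs#/}
    # first line of "pkg[:arch]: /path"; strip ": /path" to keep the package name
    pkg=$(dpkg -S "$abs" 2>/dev/null | head -n 1 | sed 's/: .*$//')
    [ -n "$pkg" ] || { echo "no package owns $abs"; return 3; }
    manifest=/var/lib/dpkg/info/$pkg.md5sums
    [ -r "$manifest" ] || { echo "no md5sums manifest for $pkg"; return 3; }
    printf '%s (%s): ' "$abs" "$pkg"
    verify_against_manifest "$manifest" / "$rel"
}

# usage: ./verify_flagged.sh /sbin/init [more paths...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do verify_installed_file "$f"; done
fi
```

    A "match" means the file is consistent with the installed package, nothing more: a rootkit that already has root can rewrite the dpkg database and the .md5sums manifests along with the binary. If the result matters, compare against the .deb fetched fresh from a mirror (dpkg-deb -x into a temp dir) or run the check from boot media against the mounted disk, which is what the ROOT argument is for.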

  3. #3


    Re: Suckit rootkit detected after upgrade

    Not detected on my 13.04 clean installation. It still may be a false positive, though.

    Code:
      Performing check of known rootkit files and directories
        55808 Trojan - Variant A                                 [ Not found ]
        ADM Worm                                                 [ Not found ]
        AjaKit Rootkit                                           [ Not found ]
        Adore Rootkit                                            [ Not found ]
        aPa Kit                                                  [ Not found ]
        Apache Worm                                              [ Not found ]
        Ambient (ark) Rootkit                                    [ Not found ]
        Balaur Rootkit                                           [ Not found ]
        BeastKit Rootkit                                         [ Not found ]
        beX2 Rootkit                                             [ Not found ]
        BOBKit Rootkit                                           [ Not found ]
        cb Rootkit                                               [ Not found ]
        CiNIK Worm (Slapper.B variant)                           [ Not found ]
        Danny-Boy's Abuse Kit                                    [ Not found ]
        Devil RootKit                                            [ Not found ]
        Dica-Kit Rootkit                                         [ Not found ]
        Dreams Rootkit                                           [ Not found ]
        Duarawkz Rootkit                                         [ Not found ]
        Enye LKM                                                 [ Not found ]
        Flea Linux Rootkit                                       [ Not found ]
        Fu Rootkit                                               [ Not found ]
        ****`it Rootkit                                          [ Not found ]
        GasKit Rootkit                                           [ Not found ]
        Heroin LKM                                               [ Not found ]
        HjC Kit                                                  [ Not found ]
        ignoKit Rootkit                                          [ Not found ]
        IntoXonia-NG Rootkit                                     [ Not found ]
        Irix Rootkit                                             [ Not found ]
        Jynx Rootkit                                             [ Not found ]
        KBeast Rootkit                                           [ Not found ]
        Kitko Rootkit                                            [ Not found ]
        Knark Rootkit                                            [ Not found ]
        ld-linuxv.so Rootkit                                     [ Not found ]
        Li0n Worm                                                [ Not found ]
        Lockit / LJK2 Rootkit                                    [ Not found ]
        Mood-NT Rootkit                                          [ Not found ]
        MRK Rootkit                                              [ Not found ]
        Ni0 Rootkit                                              [ Not found ]
        Ohhara Rootkit                                           [ Not found ]
        Optic Kit (Tux) Worm                                     [ Not found ]
        Oz Rootkit                                               [ Not found ]
        Phalanx Rootkit                                          [ Not found ]
        Phalanx2 Rootkit                                         [ Not found ]
        Phalanx2 Rootkit (extended tests)                        [ Not found ]
        Portacelo Rootkit                                        [ Not found ]
        R3dstorm Toolkit                                         [ Not found ]
        RH-Sharpe's Rootkit                                      [ Not found ]
        RSHA's Rootkit                                           [ Not found ]
        Scalper Worm                                             [ Not found ]
        Sebek LKM                                                [ Not found ]
        Shutdown Rootkit                                         [ Not found ]
        SHV4 Rootkit                                             [ Not found ]
        SHV5 Rootkit                                             [ Not found ]
        Sin Rootkit                                              [ Not found ]
        Slapper Worm                                             [ Not found ]
        Sneakin Rootkit                                          [ Not found ]
        'Spanish' Rootkit                                        [ Not found ]
        Suckit Rootkit                                           [ Not found ]
        Superkit Rootkit                                         [ Not found ]
        TBD (Telnet BackDoor)                                    [ Not found ]
        TeLeKiT Rootkit                                          [ Not found ]
        T0rn Rootkit                                             [ Not found ]
        trNkit Rootkit                                           [ Not found ]
        Trojanit Kit                                             [ Not found ]
        Tuxtendo Rootkit                                         [ Not found ]
        URK Rootkit                                              [ Not found ]
        Vampire Rootkit                                          [ Not found ]
        VcKit Rootkit                                            [ Not found ]
        Volc Rootkit                                             [ Not found ]
        Xzibit Rootkit                                           [ Not found ]
        zaRwT.KiT Rootkit                                        [ Not found ]
        ZK Rootkit                                               [ Not found ]

    [Press <ENTER> to continue]

      Performing additional rootkit checks
        Suckit Rookit additional checks                          [ OK ]
        Checking for possible rootkit files and directories      [ None found ]
        Checking for possible rootkit strings                    [ None found ]
    Last edited by Frogs Hair; May 3rd, 2013 at 03:01 AM.

  4. #4


    Re: Suckit rootkit detected after upgrade

    Quote Originally Posted by hansdown View Post
    Hi Maintech.

    It's been shown to be a false positive; at least with Red Hat.

    https://bugzilla.redhat.com/show_bug.cgi?id=636231
    I'm seeing something similar, but in Mint 15. Luckily, I have it all isolated in VB.
    Here's my question to you: how does this response, "false positive; at least with redhat", address the issue with the Ubuntu user, or any other non-Red Hat user?


    Quote Originally Posted by Frogs Hair View Post
    Not detected on my 13.04 clean installation. It still may be a false positive though

    [rkhunter output quoted from post #3; verbatim duplicate omitted]
    I'm genuinely curious how your throwing your results helps OP address his/her issue.

  5. #5


    Re: Suckit rootkit detected after upgrade

    Quote: I'm genuinely curious how your throwing your results helps OP address his/her issue.

    It simply demonstrates that there was no variation in the findings from rkhunter on both of our computers. The OP has not responded since May 1st, and either the question is open or was resolved elsewhere. The thread is owned by the original poster, and it is for him or her to determine the value or relevance of any responses.


    Old bug: https://bugs.launchpad.net/ubuntu/+s...it/+bug/454566
    Last edited by Frogs Hair; June 17th, 2013 at 05:47 PM.

  6. #6

    Re: Suckit rootkit detected after upgrade

    Also note that, while some may choose to port it to newer releases of their distribution, chkrootkit v0.49 was essentially last released four years ago. So the chances of any issue getting resolved at the source are about nil, and the web site pointing to an old copy of their Portuguese site since somewhere in 2012 doesn't spell much good either.

    And while the same may be said to some extent about RKH (after all, v1.4.0 was released May 2012), at least the development tarball contains all updates since the last release.

    I'd be happy to provide a patch for it if possible, but then somebody should attach or pastebin the expert mode log as plain text.

  7. #7


    Re: Suckit rootkit detected after upgrade

    Howdy,

    As alluded to above, tools like chkrootkit are mostly useless and a waste of time. Rather use nmap to scan your system for unusual open ports, and then use tcpdump or wireshark to keep an eye on network traffic.
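    Added example, not from the thread: the "look for unusual open ports" advice turned into something repeatable. The script below is mine; it lists the host's listening sockets with iproute2's ss(8), compares the ports against an allow-list you maintain for that machine, and prints the outliers with the owning process. It assumes ss is present and is run as root (otherwise the process column is empty and the report shows "-"); the sample lines in the self-check are constructed to look like `ss -ltnup` output. The allow-list ports are examples, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the thread). Report listening sockets whose port is
# not on an allow-list of expected services, with the process that owns them.
# Assumptions: iproute2 ss(8); root privileges for the Process column.

# unexpected_listeners "PORT PORT ..."
#   reads "ss -ltnup"-style lines on stdin and prints "proto port process"
#   for every LISTEN (tcp) or UNCONN (udp) socket whose port is not allowed
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # skip the header and anything that is not a listening socket
        $2 != "LISTEN" && $2 != "UNCONN" { next }
        NF >= 5 {
            # field 5 is Local Address:Port; the port follows the last ":"
            # (works for 0.0.0.0:22, [::]:22 and *:22 alike)
            port = $5; sub(/.*:/, "", port)
            if (port in ok) next
            # process name sits in users:(("name",pid=N,fd=M)) when run as root
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            print $1, port, proc
        }'
}

# check_host "PORT PORT ...": run ss on this machine and report the outliers
check_host() {
    ss -ltnup 2>/dev/null | unexpected_listeners "$1"
}

# usage (as root): ./listeners.sh 22 68 631
# then watch what the outliers talk to, e.g. from another host:
#   tcpdump -ni eth0 'host <this machine> and not port 22'
if [ "$#" -gt 0 ]; then
    check_host "$*"
fi
```

    One caveat that belongs next to this: ss reads the kernel's own socket table, and a kernel-level rootkit can filter exactly that view, so an empty report from the suspect host proves little. A port scan from a second machine and a capture of the suspect's traffic on a mirror port or at the gateway do not depend on the suspect's kernel telling the truth, which is the real reason to prefer nmap and tcpdump from the outside over anything run locally.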
