
I recently ran chkrootkit and got the following line:

Searching for Suckit rootkit...                   Warning: /sbin/init INFECTED

What does this mean exactly? I heard this was a false positive; what exactly is happening?

Please and thank you.

myusuf3

2 Answers


It's likely this is a false positive since there's a bug in chkrootkit (supposedly fixed in a later version 0.50-3ubuntu1). Apparently chkrootkit doesn't perform a rigorous enough check.

See: https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566

Additionally you could try rkhunter which is similar to chkrootkit.

Some more information: Fortunately, running file `which chkrootkit` shows us that chkrootkit is just a shell script so we can inspect it directly.

Searching for Suckit in the file /usr/sbin/chkrootkit we find:
   ### Suckit
   if [ -f ${ROOTDIR}sbin/init ]; then
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
              cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
        then
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
      else
         if [ -d ${ROOTDIR}/dev/.golf ]; then
            echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
         else
            if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
         fi
      fi
   fi

The key line is:

cat ${ROOTDIR}/proc/1/maps | ${egrep} "init."

Since recent versions of Ubuntu, running that command does produce some output (you need to run it as root or with sudo):

# sudo cat /proc/1/maps | egrep "init."
b78c2000-b78db000 r-xp 00000000 08:02 271571     /sbin/init (deleted)
b78db000-b78dc000 r--p 00019000 08:02 271571     /sbin/init (deleted)
b78dc000-b78dd000 rw-p 0001a000 08:02 271571     /sbin/init (deleted)

However, this is not an infection by a rootkit. I have also looked at the rkhunter code, and the checks are far more rigorous (testing for all sorts of additional files installed by the rootkit).

I have changed lines 1003 and 1004 in the chkrootkit file so that it does not perform the check of /proc/1/maps (remember to take a copy first):

if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  ) \
             >/dev/null 2>&1
Simon B
    This applies to V0.49 as installed by apt-get. It looks like chkrootkit 0.50 (available from http://www.chkrootkit.org/ directly) fixes this false positive. – DDM Jun 10 '14 at 02:23
  • If you want to know which version comes with your Ubuntu, have a look at: http://packages.ubuntu.com/search?keywords=chkrootkit – Édouard Lopez Mar 01 '15 at 16:17
  • Because this came up in search when I was troubleshooting, I wanted to mention that there is another discussion with additional information here: https://askubuntu.com/questions/597432/do-i-have-a-rootkit-suckit-detected-in-sbin-init-chkutmp-errors/ – Cody Sharp Mar 26 '16 at 01:26

On Kubuntu 13.04 as of 2013-07-31

Running:

cat /sbin/init | egrep HOME

Produces:

Binary file (standard input) matches

AND

Running:

cat /proc/1/maps | egrep "init."

Produces NO output.

Note: removing the period (changing "init." to "init") does produce output:

b7768000-b779f000 r-xp 00000000 08:02 399192     /sbin/init
b779f000-b77a0000 r--p 00036000 08:02 399192     /sbin/init
b77a0000-b77a1000 rw-p 00037000 08:02 399192     /sbin/init

So it appears to me that the part checking HOME is the problem.

If one can make the assumption that rkhunter has a valid check, then perhaps the easy route is just to remove this section from chkrootkit and run both rkhunter and chkrootkit?

Seth
Archdave
    I have the same on Ubuntu 14.04 32-bit. If I try strings /sbin/init | grep HOME I get XDG_CACHE_HOME and XDG_CONFIG_HOME; is that still a false positive? What is the purpose of searching for the string "HOME" in /sbin/init? Why should that be a positive? – rubo77 Oct 13 '14 at 23:06
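The following script is an added example, not code from chkrootkit or from either answer. It re-implements the two halves of the Suckit test quoted in the first answer (`strings init | egrep HOME` and `cat /proc/1/maps | egrep "init."`) as small shell functions and runs them over constructed inputs, so that both false-positive mechanisms discussed on this page can be seen side by side: the HOME test matching the XDG_*_HOME strings rubo77 reports, and the "init." regex matching only when something follows "init" on the maps line, which is exactly the "/sbin/init (deleted)" case from the first answer and the reason Archdave's freshly booted system printed nothing. The maps lines and strings output below are constructed stand-ins, not captured from a real system; `grep -E` is used in place of `egrep` for portability.

```shell
#!/bin/sh
# Added example: models the logic of chkrootkit's Suckit test on constructed
# inputs. None of these strings were captured from a live machine.

# Constructed stand-in for `strings /sbin/init` output on a modern init:
# the XDG variable names both contain the substring HOME.
INIT_STRINGS='XDG_CACHE_HOME
XDG_CONFIG_HOME
/lib/systemd'

# Constructed stand-in for an init binary whose strings contain no HOME at all.
INIT_STRINGS_NOHOME='/lib/systemd
usage: init [OPTION]'

# Constructed /proc/1/maps lines from a system where the init package was
# upgraded while PID 1 kept running: the kernel appends "(deleted)" after the
# path of the unlinked binary.
MAPS_UPGRADED='b78c2000-b78db000 r-xp 00000000 08:02 271571     /sbin/init (deleted)
b78db000-b78dc000 r--p 00019000 08:02 271571     /sbin/init (deleted)'

# Constructed /proc/1/maps lines from a freshly booted system: the path is the
# last thing on each line, so nothing follows "init".
MAPS_CLEAN='b7768000-b779f000 r-xp 00000000 08:02 399192     /sbin/init
b779f000-b77a0000 r--p 00036000 08:02 399192     /sbin/init'

# home_check: first half of the test, `strings init | egrep HOME`.
# Returns 0 (chkrootkit would print INFECTED) when any string contains HOME,
# so XDG_CACHE_HOME and XDG_CONFIG_HOME are enough to trip it.
home_check() {
  printf '%s\n' "$1" | grep -E HOME >/dev/null 2>&1
}

# maps_check: second half of the test, `cat /proc/1/maps | egrep "init."`.
# In a regular expression the dot matches any single character, so "init."
# only matches when at least one character follows "init" on the line, e.g.
# the space before "(deleted)". A line ending in "/sbin/init" does not match.
maps_check() {
  printf '%s\n' "$1" | grep -E "init." >/dev/null 2>&1
}

# suckit_check: the full disjunction chkrootkit evaluates for the quoted
# warning. Prints the verdict and returns 0 for INFECTED, 1 for nothing found.
# $1 = strings output, $2 = /proc/1/maps content.
suckit_check() {
  if home_check "$1" || maps_check "$2"; then
    echo "Warning: /sbin/init INFECTED"
    return 0
  fi
  echo "nothing found"
  return 1
}

# deleted_mapping: a narrower reading of the maps evidence. It reports only
# the "(deleted)" case and labels it for what it is on an upgraded system: PID 1
# is still executing a binary that has since been replaced on disk, which is
# fixed by a reboot, not a rootkit indicator on its own.
deleted_mapping() {
  if printf '%s\n' "$1" | grep -E '/sbin/init \(deleted\)$' >/dev/null 2>&1; then
    echo "note: PID 1 runs a replaced /sbin/init; reboot to load the new binary"
    return 0
  fi
  return 1
}

# Walk through the four combinations so the output shows which half fires.
for strings_out in "$INIT_STRINGS" "$INIT_STRINGS_NOHOME"; do
  for maps in "$MAPS_UPGRADED" "$MAPS_CLEAN"; do
    suckit_check "$strings_out" "$maps" || true
  done
done
deleted_mapping "$MAPS_UPGRADED" || true
```

Reading the four verdicts in order: with HOME present in the strings the warning prints regardless of the maps content; without it, only the "(deleted)" maps lines trigger the warning, and the clean maps print "nothing found". That matches the first answer (upgraded system, HOME present, "(deleted)" present) and the second (fresh boot, HOME present, no maps match): on Archdave's system the HOME half alone produced the warning.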