Scan by chkrootkit shows "tcpd" as being INFECTED, although a scan by rkhunter shows OK (except for the regular false positives).
Shall I be worried? (I'm on Ubuntu 16.10 with 4.8.0-37-generic)
In this Ubuntu Forums post, user kpatz tested this in a fresh 16.10 VM and chkrootkit still complained, making this a false positive. You can always check whether a file has been tampered with by comparing it against the md5sum recorded by the package:
$ dpkg -S /usr/sbin/tcpd
tcpd: /usr/sbin/tcpd
$ (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
usr/sbin/safe_finger: OK
usr/sbin/tcpd: OK
usr/sbin/tcpdchk: OK
usr/sbin/tcpdmatch: OK
usr/sbin/try-from: OK
usr/share/man/man8/safe_finger.8.gz: OK
usr/share/man/man8/tcpd.8.gz: OK
usr/share/man/man8/tcpdchk.8.gz: OK
usr/share/man/man8/tcpdmatch.8.gz: OK
usr/share/man/man8/try-from.8.gz: OK
Of course, the md5sums file itself may be tampered with (and so could md5sum itself, and so on...).
(Unfortunately the system won't let me vote for your reputation. It says I am not yet allowed to do that :((((( – user633620 Feb 15 '17 at 06:38
This is a false positive caused by a bug in the main chkrootkit script. I tried to post the fix here, but was downvoted. I reported the issue to the chkrootkit devs, but if you'd like to fix the issue so that it actually works, you might want to check out: https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733
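The md5sums check from the first answer above, as an added example that is not part of the original post or of the dpkg/chkrootkit tools: it rebuilds the same "(cd /; md5sum -c ...)" step against a constructed throwaway directory so you can watch the result flip from OK to FAILED once the binary is modified or removed. The fake tcpd files, their contents and the directory layout are constructed for the demo; the only real dependency is md5sum from GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original answer: run the dpkg md5sums check
# against a constructed fake root so a tampered or missing binary can be
# seen to FAIL without touching the real /var/lib/dpkg/info.
set -u

# verify_md5sums ROOT MD5FILE
# Same idea as "(cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)", but
# relative to ROOT. With --quiet only differing or unreadable entries are
# printed. Returns 0 when every listed file matches, non-zero otherwise.
verify_md5sums() {
    ( cd "$1" && md5sum -c --quiet "$2" 2>/dev/null )
}

# build_fake_tcpd_root DIR
# Constructed sample layout: two fake binaries plus the md5sums file in the
# same "hash  relative/path" format dpkg records at install time.
build_fake_tcpd_root() {
    mkdir -p "$1/usr/sbin" "$1/var/lib/dpkg/info"
    printf 'fake tcpd binary\n'    > "$1/usr/sbin/tcpd"
    printf 'fake tcpdchk binary\n' > "$1/usr/sbin/tcpdchk"
    ( cd "$1" && md5sum usr/sbin/tcpd usr/sbin/tcpdchk ) \
        > "$1/var/lib/dpkg/info/tcpd.md5sums"
}

# demo
# Returns 0 only if the pristine tree passes AND the check catches a
# modification appended to the fake tcpd (the case the question is about).
demo() {
    root=$(mktemp -d)
    sums="$root/var/lib/dpkg/info/tcpd.md5sums"
    build_fake_tcpd_root "$root"

    if ! verify_md5sums "$root" "$sums"; then
        rm -rf "$root"; return 1        # clean tree must verify
    fi

    printf 'trojaned\n' >> "$root/usr/sbin/tcpd"
    if verify_md5sums "$root" "$sums"; then
        rm -rf "$root"; return 1        # tampering must be detected
    fi

    rm -rf "$root"
    return 0
}

demo && echo "clean tree verified OK; modified tcpd reported as FAILED"
```

Two things the check itself does not tell you: dpkg's .md5sums files cover the package's regular files only (conffiles are excluded by default, so anything shipped under /etc as a conffile gets no entry), and, as the answer already notes, every tool involved (the md5sums file, the md5sum binary, the kernel serving the reads) lives on the same disk a rootkit would control. debsums, used in a later answer, automates this comparison across all installed packages, but a verdict on a suspected rootkit is only trustworthy when taken from a separately booted, trusted medium.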
Mine was also listed as "INFECTED" (Ubuntu 18.10), so I cross-checked tcpd using the debsums utility, i.e.:
sudo debsums | grep tcpd
It was listed as "OK".
You can try uploading them to sites for testing like VirusTotal, and I believe BitDefender has a one-minute rootkit scanner program available (unsure of multi-OS support).
If you have a rootkit, there's no way to know if it's a false positive without solid documentation as was posted above, considering that a malicious program with root access can hide itself. You seem to be concerned, or are just following the syntax of CAPS LOCK, but in the future I would recommend vaulting and backing up essential files (either through a cloud or an external drive that you must take care not to cross-infect) such as databases, family photos, work, unsavory videos, etc.
Check the md5 sums for inconsistencies for the important junk, which is mostly anything that can be given root access, or the distro itself. And if you are running a fresh install or don't mind doing one, you could always wipe and check it once more.
Quick edit: BitDefender does not actually offer support for anything other than Windows. Side note: all antivirus programs are data-mining you and your internet usage. Open source FTW.
tl;dr on the insidious nature of rootkits and how easily they propagate.
sudo chkrootkit tcpd
returns infected? – naXa stands with Ukraine Jul 17 '17 at 02:10