
I ran `sudo chkrootkit` today and this appeared as part of the output:

Checking `tcpd'...                                          INFECTED

I am running Ubuntu GNOME 16.10 with GNOME 3.22. What does this mean, should I be worried, and how can I investigate further?

Information Update:

I ran `sudo chkrootkit -d -x tcpd`, as suggested in the comments, and this was the output:

+ [ / != / ]
+ [  != t ]
+ echo ROOTDIR is `/'
ROOTDIR is `/'
+ echo amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall  ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
+ /bin/egrep (^|[^A-Za-z0-9_])tcpd([^A-Za-z0-9_]|$)
+ [ t != t -a  != t ]
+ chk_tcpd
+ STATUS=1
+ TCPD_INFECTED_LABEL=p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux
+ [ -r /etc/inetd.conf ]
+ /bin/ps auwx+ 
/bin/egrep xinetd
+ /bin/egrep -v grep
+ [ -z  ]
+ loc tcpd tcpd /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /snap/bin /sbin /usr/sbin /lib /usr/lib /usr/libexec .
+ thing=tcpd
+ shift
+ dflt=tcpd
+ shift
+ :
+ test -f /usr/local/sbin/tcpd
+ :
+ test -f /usr/local/bin/tcpd
+ :
+ test -f /usr/sbin/tcpd
+ echo /usr/sbin/tcpd
+ exit 0
+ CMD=/usr/sbin/tcpd
+ [ tcpd = /usr/sbin/tcpd -o ! -f /usr/sbin/tcpd ]
+ [ t = t ]
+ expertmode_output /usr/bin/strings -a /usr/sbin/tcpd
+ echo ###
###
+ echo ### Output of: /usr/bin/strings -a /usr/sbin/tcpd
### Output of: /usr/bin/strings -a /usr/sbin/tcpd
+ echo ###
###
+ eval /usr/bin/strings -a /usr/sbin/tcpd
+ /usr/bin/strings -a /usr/sbin/tcpd
/lib64/ld-linux-x86-64.so.2
libwrap.so.0
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
eval_client
_fini
refuse
sock_host
deny_severity
allow_severity
clean_exit
request_init
hosts_access
fix_options
eval_hostaddr
libc.so.6
execv
strrchr
__stack_chk_fail
openlog
__syslog_chk
umask
__strcpy_chk
__sprintf_chk
__libc_start_main
closelog
_edata
__bss_start
_end
GLIBC_2.3.4
GLIBC_2.4
GLIBC_2.2.5
[]A\
[]A\A]A^A_
/usr/sbin
%s/%s
connect from %s (%s)
error: cannot execute %s: %m
;*3$"
tcpd
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.gnu_debuglink
+ return 0
+ return 5
+ STATUS=5
+ [  = t ]
+ exit 0

And the output for sudo chkrootkit -d tcpd is:

+ [ / != / ]
+ [  != t ]
+ echo ROOTDIR is `/'
ROOTDIR is `/'
+ + echo amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall  ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write/bin/egrep (^|[^A-Za-z0-9_])tcpd([^A-Za-z0-9_]|$)

+ [  != t -a  != t ]
+ printn Checking `tcpd'... 
+ printf=use printf
+ printf_fmt=%-60s
+ [ !  ]
+ which printf
+ PRINTF_BIN=/usr/bin/printf
+ [ ! /usr/bin/printf ]
+ [ /usr/bin/printf ]
+ [ use printf ]
+ /usr/bin/printf %-60s Checking `tcpd'... 
Checking `tcpd'...                                          + chk_tcpd
+ STATUS=1
+ TCPD_INFECTED_LABEL=p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux
+ [ -r /etc/inetd.conf ]
+ /bin/egrep -v grep
+ /bin/egrep xinetd
+ /bin/ps auwx
+ [ -z  ]
+ loc tcpd tcpd /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /snap/bin /sbin /usr/sbin /lib /usr/lib /usr/libexec .
+ thing=tcpd
+ shift
+ dflt=tcpd
+ shift
+ :
+ test -f /usr/local/sbin/tcpd
+ :
+ test -f /usr/local/bin/tcpd
+ :
+ test -f /usr/sbin/tcpd
+ echo /usr/sbin/tcpd
+ exit 0
+ CMD=/usr/sbin/tcpd
+ [ tcpd = /usr/sbin/tcpd -o ! -f /usr/sbin/tcpd ]
+ [  = t ]
+ /usr/bin/strings -a /usr/sbin/tcpd
+ /bin/egrep p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux
+ return 1
+ STATUS=1
+ [  = t ]
+ echo not infected
not infected
+ exit 0
  • try checking the sha1sum: it should be cd9cfc19df7f0e4b7f9adfa4fe8c5d74caa53d86 –  Jan 03 '17 at 21:39
  • @Edity: I'd be better off checking the SHA256SUM or the SHA512SUM. SHA1 is about as insecure and vulnerable to collisions as MD5 is, so in this case it probably wouldn't be the best verifier. –  Jan 04 '17 at 10:44
  • @anx: Right, I have edited my question to include the output of the second more verbose command. –  Jan 04 '17 at 10:49
  • @anx: Yes, I have just checked again and it does say that. I copied directly from the output. I'm thinking that perhaps the INFECTED is a summary and that it isn't printed in expert mode, because when I ran it in expert mode alone it didn't output "not infected" for any of the other checks either. –  Jan 04 '17 at 11:22
  • @anx: I think it is expert mode that is removing those summaries. I have provided the output for when I just run it as `sudo chkrootkit -d tcpd`. –  Jan 04 '17 at 11:25
