
I installed chkrootkit with apt-get install on a freshly installed Ubuntu Server 16.04.3.
chkrootkit found suspicious files and directories after the first run:

    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
    /lib/modules/4.4.0-87-generic/vdso/.build-id
    /lib/modules/4.4.0-96-generic/vdso/.build-id

I noticed that three years ago another user on Stack Exchange found the same false positives and posted Chkrootkit found alot of suspicious files and directories, and /sbin/init INFECTED.

In FAQ number 8 at the chkrootkit official website it is stated that they cannot whitelist false positives because an attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.

What do you suggest doing with this long list of files and directories? How can I check that they are false positives? If they are false positives, is there any way to compare these files against their original content (as with packages using dpkg -V)?

Asarluhi
  • IMO this is the problem with most if not all scanners in Linux, the false positives. You have to investigate the false positives, no one can make a determination for you. – Panther Oct 05 '17 at 16:07
  • IMO you are better off with an alternate HIDS such as tripwire or OSSEC. With those tools you need to start with a known good system. See https://www.server-world.info/en/note?os=Ubuntu_16.04&p=tripwire and https://www.digitalocean.com/community/tutorials/how-to-monitor-ossec-agents-using-an-ossec-server-on-ubuntu-14-04 and https://www.digitalocean.com/community/tutorials/how-to-monitor-ossec-agents-using-an-ossec-server-on-ubuntu-14-04 https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04 – Panther Oct 05 '17 at 16:10
  • The two digitalocean URLs are the same. – Asarluhi Oct 05 '17 at 16:15
  • Second: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04 – Panther Oct 05 '17 at 16:17

1 Answer

You can verify your packages (somewhat) with debsums:

sudo apt install debsums

Then:

sudo debsums

By default it skips config files; to include them:

sudo debsums -a

To show only errors, use the -s flag:

sudo debsums -as

For details and additional options see man debsums:

http://manpages.ubuntu.com/manpages/zesty/en/man1/debsums.1.html

    If you are looking for an integrity checker that can run from safe media, do integrity checks on checksum databases and can be easily configured to run periodically to warn the admin of changes see other tools such as: aide, integrit, samhain, or tripwire.

Those tools (aide, integrit, samhain, or tripwire) should be installed / initialized on a fresh install / known good system and preferably run from live media, as some cracking tools can defeat these tools on a cracked system.

Panther
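The check the answer relies on (debsums compares each installed file against the md5 recorded in the package's md5sums list) can be narrowed to exactly the paths chkrootkit listed, which is what the question asks for. The script below is an added example, not part of the original answer and not the code of debsums or chkrootkit. It parses chkrootkit's "suspicious files and directories" block, indexes the `<package>.md5sums` files from dpkg's info directory (`/var/lib/dpkg/info` on a real Debian/Ubuntu host) and classifies each flagged path. The sample chkrootkit output, the fake root tree and the `fail2ban.md5sums` file that `demo()` builds are constructed for the demonstration; all function names are the example's own.

```python
import hashlib
import os
import re
import tempfile

MARKER = "The following suspicious files and directories were found:"

# Constructed, shortened sample of chkrootkit's output block (not a real run).
SAMPLE_OUTPUT = (
    "Searching for suspicious files and dirs, it may take a while... "
    + MARKER + " \n"
    "/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess "
    "/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd "
    "/lib/modules/4.4.0-87-generic/vdso/.build-id /opt/.local-note\n"
)


def parse_chkrootkit_output(text):
    """Return the unique absolute paths listed after the marker line, in order."""
    _, found, rest = text.partition(MARKER)
    if not found:
        return []
    paths = []
    for token in re.findall(r"/\S+", rest):
        if token not in paths:
            paths.append(token)
    return paths


def load_dpkg_md5sums(info_dir):
    """Index {relative_path: (package, md5)} from every <pkg>.md5sums in info_dir.

    On a real system info_dir is /var/lib/dpkg/info. Each line reads
    '<md5hex>  <path relative to />'. Conffiles and directories are not listed,
    so they cannot be verified this way.
    """
    index = {}
    for name in sorted(os.listdir(info_dir)):
        if name.endswith(".md5sums"):
            with open(os.path.join(info_dir, name), encoding="utf-8") as fh:
                for line in fh:
                    if line.strip():
                        digest, relpath = line.rstrip("\n").split("  ", 1)
                        index[relpath] = (name[: -len(".md5sums")], digest)
    return index


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_paths(paths, index, root="/"):
    """Classify each path as ok / MODIFIED / missing / directory / unpackaged."""
    results = {}
    for path in paths:
        rel = path.lstrip("/")
        full = os.path.join(root, rel)
        if os.path.isdir(full):
            results[path] = "directory"    # dpkg records no checksum for directories
        elif rel not in index:
            results[path] = "unpackaged"   # no package claims it: inspect by hand
        elif not os.path.isfile(full):
            results[path] = "missing"
        elif md5_of_file(full) == index[rel][1]:
            results[path] = "ok"
        else:
            results[path] = "MODIFIED"     # content differs from what the package shipped
    return results


def demo():
    """Constructed scenario: fake root, fake dpkg info dir, one file changed after install."""
    base = "usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/"
    shipped = {
        base + ".htaccess": b"AuthType Basic\nRequire valid-user\n",
        base + ".htpasswd": b"user:$apr1$constructed-hash\n",
    }
    tmp = tempfile.mkdtemp()
    root, info = os.path.join(tmp, "root"), os.path.join(tmp, "info")
    os.makedirs(info)
    with open(os.path.join(info, "fail2ban.md5sums"), "w", encoding="utf-8") as fh:
        for rel, content in shipped.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as out:
                out.write(content)
            fh.write(f"{hashlib.md5(content).hexdigest()}  {rel}\n")
    os.makedirs(os.path.join(root, "lib/modules/4.4.0-87-generic/vdso/.build-id"))
    os.makedirs(os.path.join(root, "opt"))
    with open(os.path.join(root, "opt/.local-note"), "w", encoding="utf-8") as fh:
        fh.write("not shipped by any package\n")
    with open(os.path.join(root, base + ".htpasswd"), "ab") as fh:
        fh.write(b"extra:x\n")  # simulate a post-install change to a packaged file
    paths = parse_chkrootkit_output(SAMPLE_OUTPUT)
    return verify_paths(paths, load_dpkg_md5sums(info), root=root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:<10} {path}")
```

On a real host, feed it the saved chkrootkit log and the real info directory: `verify_paths(parse_chkrootkit_output(open("chkrootkit.log").read()), load_dpkg_md5sums("/var/lib/dpkg/info"))`. Two limits match the caveats in the answer: the `.build-id` directories and any conffile will never get an "ok" because dpkg keeps no md5sums entry for them (debsums -a reads conffile checksums from /var/lib/dpkg/status instead), and the md5sums files live on the same disk as the binaries, so on a compromised system both could have been altered together, which is why the answer points to checkers run from live media.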