# chkrootkit

## mbjr

Hi there,

I was running chkrootkit overnight and realized that it detects some suspicious stuff like:

 *Quote:*   

> $chkrootkit |grep -v -i "nothing found" | grep -v -i "not infected"
> 
> Checking `find'... INFECTED
> ...

Don't know anything about find, but port 465 is provided by my postfix (SMTP over TLS/SSL).

And well, it found tons of suspicious files and dirs:

 *Quote:*   

> Searching for suspicious files and dirs, it may take a while...
> 
> ...

So the question is: should I be scared now?

I re-emerged findutils to see if that makes any difference; however, chkrootkit still shows the re-emerged file as infected. Since ps doesn't seem to be infected, I walked through the running processes and didn't find anything suspicious :-/ Changed the root password though...  :Smile: 

So what else should I do? Do I need to trust the results of chkrootkit at all?

Thanks,

MBJr.

----------

## nlindblad

I guess chkroot only looks up and compares old MD5sums for the files in /bin, /sbin and /usr/bin. That means that if you do an upgrade the MD5 won't match.

----------

## mbjr

Well, I'm not sure; it would not make too much sense checking for rootkits in files that were updated quite recently (not just on Gentoo), and well, based on an md5 checksum  :Smile: 

However, if that's true, then no wonder  :Smile:  I'll check the source and see what's happening; I just hope it's not a simple md5 checksum verification (probably on a per-version basis).

Thanks for the tip!

Cheers,

----------

## nlindblad

Rootkits are useless if you don't know exactly what binary files might be changed during emerge -uDv world, at least the ones I've used myself.

----------

## hanj

 *Quote:*   

> Checking `find'... INFECTED
> 
> Checking `bindshell'... INFECTED (PORTS: 465)

The bindshell, I would guess, is a false positive, but the 'find' is interesting. I would get a second opinion and emerge rkhunter and run that.

rkhunter is in portage

```
app-forensics/rkhunter
```

Just do:

```
rkhunter -c
```

 *Quote:*   

> I guess chkroot only looks up and compares old MD5sums for the files in /bin, /sbin and /usr/bin. That means that if you do an upgrade the MD5 won't match.

I'm not sure if that is correct. I may be wrong, but I thought it looked at the binary file to see if it matches a 'known' rootkit pattern.

From chkrootkit's site

 *Quote:*   

> "INFECTED": the test has identified a command probably modified by a known rootkit;

I'm not sure if it's looking at straight MD5sum diffs; that would be more of a file integrity checker (osiris/tripwire/aide, etc.).

I myself run chkrootkit every night as well... and I don't see INFECTED for binaries that change often.

Hope this helps

hanji
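
Illustration added here (not from any poster, and not chkrootkit's own source) of the two kinds of check the thread is debating, written as POSIX shell functions: a string-pattern match against the binary, and an MD5 comparison against the digest Portage recorded at install time in /var/db/pkg/&lt;category&gt;/&lt;package&gt;-&lt;version&gt;/CONTENTS. The pattern list is a constructed placeholder, not chkrootkit's real list; /usr/bin/find and sys-apps/findutils are the paths mbjr's case implies.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit itself.
# Two different questions hide behind a "Checking `find'... INFECTED" line:
#   1. Signature check (hanj's reading of the docs): does the binary contain a
#      string that a known-rootkit pattern list names?  The pattern passed in
#      is a constructed placeholder, not chkrootkit's real list.
#   2. Integrity check (nlindblad's guess): does the file's MD5 still match the
#      digest Portage recorded at install time in
#      /var/db/pkg/<category>/<package>-<version>/CONTENTS, whose file lines
#      read "obj <path> <md5> <mtime>"?
# A binary that fails 1 but passes 2 is exactly what the package manager
# installed, which argues for a false positive rather than a tampered file.

# sig_check BINARY PATTERN
# Prints every distinct match so you can judge it; exit 0 = clean, 1 = matched.
sig_check() {
    hits=$(grep -a -o -E -- "$2" "$1" | sort -u)
    if [ -n "$hits" ]; then
        printf 'INFECTED: matched %s\n' "$(printf '%s' "$hits" | tr '\n' ' ')"
        return 1
    fi
    echo "not infected"
}

# contents_md5_check BINARY CONTENTS_FILE
# Exit 0 = matches Portage's record, 1 = modified since install, 2 = not recorded.
contents_md5_check() {
    recorded=$(awk -v p="$1" '$1 == "obj" && $2 == p { print $3 }' "$2")
    if [ -z "$recorded" ]; then
        echo "not recorded in CONTENTS"
        return 2
    fi
    actual=$(md5sum -- "$1" | cut -d' ' -f1)
    if [ "$recorded" = "$actual" ]; then
        echo "matches CONTENTS"
        return 0
    fi
    echo "MODIFIED since install (recorded $recorded, on disk $actual)"
    return 1
}

# On a Gentoo box (paths assumed; the glob picks the installed findutils version):
#   sig_check /usr/bin/find 'PLACEHOLDER_PATTERN_1|PLACEHOLDER_PATTERN_2'
#   contents_md5_check /usr/bin/find /var/db/pkg/sys-apps/findutils-*/CONTENTS
```

Seeing which string actually matched is what lets you decide whether a hit on a freshly re-emerged binary is a rootkit or a legitimate string in the new build.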

----------

## nlindblad

 *hanj wrote:*   

> > Checking `find'... INFECTED
> > 
> > Checking `bindshell'... INFECTED (PORTS: 465)
> 
> The bindshell.. I would guess is a false positive.. but the 'find' is interesting. I would get a second opinion and emerge rkhunter and run that.
> ...

Just guessing, I sure hope it's a bit more advanced than MD5Sums, since a local/remote attacker might be able to change these as well.

----------

## hanj

 *Quote:*   

> Just guessing, I sure hope it's a bit more advanced than MD5Sums, since a local/remote attacker might be able to change these as well.

I agree. I wish documentation was a little more detailed on their site. Maybe it's worth a shot to look at the source for chkrootkit.

hanji

----------

## hielvc

Well, I just read this, so I installed chkrootkit and ran it; nothing bad found, including "find". Well, I was curious and ran 

```
emerge find -p

These are the packages that I would merge, in order:

Calculating dependencies   

!!! All ebuilds that could satisfy "find" have been masked.

!!! One of the following masked packages is required to complete your request:

- rox-extra/find-0.0.5 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or 

refer to the Gentoo Handbook.
```

It looks like the messages could be improved.  :Very Happy: 

----------

## mbjr

Hi there,

Thanks a lot guys for all those comments.

I've just been emerging and checking my system with rkhunter; however, it didn't find anything serious. I have a couple of Not founds and unknowns for particular software such as bind, proftpd, etc.

However, it seems to be skipping system tools:

 *Quote:*   

> Checking binaries
> 
> * Selftests
> 
>      Strings (command)                                        [ OK ]
> ...

chkrootkit still shows find as infected.

Will drop them a mail; probably they have some explanation for this.

Thanks for all of ya  :Wink: 

----------

