rkhunter, false positives?

[Barstow]

Hello all!

Today I noticed in the rkhunter log this:

[09:27:27] Warning: Checking for possible rootkit strings [ Warning ]
[09:27:27] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit

...

[09:27:39] Rootkit checks...
[09:27:39] Rootkits checked : 245
[09:27:39] Possible rootkits: 4
[09:27:39] Rootkit names : Xzibit Rootkit, Xzibit Rootkit, Xzibit Rootkit, Xzibit Rootkit

Strange thing is when I looked to see if rkhunter found the Xzibit Rootkit in its scan, it stated this:

[09:27:08] Checking for Xzibit Rootkit...
[09:27:08] Checking for file '/dev/dsx' [ Not found ]
[09:27:08] Checking for file '/dev/caca' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/linsniffer' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/logclear' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sense' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sl2' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sshdu' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/s' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/ssh_host_key' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/ssh_random_seed' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sl2new.c' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/tcp.log' [ Not found ]
[09:27:08] Checking for file '/home/httpd/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/usr/local/httpd/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/usr/local/apache/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/www/httpd/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/www/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for directory '/dev/ida/.inet' [ Not found ]
[09:27:08] Xzibit Rootkit [ Not found ]

What's strange about this is that it never checks against hdparm....

So I try to see if I can catch the rootkit by scanning with chkrootkit...

The problem with running chkrootkit is that it does not scan for that specific rootkit ( Xzibit Rootkit), though it did state this:

Checking `hdparm'... not infected

To me this seems to suggest a few things...

(1) Using chkrootkit to scan for false positives may not always be a true test of a false positive, especially when chkrootkit doesn't scan for that particular rootkit...
(2) Rkhunter is incongruent while scanning for rootkits (will scan against known rootkits, but not always the files known to be infected by such rootkits), which leads to three possible outcomes:

(A) One's system is really infected with the rootkit...
(B) One has received a false positive...
Or (C) rkhunter really isn't the best tool for detecting rootkits...

Searching online about such false positives... I came up with this:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559696

So perhaps maybe it's a bug, but if that were the case I'm using the version in which this bug should have been fixed:

Package: rkhunter
Versions:
1.3.6-3 (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_main_binary-i386_Packages) (/var/lib/dpkg/status)
Description Language:
File: /var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_main_binary-i386_Packages
MD5: 0278f467a97cada21f0a2fbf9e818586


Reverse Depends:
unhide,rkhunter
Dependencies:
1.3.6-3 - file (0 (null)) exim4 (16 (null)) postfix (16 (null)) sendmail (16 (null)) mail-transport-agent (0 (null)) perl (0 (null)) net-tools (0 (null)) binutils (0 (null)) debconf (18 0.5) debconf-2.0 (0 (null)) bsd-mailx (0 (null)) tripwire (0 (null)) wget (16 (null)) curl (16 (null)) links (16 (null)) elinks (16 (null)) lynx (0 (null)) iproute (0 (null)) unhide (0 (null)) lsof (0 (null)) libdigest-sha-perl (0 (null))
Provides:
1.3.6-3 -
Reverse Provides:

So, false positive, a bug, or do I really have a rootkit?

barstow

[julian67]

I don't know if you have a rootkit but I do know that running rkhunter on an unstable or testing (as in ever changing) release means that you're going to be experiencing similar situations regularly and often. If security is important it's better to run Stable, it has full and prompt security team support and you can run file integrity checkers without them throwing a fit every time....because the system isn't in a permanent state of flux.

Anyway use google and search for Xzibit Rootkit and you'll quickly see that either a surprising number of people found a rootkit using this version of rkhunter in the last month or else it's a false positive.

[Barstow]

... Anyway use google and search for Xzibit Rootkit and you'll quickly see that either a surprising number of people found a rootkit using this version of rkhunter in the last month or else it's a false positive.

Ever mindful of the fear of compromise, I set myself yet on another quest for truth...

Knowing that hdparm is a binary that's found within the debian repositories I ran debsums to see if the hash has been changed... which a rootkit would do...

debsums: no md5sums for anarchism
debsums: no md5sums for beav
debsums: no md5sums for binutils
debsums: no md5sums for binutils-doc
debsums: no md5sums for bogofilter
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for doc-debian
debsums: no md5sums for g++
debsums: no md5sums for gawk
debsums: missing file [way to many /gdm/themes to list]
debsums: no md5sums for gimp-dimage-color
debsums: no md5sums for gsl-ref-html
debsums: no md5sums for gsl-ref-psdoc
debsums: no md5sums for gui-apt-key
debsums: no md5sums for iconx
debsums: no md5sums for installation-report
debsums: no md5sums for jargon
debsums: no md5sums for latex2html
debsums: no md5sums for libaudio2
debsums: no md5sums for libberkeleydb-perl
debsums: no md5sums for libdb4.5
debsums: missing file /usr/lib/libGL.so.1.2 (from libgl1-mesa-glx package)
debsums: no md5sums for liblockfile1
debsums: missing file /usr/lib/libvdpau.so.1.0.0 (from libvdpau1 package)
debsums: missing file /usr/lib/vdpau/libvdpau_trace.so.1.0.0 (from libvdpau1 package)
debsums: no md5sums for lockfile-progs
debsums: no md5sums for mawk
debsums: no md5sums for netbase
debsums: changed file /var/lib/openoffice/basis3.1/share/config/javasettingsunopkginstall.xml (from openoffice.org-common package)
debsums: changed file /var/lib/openoffice/basis3.1/program/services.rdb (from openoffice.org-core package)
debsums: no md5sums for slib
debsums: no md5sums for sun-java6-fonts
debsums: changed file /usr/lib/xorg/modules/extensions/libglx.so (from xserver-xorg-core package)

As one can see there is a lot of missing md5sums hashes...

And if the hashes found in /var/lib/dpkg/info/*.md5sums where changed it would list them as well, so its a good bet that this scan was legit....

But notice in the list of missing hashes neither a missing or changed md5sums for the hdparm binary can be found...

This suggests, strongly, that this is indeed a bug...

And you are right...

This is testing and things are in flux, and perhaps it may be not the best distribution for security...

We can, however, at least, because of the counter measures given to us, determine if there was/is a security breach...

barstow

[Bulkley]

Just a thought. Because a rootkit is so deep it makes it hard to trust anything. Have you tried using a live-CD to run rkhunter or chkrootkit?

[craigevil]

Xzibit Rootkit is most likely a false positive. It is a bug in the rkhunter db, many people from various distros are seeing it.

My install is almost 6 yrs old, I have never found a rootkit.

Other than the recent Xzibit Rootkit that rkhunter insist it finds.

Use a router, no open ports, disable remote login, disable root login, turn off any services you do not need, keep your system updated.

Keep in mind that while Testing does not have security support it does get fixes from new versions after they make there way into testing from unstable.

The security-announce mailing list is a good one to be on if you like to keep an eye on security issues with packages.

[Barstow]

Xzibit Rootkit is most likely a false positive. It is a bug in the rkhunter db, many people from various distros are seeing it.

Indeed, and after exhausting testing procedures, using unhide as well as the above mentioned and testing another recently installed squeeze system, I have come to the conclusion that it's a false positive .

The security-announce mailing list is a good one to be on if you like to keep an eye on security issues with packages.

Thank you for suggesting this, and I will most certainly keep an eye on it.

barstow

[xurizaemon]

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576680

* hdparm: the string "hdparm" found in the initscripts leads to rkhunter warns
about possible Xzibit rootkit. Use the RTKT_FILE_WHITELIST option to whitelist
initscripts stating this string (eg. /etc/init.d/hdparm)

Consider also checksumming the files via USER_FILEPROP_FILES_DIRS if you're excluding them from rootkit scans.