Today I noticed in the rkhunter log this:
rkhunter.log wrote:
[09:27:27] Warning: Checking for possible rootkit strings [ Warning ]
[09:27:27] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
...
[09:27:39] Rootkit checks...
[09:27:39] Rootkits checked : 245
[09:27:39] Possible rootkits: 4
[09:27:39] Rootkit names : Xzibit Rootkit, Xzibit Rootkit, Xzibit Rootkit, Xzibit Rootkit
Strange thing is, when I looked to see if rkhunter found the Xzibit Rootkit in its scan, it stated this:
rkhunter.log wrote:
[09:27:08] Checking for Xzibit Rootkit...
[09:27:08] Checking for file '/dev/dsx' [ Not found ]
[09:27:08] Checking for file '/dev/caca' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/linsniffer' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/logclear' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sense' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sl2' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sshdu' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/s' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/ssh_host_key' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/ssh_random_seed' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/sl2new.c' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/tcp.log' [ Not found ]
[09:27:08] Checking for file '/home/httpd/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/usr/local/httpd/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/usr/local/apache/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/www/httpd/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for file '/www/cgi-bin/becys.cgi' [ Not found ]
[09:27:08] Checking for directory '/dev/ida/.inet' [ Not found ]
[09:27:08] Xzibit Rootkit [ Not found ]
What's strange about this is that it never checks against hdparm....
So I try to see if I can catch the rootkit by scanning with chkrootkit...
The problem with running chkrootkit is that it does not scan for that specific rootkit (Xzibit Rootkit), though it did state this:
chkrootkit wrote:
Checking `hdparm'... not infected
To me this seems to suggest a few things...
(1) Using chkrootkit to scan for false positives may not always be a true test of a false positive, especially when chkrootkit doesn't scan for that particular rootkit...
(2) Rkhunter is incongruent while scanning for rootkits (will scan against known rootkits, but not always the files known to be infected by such rootkits), which leads to three possible outcomes:
(A) One's system is really infected with the rootkit...
(B) One has received a false positive...
Or (C) rkhunter really isn't the best tool for detecting rootkits...
Searching online about such false positives... I came up with this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559696
So perhaps it's a bug, but if that were the case, I'm using the version in which this bug should have been fixed:
apt-cache wrote:
Package: rkhunter
Versions:
1.3.6-3 (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_main_binary-i386_Packages) (/var/lib/dpkg/status)
Description Language:
File: /var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_main_binary-i386_Packages
MD5: 0278f467a97cada21f0a2fbf9e818586
Reverse Depends:
unhide,rkhunter
Dependencies:
1.3.6-3 - file (0 (null)) exim4 (16 (null)) postfix (16 (null)) sendmail (16 (null)) mail-transport-agent (0 (null)) perl (0 (null)) net-tools (0 (null)) binutils (0 (null)) debconf (18 0.5) debconf-2.0 (0 (null)) bsd-mailx (0 (null)) tripwire (0 (null)) wget (16 (null)) curl (16 (null)) links (16 (null)) elinks (16 (null)) lynx (0 (null)) iproute (0 (null)) unhide (0 (null)) lsof (0 (null)) libdigest-sha-perl (0 (null))
Provides:
1.3.6-3 -
Reverse Provides:
barstow
So, false positive, a bug, or do I really have a rootkit?
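One way to triage warnings like the ones in the post, added here as an example (it is not code from the post and not part of rkhunter or chkrootkit): a small Python script that reads rkhunter.log and, for each rootkit name that was flagged, separates the generic "Found string ... Possible rootkit" matches (which fire on any file containing the substring and need manual verification) from the rootkit's own file/directory checks ("Checking for file ... [ Found ]"). The line formats are taken from the log excerpt above; the sample log embedded in the script is constructed from that excerpt, and the per-rootkit "NAME [ Warning ]" verdict line used in the second test is an assumption about rkhunter's output, not something the post shows.

```python
"""Triage rkhunter 'Possible rootkit' warnings by the kind of evidence behind them.

Added example; not code from the forum post and not part of rkhunter.
Line formats are taken from the rkhunter.log excerpt quoted in the post.
"""
import re
from collections import defaultdict

# Constructed sample log, assembled from the lines quoted in the post.
SAMPLE_LOG = """\
[09:27:08] Checking for Xzibit Rootkit...
[09:27:08] Checking for file '/dev/dsx' [ Not found ]
[09:27:08] Checking for file '/dev/caca' [ Not found ]
[09:27:08] Checking for file '/dev/ida/.inet/linsniffer' [ Not found ]
[09:27:08] Checking for directory '/dev/ida/.inet' [ Not found ]
[09:27:08] Xzibit Rootkit [ Not found ]
[09:27:27] Warning: Checking for possible rootkit strings [ Warning ]
[09:27:27] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[09:27:27] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[09:27:39] Rootkits checked : 245
[09:27:39] Possible rootkits: 4
"""

TS = r"^\[\d\d:\d\d:\d\d\] "
# "Checking for NAME..." opens a rootkit's own block of specific indicator checks.
RE_START = re.compile(TS + r"Checking for (?P<name>.+?)\.\.\.$")
# One specific indicator (a file or directory path rkhunter associates with the rootkit).
RE_PATH = re.compile(TS + r"Checking for (?:file|directory) '(?P<path>[^']+)' \[ (?P<result>[^\]]+?) \]$")
# Generic string scan: any file containing the substring is reported under the rootkit's name.
RE_STRING = re.compile(TS + r"Found string '(?P<needle>[^']+)' in file '(?P<path>[^']+)'\. Possible rootkit: (?P<name>.+)$")
# "NAME [ result ]" closes the rootkit's block with its overall verdict.
RE_END = re.compile(TS + r"(?P<name>.+?) \[ (?P<result>Not found|Found|Warning) \]$")


def triage(log_text):
    """Map each flagged rootkit name to the evidence rkhunter logged for it."""
    report = defaultdict(lambda: {"file_checks": 0, "file_hits": [], "string_hits": [], "verdict": None})
    current = None  # rootkit whose specific-indicator block we are inside
    for line in log_text.splitlines():
        m = RE_START.match(line)
        if m:
            current = m.group("name")
            _ = report[current]  # make sure the entry exists even with no hits
            continue
        m = RE_PATH.match(line)
        if m and current:
            report[current]["file_checks"] += 1
            if m.group("result") == "Found":
                report[current]["file_hits"].append(m.group("path"))
            continue
        m = RE_STRING.match(line)
        if m:
            report[m.group("name")]["string_hits"].append((m.group("needle"), m.group("path")))
            continue
        m = RE_END.match(line)
        if m and current and m.group("name") == current:
            report[current]["verdict"] = m.group("result")
            current = None
    return dict(report)


def classify(entry):
    """'file-hit' (a specific indicator exists) outranks 'string-only' (substring match only)."""
    if entry["file_hits"]:
        return "file-hit"
    if entry["string_hits"]:
        return "string-only"
    return "no-evidence"


def paths_to_verify(report):
    """Files that were flagged only by the string scan and still need a manual look."""
    paths = set()
    for entry in report.values():
        if classify(entry) == "string-only":
            paths.update(path for _, path in entry["string_hits"])
    return sorted(paths)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, entry in result.items():
        print(f"{name}: {classify(entry)}; own-check verdict: {entry['verdict']}; "
              f"{entry['file_checks']} path checks, {len(entry['file_hits'])} found, "
              f"{len(entry['string_hits'])} string matches")
    for path in paths_to_verify(result):
        print("verify manually:", path)
```

On a Debian system the next step for each path the script lists is to confirm it belongs to an installed package (`dpkg -S /etc/init.d/hdparm`) and that its content still matches the package's recorded checksum (`debsums -c`, from the debsums package); a string match in a file that a package owns and that is unmodified is the usual shape of a string-scan false positive, while a match in an unowned or modified file deserves a closer look.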