On Wed, 29 Jul 2015 14:49:54 -0400, William wrote:
> I already realized that "chkrootkit" is not bullet-proof. I understand that *no* security tool or method is bullet-proof. Malicious people are always brewing new evil things, and security tools and methods are almost always stuck trying to catch up and keep up. I suspected that "chkrootkit" did not on its own get updates from some on-line database, but I wasn't sure. I hoped that maybe it was getting such updates when I do "yum update". You seem to be implying apparently not. :)
False sense of security.
Check out "rpm -q --changelog chkrootkit|less". That's Fedora's package changelog.
v0.48 - 2007
v0.49 - 2010, three years later
v0.50 - 2014, four years later (the project page had been gone for a long time even)
And what did change in the software? Does it check for many new rootkits? Which rootkits are popular? Which pieces of code hackers leave on a machine after a breakin could be found by chkrootkit? When was the last time chkrootkit found a rootkit on your installation(s)?
Then notice some of the details in the Fedora package's changelog. Fixes for ancient undiscovered bugs. Oh wait, and CVE-2014-0476? That one is classified as a "serious vulnerability" in chkrootkit itself.
> This tool (along with "rkhunter" and SELinux) does not give me a false sense of security. But they sure occasionally give me a serious scare.
That makes it even worse. I don't know why you find it worthwhile to run such tools. Have you had any experience with intrusion attempts and especially rootkits/backdoors? Or is it like running a random virus checker that never finds a virus, or running a cheap anti-virus which doesn't protect against the latest and greatest threats? It causes too much distraction. And having to deal with false positives is a strange hobby. ;-)
> If "chkrootkit" is so bad and out of date, are we getting any value from it?
Well, decide for yourself.
> Is it completely redundant with SELinux and "rkhunter"?
Do you run AIDE (package "aide") just because it can add another layer of protection? I don't think so. But that's a great tool with a special target group, albeit special maintenance requirements, too.
> If it's not adding anything beyond what SELinux and "rkhunter" do, maybe it should be removed from Fedora?
Some packages are kept alive because there is a volunteer to become the "owner" of the Fedora package as soon as the previous owner wants to drop the package. I don't know whether the current owner is convinced of the usefulness or quality of the software.
> Back to the original question: Is that "INFECTED (PORTS: 3133)" alert a false alarm or a real problem?
Suggestions:

* Subscribe to the bugzilla ticket I've mentioned.
* Run chkrootkit in "expert" mode.
* Look up the *tiny* shell function that checks port 3133 and try to understand which "netstat" command chkrootkit runs to examine port 3133.
* Draw conclusions.
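As an added illustration of the kind of check behind a "PORTS: 3133" alert (this is not chkrootkit's own function, and the netstat output and the program name on port 3133 are constructed placeholders): a bare port match is what produces the alert, and identifying the socket's owner is the step that separates a false alarm from a real problem.

```sh
#!/bin/sh
# Added example, not chkrootkit's own code: mimic the kind of "is port 3133
# open?" check a signature performs, then show the extra step (who owns the
# socket) that turns a bare port hit into something an admin can judge.

# Constructed sample in the style of `netstat -antp` (not captured from a real
# host); the program name on port 3133 is a made-up placeholder.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3133          0.0.0.0:*               LISTEN      2310/example-daemon
tcp        0      0 192.0.2.10:45120        198.51.100.5:443        ESTABLISHED 1999/firefox'

# port_in_use PORT OUTPUT: succeed if any socket's local port equals PORT.
# A check this shallow fires on every legitimate service that happens to use
# the port, which is how a "false alarm" arises.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# port_owner PORT OUTPUT: print "STATE PID/PROGRAM" for each socket on PORT so
# the owner can be traced back (e.g. with rpm -qf on the binary) before
# deciding whether the alert is benign.
port_owner() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) print $6, $7 }'
}

# Walk-through on the constructed sample.
if port_in_use 3133 "$SAMPLE_NETSTAT"; then
    echo "port 3133 is in use; owner(s):"
    port_owner 3133 "$SAMPLE_NETSTAT"
else
    echo "nothing on port 3133"
fi
```

On a real host, pass `"$(netstat -antp)"` instead of the sample (run as root, otherwise the PID/program column is blank for other users' processes), then check the listed binary against the package database.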