F21: infection reported by "chkrootkit".

William mattison.computer at yahoo.com
Wed Jul 29 18:49:54 UTC 2015


(replying to two posts)

On 07/28/2015 05:37 PM, William wrote:
>
> On 07/28/2015 01:55 PM, William wrote:
>> Good afternoon,
>>
>> On 07/23/2015 02:56 PM, William wrote:
>>> Hi all,
>>>
>>> While doing my routine patches and scans, "chkrootkit" reported the 
>>> following:
>>>
>>> (*** snip ***)
>>> Checking `asp'... not infected
>>> Checking `bindshell'... warning, got bogus l2cap line.
>>> warning, got bogus l2cap line.
>>> (*** snip ***)
>>> warning, got bogus l2cap line.
>>> INFECTED (PORTS:  3133)
>>> Checking `lkm'... chkproc: nothing detected
>>> (*** snip ***)
>>>
>>> I ran "rkhunter" immediately after the "chkrootkit" run finished, 
>>> and it reported no problems.  How do I determine if this is a false 
>>> alarm or a real problem?  If this is a real problem, what should I 
>>> do about it?  Also, as I'm neither a security expert nor a sysadmin, 
>>> what is port 3133 used for?
>>>
>>> thanks,
>>> Bill.
>>
>> I realized a lot later that I also should have mentioned that the 
>> "chkrootkit" run was shortly after doing "yum update", "prelink -a", 
>> and rebooting.  I don't know if that's significant.
>>
>> > By examining the chkrootkit program -- it's a large shell script with
>> > a few helper tools -- to understand what it does to perform a check.
>>
>> ???  I looked at that long sh script.  It didn't help.  I don't see 
>> how knowing that chkrootkit uses "netstat" to check a port tells me 
>> whether or not I have a real problem.  I don't understand what it 
>> means that a port is infected.  I am a home user stuck doing his own 
>> sysadmin and security with no training or experience in these things.
>>
>> Do I have a security problem?  If yes, how do I fix it?
>>
>> > At  http://bugz.fedoraproject.org/chkrootkit  somebody has looked into
>> > the l2cap warning before.
>>
>> Thank-you.
>>
>> thanks,
>> Bill.
>
> > I'm not sure why you're using prelink, but if you're worried about
> > security you might consider adding -r to the command.
>
> Some time ago, I was getting a lot of warnings from "rkhunter". Both 
> John Horne (of "rkhunter" fame) and the "rkhunter" warnings suggested 
> I do a "prelink -a" after doing "yum update", but before running 
> "rkhunter".  It worked.  So I always run "prelink -a" after doing "yum 
> update" and before doing "chkrootkit" and "rkhunter".
>
> The "-r" option requires an address.  What address should I provide?  
> Did you mean "-R" or "-r"?
>
> thanks,
> Bill.

Michael Schwendt said:

> Then I suggest that chkrootkit is not the right tool for you.
> You may ask why not? Because it's far from bullet-proof. Some of
> the checks it implements are no longer relevant these days. There
> are more modern rootkits that are not covered by chkrootkit. There is
> no database that would receive online updates to cover more known
> rootkits or vulnerabilities. It only tries to check for a few modifications
> it is aware of. Other checks are not safe but only very rudimentary.
> Even normal processes running on a normal installation can confuse
> it. For a very long time, it considered the main systemd executable as
> infected, and nobody did anything about that. Everywhere you could
> meet Fedora users asking whether Fedora's official ISO images would be
> infected. There's a README file included in the Fedora package, which
> comments on the problem of "false positives". It's the user's
> responsibility to verify what chkrootkit reports, because it's not
> safe to rely on it. Running chkrootkit gives a false sense of
> security. If it doesn't find anything (and rkhunter not either), you
> could still be affected by something it cannot find (even an only
> slightly modified rootkit) or by some other vulnerability it doesn't
> even check for.

> There are multiple layers of security. As a home user, better focus on
> tools that protect your machine from intruders. Such as a firewall,
> SELinux, security relevant updates, not running things as superuser
> root, and deciding carefully what to install or execute on your machine.

Thank-you for your comments, Michael.  I *partially* agree.

I already realized that "chkrootkit" is not bullet-proof.  I understand 
that *no* security tool or method is bullet-proof. Malicious people are 
always brewing new evil things, and security tools and methods are 
almost always stuck trying to catch up and keep up.  I suspected that 
"chkrootkit" did not on its own get updates from some on-line database, 
but I wasn't sure. I hoped that maybe it was getting such updates when I 
do "yum update".  You seem to be implying apparently not.  :)

This tool (along with "rkhunter" and SELinux) does not give me a false 
sense of security.  But they sure occasionally give me a serious scare.  
As for the possibility of false positives, that's why I come to this 
group (or for "rkhunter", its group) when I receive a warning or alert.  
It's obvious to me that the contributors to these groups include some 
real experts, and I trust the groups.

If "chkrootkit" is so bad and out of date, are we getting any value from 
it?  Is it completely redundant with SELinux and "rkhunter"? If it's not 
adding anything beyond what SELinux and "rkhunter" do, maybe it should 
be removed from Fedora?

A couple years ago, when I got my new home system, I asked this group 
what I should do to secure and scan my system.  The group recommended 
"chkrootkit" and "rkhunter".  So those are what I use. I have SELinux; I 
assume that by default, it's set/configured appropriately.  The one 
exception is changes that Ed Greshko coached me through to get printing 
working.  I'm hoping that the firewall is set appropriately by default.  
I do a "yum update" every week to stay current.  Is there something else 
that I should do?

Back to the original question: Is that "INFECTED (PORTS:  3133)" alert a 
false alarm or a real problem?

Joe Zeff said:

> Sorry; that should have been -R.  The idea is to randomize where the
> various libraries are located, making it harder for malware (if any) to
> hook into them.

Thank-you, Joe.  Depending on responses to my previous paragraphs 
(responding to Michael), I'll try that tomorrow when I do my weekly 
patches and scans.

Bill.
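Bill's open question, whether "INFECTED (PORTS:  3133)" is a false alarm, comes down to looking at what netstat actually shows for that port: the bindshell check is a grep of netstat output for a port number, and a bare port-number match does not say whether the port is a local listener, the local end of an ordinary client connection, or the remote end of one. The script below is an added example written for this thread; it is not chkrootkit code and not something any poster ran. It assumes `netstat -tanp` style columns (the same information `ss -tanp` gives), and the sample listing, its PIDs, program names and addresses are all constructed for illustration. The port set is just the one from the thread, not chkrootkit's full list.

```python
"""Triage a chkrootkit-style "INFECTED (PORTS: N)" hit from netstat output.

Added example, not chkrootkit's own code.  Feed it the output of
`netstat -tanp` (run as root so the PID/Program column is filled in) and
it separates three very different things that a plain port grep lumps
together:
  listener    - a socket bound to the suspect port (look at the owner)
  local-port  - an outbound connection that happened to use the port locally
  remote-port - a connection whose *remote* end is the suspect port
Lines that are not tcp/udp rows (headers, netstat's own
"warning, got bogus l2cap line." noise) are skipped.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Only the port from the thread; chkrootkit's real bindshell list is longer (assumption).
SUSPECT_PORTS = frozenset({3133})

# Constructed sample: PIDs, program names and addresses are invented.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:3133            0.0.0.0:*               LISTEN      4021/nc
tcp        0      0 192.168.1.10:3133       203.0.113.5:443         ESTABLISHED 2233/firefox
tcp        0      0 192.168.1.10:55010      198.51.100.7:3133       ESTABLISHED 2233/firefox
tcp6       0      0 :::631                  :::*                    LISTEN      -
warning, got bogus l2cap line.
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "listener", "local-port" or "remote-port"
    proto: str
    local: str
    foreign: str
    state: str
    program: str    # "PID/name" as netstat prints it, or "-" when not visible


def _port_of(addr: str) -> Optional[int]:
    """Numeric port of 'host:port' (also handles IPv6 ':::631'); None for '*'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> Iterable[Tuple[str, str, str, str, str]]:
    """Yield (proto, local, foreign, state, program) for each tcp/udp row."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines and the l2cap warning end up here
        proto, local, foreign = fields[0], fields[3], fields[4]
        rest = fields[5:]
        # UDP rows have no State column, so the program column shifts left.
        if rest and (rest[0] == "-" or "/" in rest[0]):
            state, program = "", rest[0]
        else:
            state = rest[0] if rest else ""
            program = rest[1] if len(rest) > 1 else "-"
        yield proto, local, foreign, state, program


def triage(text: str, ports=SUSPECT_PORTS) -> List[Finding]:
    """Classify every row that mentions a suspect port on either end."""
    findings = []
    for proto, local, foreign, state, program in parse_netstat(text):
        lport, fport = _port_of(local), _port_of(foreign)
        if lport in ports:
            # A bound UDP socket has no state but is effectively a listener.
            kind = "listener" if state == "LISTEN" or proto.startswith("udp") else "local-port"
            findings.append(Finding(kind, proto, local, foreign, state, program))
        elif fport in ports:
            findings.append(Finding("remote-port", proto, local, foreign, state, program))
    return findings


def verdict(findings: List[Finding]) -> str:
    """One-line conclusion a home admin can act on."""
    listeners = [f for f in findings if f.kind == "listener"]
    if not listeners:
        return "no listener on a suspect port; the match came from a client-side or ephemeral port"
    if any(f.program == "-" for f in listeners):
        return "listener on a suspect port with no visible owner; rerun netstat -tanp (or ss -tlnp) as root"
    owners = ", ".join(sorted({f.program for f in listeners}))
    return "listener on a suspect port owned by " + owners + "; verify that program"


if __name__ == "__main__":
    found = triage(SAMPLE_NETSTAT)
    for f in found:
        print(f"{f.kind:<12} {f.proto:<5} {f.local:<22} {f.foreign:<22} {f.state:<12} {f.program}")
    print(verdict(found))
```

On a live system the input is `netstat -tanp` (or `ss -tanp`) run as root; an owner column of "-" when run as an ordinary user is expected and is not itself evidence of anything. A listener whose owner is a program you did not start, or one you cannot account for, is the case worth escalating; a match on the remote end of a browser connection is not.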
