F21: infection reported by "chkrootkit".
Michael Schwendt
mschwendt at gmail.com
Thu Jul 30 00:04:20 UTC 2015
On Wed, 29 Jul 2015 14:49:54 -0400, William wrote:
> I already realized that "chkrootkit" is not bullet-proof. I understand
> that *no* security tool or method is bullet-proof. Malicious people are
> always brewing new evil things, and security tools and methods are
> almost always stuck trying to catch up and keep up. I suspected that
> "chkrootkit" did not on its own get updates from some on-line database,
> but I wasn't sure. I hoped that maybe it was getting such updates when I
> do "yum update". You seem to be implying apparently not. :)
False sense of security.
Check out "rpm -q --changelog chkrootkit|less". That's Fedora's
package changelog.
v0.48 - 2007
v0.49 - 2010, three years later
v0.50 - 2014, four years later (the project page had been gone for
a long time even)
And what did change in the software? Does it check for many new
rootkits? Which rootkits are popular? Which pieces of code hackers
leave on a machine after a breakin could be found by chkrootkit?
When was the last time chkrootkit found a rootkit on your installation(s)?
Then notice some of the details in the Fedora package's changelog. Fixes
for ancient undiscovered bugs. Oh wait, and CVE-2014-0476? That one
is classified as a "serious vulnerability" in chkrootkit itself.
> This tool (along with "rkhunter" and SELinux) do not give me a false
> sense of security. But they sure occasionally give me a serious scare.
That makes it even worse. I don't know why you find it worthwhile to
run such tools. Have you had any experience with intrusion attempts
and especially rootkits/backdoors? Or is it like running a random virus
checker that never finds a virus, or running a cheap anti-virus which
doesn't protect against the latest and greatest threats?
It causes too much distraction. And having to deal with false positives
is a strange hobby. ;-)
> If "chkrootkit" is so bad and out of date, are we getting any value from
> it?
Well, decide for yourself.
> Is it completely redundant with SELinux and "rkhunter"?
Do you run AIDE (package "aide") just because it can add another layer
of protection? I don't think so. But that's a great tool with a special
target group, albeit with special maintenance requirements, too.
> If it's not
> adding anything beyond what SELinux and "rkhunter" do, maybe it should
> be removed from Fedora?
Some packages are kept alive, because there is a volunteer to become
the "owner" of the Fedora package as soon as the previous owner wants to
drop the package. I don't know whether the current owner is convinced of
the usefulness or quality of the software.
> Back to the original question: Is that "INFECTED (PORTS: 3133)" alert a
> false alarm or a real problem?
Suggestions:
* Subscribe to the bugzilla ticket I've mentioned.
* Run chkrootkit in "expert" mode.
* Look up the *tiny* shell function that checks port 3133 and
try to understand which "netstat" command chkrootkit runs
to examine port 3133.
* Draw conclusions.
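To make the last three suggestions concrete, here is an added example that is not part of the original post and not chkrootkit's own code. It reimplements the general shape of a "something is listening on a suspicious port, therefore INFECTED" check the way a tiny shell function wrapped around `netstat -an` would do it, runs it over a constructed netstat listing, and then shows the real follow-up commands (`ss`/`netstat -p`) that tell you which process actually owns the port. The function names, the port list and the sample output are assumptions for illustration; only the `ss`, `netstat` and `grep` invocations are real tools.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): a minimal "bindshell"-style port check.
# The only evidence it uses is "a TCP socket is in LISTEN state on port N",
# which is exactly why any legitimate local service on that port trips it.

# Constructed sample of `netstat -an` output; not a real capture.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3133          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:48211        198.51.100.5:443        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Hypothetical "suspicious" port list, in the spirit of such checkers.
SUSPICIOUS_PORTS="3133 31337 65535"

# port_listening PORT [NETSTAT_OUTPUT]
# Returns 0 if a TCP socket is LISTENing on PORT. Uses the given text, or
# runs `netstat -an` live when no second argument is supplied.
port_listening() {
    port=$1
    out=${2:-$(netstat -an 2>/dev/null)}
    printf '%s\n' "$out" | grep -E '^tcp' | grep -E 'LISTEN' \
        | grep -Eq "[.:]${port}[[:space:]]"
}

# scan_ports [NETSTAT_OUTPUT]
# Prints the alert text from the thread for each hit; returns 1 on any hit.
scan_ports() {
    hits=""
    for p in $SUSPICIOUS_PORTS; do
        if port_listening "$p" "$1"; then
            hits="${hits:+$hits }$p"
        fi
    done
    if [ -n "$hits" ]; then
        echo "INFECTED (PORTS: $hits)"
        return 1
    fi
    echo "not infected"
    return 0
}

# who_owns_port PORT
# The step the checker skips: identify the listening process. Seeing other
# users' processes with -p needs root. Falls back to netstat if ss is absent.
who_owns_port() {
    ss -lntp "sport = :$1" 2>/dev/null \
        || netstat -tlnp 2>/dev/null | grep ":$1 "
}

# Stand-alone demo: `sh check_ports.sh --demo` (file name is hypothetical).
if [ "${1:-}" = "--demo" ]; then
    scan_ports "$SAMPLE_NETSTAT"
fi
```

Run against the constructed sample the scan prints `INFECTED (PORTS: 3133)` purely because 127.0.0.1:3133 is in LISTEN state; `who_owns_port 3133` on the real machine is what turns that label into a fact about a process you can then inspect (`ls -l /proc/PID/exe`, `rpm -qf` on the binary) or a package you recognise.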