F21: infection reported by "chkrootkit".

Michael Schwendt mschwendt at gmail.com
Thu Jul 30 00:04:20 UTC 2015


On Wed, 29 Jul 2015 14:49:54 -0400, William wrote:

> I already realized that "chkrootkit" is not bullet-proof.  I understand 
> that *no* security tool or method is bullet-proof. Malicious people are 
> always brewing new evil things, and security tools and methods are 
> almost always stuck trying to catch up and keep up.  I suspected that 
> "chkrootkit" did not on its own get updates from some on-line database, 
> but I wasn't sure. I hoped that maybe it was getting such updates when I 
> do "yum update".  You seem to be implying apparently not.  :)

False sense of security.

Check out "rpm -q --changelog chkrootkit|less". That's Fedora's
package changelog.

v0.48 - 2007
v0.49 - 2010, three years later
v0.50 - 2014, four years later (the project page had been gone for
                                a long time even)

And what did change in the software? Does it check for many new
rootkits? Which rootkits are popular? Which pieces of code hackers
leave on a machine after a breakin could be found by chkrootkit?
When was the last time chkrootkit found a rootkit on your installation(s)?

Then notice some of the details in the Fedora package's changelog. Fixes
for ancient undiscovered bugs. Oh wait, and CVE-2014-0476? That one
is classified as a "serious vulnerability" in chkrootkit itself.

> This tool (along with "rkhunter" and SELinux) do not give me a false 
> sense of security.  But they sure occasionally give me a serious scare.  

That makes it even worse. I don't know why you find it worthwhile to
run such tools. Have you had any experience with intrusion attempts
and especially rootkits/backdoors? Or is it like running a random virus
checker that never finds a virus, or running a cheap anti-virus which
doesn't protect against the latest and greatest threats?
It causes too much distraction. And having to deal with false positives
is a strange hobby. ;-)

> If "chkrootkit" is so bad and out of date, are we getting any value from 
> it?

Well, decide for yourself.

> Is it completely redundant with SELinux and "rkhunter"?

Do you run AIDE (package "aide") just because it can add another layer
of protection? I don't think so. But that's a great tool with a special
target group, albeit special maintenance requirements, too.

> If it's not 
> adding anything beyond what SELinux and "rkhunter" do, maybe it should 
> be removed from Fedora?

Some packages are kept alive because there is a volunteer to become
the "owner" of the Fedora package as soon as the previous owner wants to
drop the package. I don't know whether the current owner is convinced of
the usefulness or quality of the software.

> Back to the original question: Is that "INFECTED (PORTS:  3133)" alert a 
> false alarm or a real problem?

Suggestions:
 * Subscribe to the bugzilla ticket I've mentioned.
 * Run chkrootkit in "expert" mode.
 * Look up the *tiny* shell function that checks port 3133 and
   try to understand which "netstat" command chkrootkit runs
   to examine port 3133.
 * Draw conclusions.
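The triage the list above asks for, as an added example that is not part of this thread and not chkrootkit's own code: it contrasts a naive "grep the netstat output for the port number" check with a stricter one that only fires when the local address column of a LISTEN socket ends in ":3133", and runs both over constructed netstat-style samples. Assumptions: net-tools `netstat -an` column layout (Local Address in column 4, State in column 6); the sample lines, the IP addresses and the function names (`naive_port_check`, `strict_port_check`, `verdict`) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: show why a port-number substring
# match over netstat output produces false positives, and how a stricter
# parse separates "something really listens on 3133" from coincidence.

# Constructed netstat-style samples (not captured from any real host).
# Column 4 is Local Address, column 6 is State, as in net-tools netstat -an.
SAMPLE_LISTENER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::3133                 :::*                    LISTEN'

# "3133" appears only inside an ephemeral local port (43133) and as a
# remote peer port; nothing on this host listens on 3133.
SAMPLE_COINCIDENCE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:43133          203.0.113.7:443         ESTABLISHED
tcp        0      0 10.0.0.5:52110          10.0.0.9:3133           ESTABLISHED'

SAMPLE_CLEAN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Naive check: any line containing the digits trips the alarm.
# Usage: naive_port_check PORT "NETSTAT_OUTPUT"; exit 0 = match.
naive_port_check() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# Strict check: the socket must be in LISTEN state and its local address
# must end in ":PORT" (so 43133 and a remote :3133 no longer match).
# Usage: strict_port_check PORT "NETSTAT_OUTPUT"; exit 0 = real listener.
strict_port_check() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Classify a port against netstat output; prints exactly one keyword.
#   LISTENER        a socket really listens on the port: find the owning
#                   process (e.g. with ss -tlnp or lsof) before worrying.
#   FALSE-POSITIVE  the number occurs only as a substring or remote port.
#   CLEAN           the number does not occur at all.
verdict() {
    if strict_port_check "$1" "$2"; then
        echo "LISTENER"
    elif naive_port_check "$1" "$2"; then
        echo "FALSE-POSITIVE"
    else
        echo "CLEAN"
    fi
}

# Demo over the constructed samples. Against a live host the equivalent
# call would be:  verdict 3133 "$(netstat -tan)"
printf 'listener sample    -> %s\n' "$(verdict 3133 "$SAMPLE_LISTENER")"
printf 'coincidence sample -> %s\n' "$(verdict 3133 "$SAMPLE_COINCIDENCE")"
printf 'clean sample       -> %s\n' "$(verdict 3133 "$SAMPLE_CLEAN")"
```

The point of the strict variant is not that it is perfect (a listener bound by a legitimate daemon is still reported, and a kernel-level hook hiding the socket from netstat is invisible to both checks) but that it makes the false-positive class the thread is discussing explicit: if only the naive check fires, the alarm is explained by the output itself, and if the strict one fires, the next step is identifying which process owns the socket rather than trusting a fixed port-to-rootkit table.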

