
Re: systemd rootkit signature?



Psst! Listmaster! This was a false positive. M. Ullrich has actually hit a genuine, and widely reported, bug in checkrootkit. Ironically, that's a false positive too.

Hans Ullrich:
> Searching for Suckitrootkit...                     Warning:
> /sbin/init INFECTED
>
> The file "/sbin/init" is a symlink to "/lib/systemd/systemd", that
> means that systemd is infected.

No it does not. It means that checkrootkit's test for the Suckit rootkit is extremely simplistic to the point of being downright incorrect. If you look, you'll find that it's looking for the string "HOME" in the binary, and that's it. systemd sets various environment variables when it starts services, and HOME is one of them. (See the list on the systemd.exec(5) manual page.) So it quite legitimately has the string "HOME" in the program file image found at "/sbin/init" and matches the erroneous test. If you have any contact with the developers of checkrootkit, you might want to make them aware that this bug has hit two init programs (systemd and upstart both have the string "HOME" in their program images, because they both do this) and has spawned quite a lot of bug reports over at least four years with no apparent fix to checkrootkit. Here are some:

* https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/676376
* https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566
* https://bugzilla.novell.com/show_bug.cgi?id=731281
* https://bugzilla.redhat.com/show_bug.cgi?id=636231
* https://bugzilla.redhat.com/show_bug.cgi?id=743696
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898
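The following is an added example, not code from the thread or from chkrootkit itself. It reproduces the Suckit check as the reply characterises it (a bare substring search for "HOME" in the program image), runs it over two constructed byte strings standing in for binaries, and shows how a defender can triage such a hit: resolve the /sbin/init symlink, look at the bytes around each "HOME" occurrence, and note whether the scanned file is one of the init implementations the thread says legitimately carry that string. The helper names, the constructed sample images and the "expected-match"/"needs-review" classification are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example (not chkrootkit's code): reproduce the simplistic Suckit
test described in the thread and show why a legitimate init binary trips it.

Assumptions (hypothetical, not from the thread): the function names below,
the constructed sample "binaries", and the triage labels.
"""
import os
import re

# The only thing the simplistic test looks for, per the thread.
SUCKIT_MARKER = b"HOME"

# Init implementations the thread says legitimately contain "HOME" because
# they set it in the environment of the services they start (systemd.exec(5)).
INITS_KNOWN_TO_EXPORT_HOME = ("systemd", "upstart")

# Constructed sample images (labelled constructed; not real ELF files).
# The first mimics an init that embeds environment-variable names; the
# second mimics a program that has no "HOME" string at all.
FAKE_SYSTEMD = (b"\x7fELF" + b"\x00" * 8
                + b"PATH=/usr/local/sbin:/usr/local/bin\x00"
                + b"HOME\x00USER\x00LOGNAME\x00SHELL\x00" + b"\x00" * 8)
FAKE_NO_HOME = b"\x7fELF" + b"\x00" * 8 + b"sh\x00ls\x00cat\x00" + b"\x00" * 8


def naive_suckit_test(image: bytes) -> bool:
    """The test as the thread describes it: 'INFECTED' if the program image
    contains the four bytes HOME anywhere, regardless of context."""
    return SUCKIT_MARKER in image


def marker_contexts(image: bytes, width: int = 8) -> list:
    """Return the bytes surrounding each HOME hit so an analyst can see
    whether it sits among other environment-variable names."""
    return [image[max(0, m.start() - width): m.end() + width]
            for m in re.finditer(re.escape(SUCKIT_MARKER), image)]


def resolve_init(path: str = "/sbin/init") -> str:
    """Follow symlinks so the reader sees which file was actually scanned
    (on the poster's system, /sbin/init -> /lib/systemd/systemd)."""
    return os.path.realpath(path)


def triage(image: bytes, resolved_target: str) -> str:
    """Defender-side interpretation of a naive match.

    "clean"          - no HOME string at all
    "expected-match" - HOME present, and the scanned file is one of the
                       init programs the thread says export HOME
    "needs-review"   - HOME present in a file this script cannot explain

    The basename check only explains the hit; it is not an integrity check.
    Pair it with package verification (dpkg --verify / rpm -V) before
    concluding anything about the file.
    """
    if not naive_suckit_test(image):
        return "clean"
    if os.path.basename(resolved_target) in INITS_KNOWN_TO_EXPORT_HOME:
        return "expected-match"
    return "needs-review"


if __name__ == "__main__":
    for name, image in (("constructed systemd-like image", FAKE_SYSTEMD),
                        ("constructed image without HOME", FAKE_NO_HOME)):
        verdict = "INFECTED" if naive_suckit_test(image) else "not infected"
        print(f"{name}: naive test says {verdict}; "
              f"contexts={marker_contexts(image)}")

    target = resolve_init()
    print("/sbin/init resolves to", target)
    try:
        with open(target, "rb") as fh:
            real = fh.read()
    except OSError as exc:
        print("could not read", target, "-", exc)
    else:
        print("naive test on the real init:", naive_suckit_test(real),
              "| triage:", triage(real, target))
```

Run it on a systemd or upstart host and the naive test reports the real init as "INFECTED" for exactly the reason the reply gives; the context dump makes the cause visible (HOME sitting next to PATH, USER, LOGNAME and the like). The triage label is only an aid for explaining the hit, which is why the comment points at package verification as the step that actually establishes whether the file is the one the distribution shipped.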