Re: systemd rootkit signature?
Psst! Listmaster! This was a false positive. M. Ullrich has actually
hit a genuine, and widely reported, bug in checkrootkit. Ironically,
that's a false positive too.
Hans Ullrich:
> Searching for Suckitrootkit... Warning:
> /sbin/init INFECTED
>
> The file "/sbin/init" is a symlink to "/lib/systemd/systemd", that
> means, that systemd is infected.
No it does not. It means that checkrootkit's test for the Suckit
rootkit is extremely simplistic to the point of being downright
incorrect. If you look, you'll find that it's looking for the string
"HOME" in the binary, and that's it. systemd sets various environment
variables when it starts services, and HOME is one of them. (See the
list on the systemd.exec(5) manual page.) So it quite legitimately has
the string "HOME" in the program file image found at "/sbin/init" and
matches the erroneous test. If you have any contact with the developers
of checkrootkit, you might want to make them aware that this bug has hit
two init programs (systemd and upstart both have the string "HOME" in
their program images, because they both do this) and has spawned quite
a lot of bug reports over at least four years with no apparent fix to
checkrootkit. Here are some:
* https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/676376
* https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/454566
* https://bugzilla.novell.com/show_bug.cgi?id=731281
* https://bugzilla.redhat.com/show_bug.cgi?id=636231
* https://bugzilla.redhat.com/show_bug.cgi?id=743696
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898
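The string test described in the message above, reproduced as an added example that is not part of the original post and is not chkrootkit's own code. The function names and the sample files are hypothetical and constructed for illustration; the digest comparison is an assumed triage step, not something the tool does.

```shell
#!/bin/sh
# Added illustration; function names and sample files are hypothetical.

# The test as the post describes it: flag the file if it contains "HOME".
naive_check() {
    if LC_ALL=C grep -q 'HOME' "$1"; then
        echo "INFECTED"
    else
        echo "not infected"
    fi
}

# Triage step (an assumption, not chkrootkit behaviour): compare the file
# against a known-good SHA-256 digest recorded from a trusted source.
baseline_check() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        echo "matches baseline"
    else
        echo "MODIFIED"
    fi
}

# Constructed stand-ins for init program images (not real executables).
make_samples() {
    # A service manager that sets environment variables for its services.
    printf '\177ELF\001init\001PATH=%%s\001HOME=%%s\001USER=%%s\001' > "$1/init_with_env"
    # An init image that happens not to contain the string.
    printf '\177ELF\001init\001PATH=%%s\001' > "$1/init_plain"
}

demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    env_sum=$(sha256sum "$dir/init_with_env" | cut -d' ' -f1)
    plain_sum=$(sha256sum "$dir/init_plain" | cut -d' ' -f1)
    # Unmodified file that legitimately contains "HOME": flagged anyway.
    echo "with_env: $(naive_check "$dir/init_with_env"), $(baseline_check "$dir/init_with_env" "$env_sum")"
    # File changed after its baseline was taken: the string test is silent.
    printf 'x' >> "$dir/init_plain"
    echo "plain:    $(naive_check "$dir/init_plain"), $(baseline_check "$dir/init_plain" "$plain_sum")"
    rm -rf "$dir"
}
demo
```

On a real host the known-good digest would come from the package manager's records (for example `dpkg --verify` or `rpm -V`) rather than from the file being checked.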