Bug 6699

Summary: Alarming Msec output: Suckit rootkit... Warning: /sbin/init INFECTED
Product: Mageia
Reporter: Juergen Harms <juergen.harms>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, ennael1, javier_diaz, stormi-mageia
Version: 3
Keywords: Junior_job, PATCH, Triaged
Target Milestone: ---
Hardware: All
OS: Linux
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=636231
Whiteboard:
Source RPM: chkrootkit-0.49-5.mga1.src.rpm
CVE:
Status comment:
Bug Depends on: 13481
Bug Blocks:
Attachments:
Patch to remove check for the string HOME in /sbin/init.
Patch to remove check for string HOME in /sbin/init

Description Juergen Harms 2012-07-05 09:17:06 CEST
Description of problem:

The output of msec weekly on my Mageia 2 system (fully updated) signals
    Chkrootkit check: failed
and, amongst other messages - farther down
    Searching for Suckit rootkit... Warning: /sbin/init INFECTED

That sounds quite alarming - but, in Redhat, it is considered a "false positive": a corresponding bug has existed in Redhat since December 2010, https://bugzilla.redhat.com/show_bug.cgi?id=636231 - not resolved, but the ticket has been quite active.

If this bug cannot be fixed with a reasonable effort, Mageia should at least disable the corresponding test in chkrootkit in order to keep the output of msec meaningful.

Version-Release number of selected component (if applicable):
chkrootkit-0.49-5.mga1.src.rpm

How reproducible:
100 %


Steps to Reproduce:
1. Run msec weekly (unless a weekly report exists already)
2. In the output, search for SUCKIT

Manuel Hiebel 2012-07-09 19:23:51 CEST

See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=636231
Source RPM: chkrootkit-0.49-5.mga1.src.rpm => chkrootkit-0.49-5.mga1.src.rpm,systemd

Javier Díaz 2012-08-08 09:17:05 CEST

CC: (none) => javier_diaz

Samuel Verschelde 2013-08-29 15:14:07 CEST

Keywords: (none) => Triaged
CC: (none) => ennael1, stormi
Source RPM: chkrootkit-0.49-5.mga1.src.rpm,systemd => chkrootkit-0.49-5.mga1.src.rpm

David Walser 2013-08-30 23:35:53 CEST

QA Contact: (none) => security

Comment 1 Dave Hodgins 2013-09-11 22:32:17 CEST
Created attachment 4348
Patch to remove check for the string HOME in /sbin/init.

CC: (none) => davidwhodgins

Dave Hodgins 2013-09-11 22:32:47 CEST

Keywords: (none) => Junior_job, PATCH

Comment 2 Dave Hodgins 2013-09-11 22:44:38 CEST
Created attachment 4349
Patch to remove check for string HOME in /sbin/init

Fixing a typo in the comment

Attachment 4348 is obsolete: 0 => 1
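The behaviour the report and the patch describe, reproduced as an added example on constructed sample files (this is not chkrootkit's, Mageia's or the patch's own code). It assumes the Suckit heuristic amounts to a substring search for HOME over the printable strings of /sbin/init, and that a systemd init carries an environment string such as HOME=/ that trips it; both sample "init" files are constructed byte strings, not real binaries. The second function shows the check a defender should rely on instead of the heuristic: comparing the binary against a trusted baseline hash, which is what package verification (rpm -V) does with the package metadata.

```shell
#!/bin/sh
# Added example, not chkrootkit's or Mageia's own code.
# Assumption: the Suckit heuristic is "do the printable strings of
# /sbin/init contain HOME". The sample files below are constructed.

# suckit_home_check FILE: emulate the heuristic. Prints the verdict in
# chkrootkit's style; returns 1 if the file would be flagged, 0 otherwise.
suckit_home_check() {
    # tr splits the file into printable runs, roughly like strings(1)
    if tr -c '[:print:]' '\n' < "$1" | grep -q 'HOME'; then
        printf 'Searching for Suckit rootkit... Warning: %s INFECTED\n' "$1"
        return 1
    fi
    printf 'Searching for Suckit rootkit... nothing found (%s)\n' "$1"
    return 0
}

# baseline_matches FILE EXPECTED_SHA256: the check to prefer over a string
# heuristic -- compare the installed binary with a trusted hash (package
# metadata, or a hash recorded at install time). Returns 0 on match.
baseline_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed samples in a scratch directory, removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# sysvinit-like: no HOME anywhere in its strings
printf 'init: /etc/inittab\0respawn\0' > "$demo_dir/init-sysv"
# systemd-like: PID 1 exports an environment for the services it starts
printf '\177ELF\0systemd\0HOME=/\0PATH=/usr/bin\0' > "$demo_dir/init-systemd"

suckit_home_check "$demo_dir/init-sysv"              # not flagged
suckit_home_check "$demo_dir/init-systemd" || true   # flagged: the false positive

# Record the hash of the known-good (package-installed) init and verify it.
# A real infection changes the file, so the hash no longer matches; the
# systemd init is unchanged, so it does.
known_good=$(sha256sum "$demo_dir/init-systemd" | cut -d' ' -f1)
if baseline_matches "$demo_dir/init-systemd" "$known_good"; then
    echo "init-systemd matches its baseline: heuristic hit is a false positive"
fi
```

Run it with `sh` on any POSIX system with coreutils or busybox; the systemd-like sample is reported INFECTED by the heuristic while matching its baseline, which is exactly the situation the report describes and the reason the patch drops the check rather than trying to refine it.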

Comment 3 David Walser 2013-09-12 00:39:32 CEST
Fixed in Cauldron in chkrootkit-0.49-7.mga4.

Technically it wouldn't be appropriate to backport this to Mageia 2, since sysvinit is still supported there.  It could be backported to Mageia 3.

Version: 2 => 3

Comment 4 Dave Hodgins 2013-11-21 04:59:00 CET
Ping. Can someone fix this for Mageia 3?
David Walser 2014-06-04 16:03:06 CEST

Depends on: (none) => 13481

Comment 5 David Walser 2014-06-04 22:58:15 CEST
Fixed by the update in Bug 13481:
http://advisories.mageia.org/MGASA-2014-0249.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED