Bug 14982 - Is cauldron infected by the SucKIT rootkit?
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
 
Reported: 2015-01-07 22:53 CET by Bjarne Thomsen
Modified: 2015-01-08 02:05 CET
Source RPM: chkrootkit-0.50-5.mga5.src.rpm

Description Bjarne Thomsen 2015-01-07 22:53:21 CET
Description of problem:
I ran a freshly installed chkrootkit on 2 machines running mga5 (latest cauldron).
In both cases chkrootkit warns me that /sbin/init is infected by
the Suckit rootkit:
http://la-samhna.de/library/rootkits/list.html

Bit Twister 2015-01-08 00:35:27 CET

CC: (none) => junknospam

Comment 1 Frank Griffin 2015-01-08 00:39:18 CET
I confirm, but I don't know whether it's a false positive or not.

CC: (none) => ftg

Comment 2 David Walser 2015-01-08 02:05:59 CET
It is a false positive, caused by it finding a particular string that's in the systemd binary.

It was supposed to have been fixed upstream in 0.50, but I guess the fix didn't work.  I've added back our old patch to remove the false positive.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Source RPM: Unknown (to me) => chkrootkit-0.50-5.mga5.src.rpm

