Debian Bug report logs - #576680
rkhunter: Fix false positive Xzibit rootkit detection


Package: rkhunter; Maintainer for rkhunter is Debian Security Tools <team+pkg-security@tracker.debian.org>; Source for rkhunter is src:rkhunter (PTS, buildd, popcon).

Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Tue, 6 Apr 2010 13:42:01 UTC

Severity: normal

Tags: patch

Found in versions rkhunter/1.3.6-3, rkhunter/1.3.6-4

Done: Julien Valroff <julien@kirya.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#576680; Package rkhunter. (Tue, 06 Apr 2010 13:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Julien Valroff <julien@kirya.net>. (Tue, 06 Apr 2010 13:42:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rkhunter: Fix false positive Xzibit rootkit detection
Date: Tue, 06 Apr 2010 08:54:56 -0400
Package: rkhunter
Version: 1.3.6-3
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch



*** /tmp/tmpxR3xQ8
In Ubuntu, we've applied the attached patch to achieve the following:

  * debian/patches/20_fix_strings_check.diff: fix hdparm false alert which
    leads to the Xzibit rootkit incorrectly being detected. The patch
    now ignores comment lines when performing string checks. (LP: #556455)

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-19-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpnPuRZW (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#576680; Package rkhunter. (Tue, 06 Apr 2010 16:06:06 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Tue, 06 Apr 2010 16:06:06 GMT) (full text, mbox, link).


Message #10 received at 576680@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: Marc Deslauriers <marc.deslauriers@ubuntu.com>, 576680@bugs.debian.org
Subject: Re: Bug#576680: rkhunter: Fix false positive Xzibit rootkit detection
Date: Tue, 06 Apr 2010 17:54:39 +0200
Hi Marc,

On Tuesday 06 April 2010 at 08:54 -0400, Marc Deslauriers wrote:
> Package: rkhunter
> Version: 1.3.6-3
> Severity: normal
> Tags: patch
> User: ubuntu-devel@lists.ubuntu.com
> Usertags: origin-ubuntu lucid ubuntu-patch
> 
> 
> 
> *** /tmp/tmpxR3xQ8
> In Ubuntu, we've applied the attached patch to achieve the following:
> 
>   * debian/patches/20_fix_strings_check.diff: fix hdparm false alert which
>     leads to the Xzibit rootkit incorrectly being detected. The patch
>     now ignores comment lines when performing string checks. (LP: #556455)
> 
> We thought you might be interested in doing the same. 

Great, thanks a lot for taking the time to forward this patch.

I know I should watch Ubuntu more closely...

Cheers,
Julien





Reply sent to Julien Valroff <julien@kirya.net>:
You have taken responsibility. (Tue, 06 Apr 2010 17:27:07 GMT) (full text, mbox, link).


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Tue, 06 Apr 2010 17:27:07 GMT) (full text, mbox, link).


Message #15 received at 576680-close@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: 576680-close@bugs.debian.org
Subject: Bug#576680: fixed in rkhunter 1.3.6-4
Date: Tue, 06 Apr 2010 17:21:29 +0000
Source: rkhunter
Source-Version: 1.3.6-4

We believe that the bug you reported is fixed in the latest version of
rkhunter, which is due to be installed in the Debian FTP archive:

rkhunter_1.3.6-4.debian.tar.gz
  to main/r/rkhunter/rkhunter_1.3.6-4.debian.tar.gz
rkhunter_1.3.6-4.dsc
  to main/r/rkhunter/rkhunter_1.3.6-4.dsc
rkhunter_1.3.6-4_all.deb
  to main/r/rkhunter/rkhunter_1.3.6-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 576680@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Valroff <julien@kirya.net> (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 06 Apr 2010 18:07:53 +0200
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.3.6-4
Distribution: unstable
Urgency: low
Maintainer: Julien Valroff <julien@kirya.net>
Changed-By: Julien Valroff <julien@kirya.net>
Description: 
 rkhunter   - rootkit, backdoor, sniffer and exploit scanner
Closes: 576680
Changes: 
 rkhunter (1.3.6-4) unstable; urgency=low
 .
   * Bump Debian policy version to 3.8.4
   * Remove Micah from Uploaders
   * Switch GIT repository: updated VCS field accordingly
   * Apply patch kindly sent by Marc Deslauriers to fix
     some of the false positives in the Xzibit rootkit
     detection (Closes: #576680)
   * Update note in README.Debian to only state remaining files






Information forwarded to debian-bugs-dist@lists.debian.org, rx82cixl+debian@gmail.com, Julien Valroff <julien@kirya.net>:
Bug#576680; Package rkhunter. (Fri, 30 Apr 2010 21:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to noname <rx82cixl+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to rx82cixl+debian@gmail.com, Julien Valroff <julien@kirya.net>. (Fri, 30 Apr 2010 21:36:04 GMT) (full text, mbox, link).


Message #20 received at 576680@bugs.debian.org (full text, mbox, reply):

From: noname <rx82cixl+debian@gmail.com>
To: Debian Bug Tracking System <576680@bugs.debian.org>
Subject: rkhunter: Bug still exists
Date: Fri, 30 Apr 2010 23:27:03 +0200
Package: rkhunter
Version: 1.3.6-4
Severity: normal

I installed rkhunter, did 'rkhunter --check' and got two warnings. Here are the relevant entries from the log.

[23:05:11] Warning: Checking for possible rootkit strings    [ Warning ]
[23:05:11]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[23:05:11]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[23:05:29]   Checking for hidden files and directories       [ Warning ]
[23:05:29] Warning: Hidden directory found: /etc/.java
[23:05:29] Warning: Hidden directory found: /dev/.udev
[23:05:29] Warning: Hidden directory found: /dev/.initramfs

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils                      2.20.1-8   The GNU assembler, linker and bina
ii  debconf [debconf-2.0]         1.5.32     Debian configuration management sy
ii  exim4                         4.71-4     metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mail-tran 4.71-4     lightweight Exim MTA (v4) daemon
ii  file                          5.04-2     Determines file type using "magic"
ii  net-tools                     1.60-23    The NET-3 networking toolkit
ii  perl                          5.10.1-12  Larry Wall's Practical Extraction 

Versions of packages rkhunter recommends:
ii  curl                       7.20.1-2      Get a file from an HTTP, HTTPS or 
ii  iproute                    20100224-5    networking and traffic control too
ii  lsof                       4.81.dfsg.1-1 List open files
ii  perl [libdigest-sha-perl]  5.10.1-12     Larry Wall's Practical Extraction 
ii  unhide                     20100201-1    Forensic tool to find hidden proce
ii  wget                       1.12-2        retrieves files from the web

Versions of packages rkhunter suggests:
ii  bsd-mailx          8.1.2-0.20100314cvs-1 simple mail user agent
pn  tripwire           <none>                (no description available)

-- debconf information:
  rkhunter/apt_autogen: false
  rkhunter/cron_db_update:
  rkhunter/cron_daily_run:




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#576680; Package rkhunter. (Sat, 01 May 2010 06:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Sat, 01 May 2010 06:27:03 GMT) (full text, mbox, link).


Message #25 received at 576680@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: noname <rx82cixl+debian@gmail.com>, 576680@bugs.debian.org
Subject: Re: Bug#576680: rkhunter: Bug still exists
Date: Sat, 01 May 2010 08:24:48 +0200
On Friday 30 April 2010 at 23:27 +0200, noname wrote:
> Package: rkhunter
> Version: 1.3.6-4
> Severity: normal
> 
> I installed rkhunter, did 'rkhunter --check' and got two warnings.
> Here are the relevant entries from the log.
> 
> [23:05:11] Warning: Checking for possible rootkit strings    [ Warning ]
> [23:05:11]          Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
> [23:05:11]          Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit

Please read README.Debian:
    * hdparm: the string "hdparm" found in the initscripts leads rkhunter to warn
      about a possible Xzibit rootkit. Use the RTKT_FILE_WHITELIST option to whitelist
      initscripts containing this string (e.g. /etc/init.d/hdparm)

> [23:05:29]   Checking for hidden files and directories       [ Warning ]
> [23:05:29] Warning: Hidden directory found: /etc/.java
> [23:05:29] Warning: Hidden directory found: /dev/.udev
> [23:05:29] Warning: Hidden directory found: /dev/.initramfs

Please check rkhunter.conf

Cheers
Julien
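The behaviour that Marc's patch description and Julien's README.Debian note describe, as an added illustration that is not rkhunter's own code: a simplified string check that skips comment lines and honours a whitelist before reporting a match. The function names, the sample init scripts and the whitelist value are constructed for this example; only the RTKT_FILE_WHITELIST option name comes from the thread.

```shell
#!/bin/sh
# Added example, not rkhunter's code: a reduced model of the "possible
# rootkit strings" check from this bug report. A string is reported only
# when it appears on a non-comment line of a file that is not whitelisted.

# Stand-in for the RTKT_FILE_WHITELIST option in rkhunter.conf (constructed
# value; the real option takes the pathnames of initscripts to ignore).
RTKT_FILE_WHITELIST="/etc/init.d/hdparm"

# is_whitelisted PATH: succeeds when PATH is listed in RTKT_FILE_WHITELIST.
is_whitelisted() {
    for w in $RTKT_FILE_WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_string STRING FILE: prints the rkhunter-style warning and returns 1
# when STRING occurs outside comment lines of FILE and FILE is not
# whitelisted; returns 0 otherwise.
check_string() {
    str=$1; file=$2
    is_whitelisted "$file" && return 0
    # Drop comment lines (optional whitespace, then '#') before matching,
    # which is the change the Ubuntu patch makes to the original check.
    if grep -v '^[[:space:]]*#' "$file" | grep -q -- "$str"; then
        echo "Found string '$str' in file '$file'. Possible rootkit: Xzibit Rootkit"
        return 1
    fi
    return 0
}

# demo: two constructed initscripts; prints "0 1" (no alert for the
# comment-only mention, alert for the live command).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# Provides: hdparm\necho starting\n' > "$d/commented"
    printf '#!/bin/sh\nhdparm -d1 /dev/sda\n' > "$d/live"
    check_string hdparm "$d/commented" >/dev/null; a=$?
    check_string hdparm "$d/live" >/dev/null; b=$?
    rm -rf "$d"
    echo "$a $b"
}
```

The hidden-directory warnings in the same report are a separate check and are handled by the ALLOWHIDDENDIR option in rkhunter.conf, which this example does not model.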





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 29 May 2010 07:36:12 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jun 4 21:05:24 2023; Machine Name: buxtehude
