Comment 42 for bug 454566

Philip Court (pccourt) wrote :

Some comments on this as it looks like even the latest chkrootkit code (i.e. the one that is checking for 'HOME=') is still producing false positives on my machine which is running Ubuntu 15.04:

$ lsb_release -rdc
Description: Ubuntu 15.04
Release: 15.04
Codename: vivid

I've confirmed it is a false positive using info here: https://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html, specifically by doing the following two tests:

1) The SucKIT rootkit allows an attacker to hide malicious files by giving them a particular ending. The current attacker is hiding code that ends in xrk or mem. To test for the presence of the rootkit, create a file whose name ends in xrk or mem, then execute an "ls -l". If the files you just created are not shown in the output of ls, it means that the rootkit is hiding them, i.e. your system is compromised and needs to be rebuilt.

2) Change directories to /sbin and execute an "ls -l init" -- the link count should be 1. Create a hard link to init using ln, and then execute the "ls -l init" again. If the link count is still 1, the SK rootkit is installed.

Reading through this list of comments, the only relevant one I can see with respect to deactivating the false positive for my case is what serge-hallyn wrote (on 2014-12-16) re the Fedora "fix" (i.e. "They simply check whether /sbin/init is a link to systemd, and ignore the report if so.")

Not sure why a link to systemd should be a reason to ignore the report, but it would deactivate the false positive in my case...

FYI, I got my chkrootkit source from here: https://anonscm.debian.org/gitweb/?p=collab-maint/chkrootkit.git;a=snapshot;h=76f4907eb20be2af36cc87d16c25b6df27092d1c;sf=tgz
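The two manual SucKIT checks from the comment, plus the "/sbin/init is a symlink to systemd" condition the Fedora fix is described as using, as an added example script (not part of the bug report and not chkrootkit's own code). The test file names, the use of a scratch copy instead of the real /sbin/init for the link-count check, and the assumption that a systemd init resolves to a path whose last component is "systemd" (as on Ubuntu 15.04, /sbin/init -> /lib/systemd/systemd) are choices made here.

```shell
#!/bin/sh
# Test 1 from the comment: files whose names end in "xrk" or "mem" must still
# appear in "ls -l". Returns 0 when both test files are listed, 1 otherwise.
# Test file names are constructed for this example.
suckit_hidden_files_check() {
    dir=${1:-/tmp}
    a="$dir/chk_test.xrk"
    b="$dir/chk_test.mem"
    : > "$a"; : > "$b"
    rc=0
    for f in "$a" "$b"; do
        # Deliberately checks what ls reports, not stat(): a rootkit that
        # filters directory listings is what this test is looking for.
        ls -l "$dir" | grep -qF "$(basename "$f")" || rc=1
    done
    rm -f "$a" "$b"
    return $rc
}

# Test 2 from the comment: creating a hard link must raise the link count
# shown by "ls -l". Takes a caller-supplied file so it can be run on a copy
# rather than on /sbin/init (which needs root and, with systemd, is a symlink).
suckit_link_count_check() {
    target=$1
    link="$target.hardlink"
    before=$(ls -l "$target" | awk '{print $2}')
    ln "$target" "$link"
    after=$(ls -l "$target" | awk '{print $2}')
    rm -f "$link"
    [ "$after" -gt "$before" ]
}

# The condition the Fedora fix is said to use to suppress the report:
# the init path is a symlink whose resolved target is named "systemd".
init_is_systemd_symlink() {
    init=${1:-/sbin/init}
    [ -L "$init" ] || return 1
    case $(readlink -f "$init") in
        */systemd) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `suckit_hidden_files_check` and `suckit_link_count_check` as-is; the link-count test is meaningful on /sbin/init only when it is a regular file, which on systemd hosts it is not, hence the false positive.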