Chkrootkit: some tests result show INFECTED.

MrSorcus commented 6 years ago

Issue description

root@nixos_root_server> chkrootkit                                                                                                                                                                                                                                           ~
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not found
Checking `crontab'... not found
Checking `date'... /bin/sh
INFECTED
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not found
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... /run/current-system/sw/bin/find: ‘/usr/lib’: No such file or directory
/run/current-system/sw/bin/find: ‘/usr/lib’: No such file or directory
nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... /run/current-system/sw/bin/find: ‘/sbin’: No such file or directory
nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... /run/current-system/sw/bin/find: ‘/usr/lib’: No such file or directory
nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... not tested
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for Mumblehard Linux ... nothing found
Searching for Backdoor.Linux.Mokes.a ... nothing found
Searching for Malicious TinyDNS ... nothing found
Searching for Linux.Xor.DDoS ... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec 
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not tested

Why there is some packages has INFECTED? I think that is because some binaries patched for correct working with nix-store, but i'm not sure...

Steps to reproduce

environment.systemPackages = with pkgs; [
  binutils
  chkrootkit
];

# chkrootkit

Technical details

system: "x86_64-linux"
host os: Linux 4.9.71, NixOS, 17.09.2476.53e6d671a96 (Hummingbird)
multi-user?: yes
sandbox: yes
version: nix-env (Nix) 1.11.16
channels(root): "nixos-17.09.2476.53e6d671a96"
nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs

dtzWill commented 6 years ago

FWIW, using coreutils.override { singleBinary = false; } fixes a number of those tools being detected as 'INFECTED'.

I think in general this tool is not particularly suited for NixOS as-is, interpret the results with copious quantities of salt :).

dtzWill commented 6 years ago

Using #33152 and this nix expression:

(modify local path to an appropriate location)

with import /home/will/nixpkgs {};
mkShell {
  nativeBuildInputs = [
    (coreutils.override { singleBinary = false; })
    binutils
    chkrootkit
  ];
}

Results in much better output. Also, consider using the -q flag to be less noisy:

$ cd /path/containing/above/default-dot-nix
$ sudo nix-shell
$ chkrootkit -q

c0bw3b commented 5 years ago

This is a false-positive based on some strings found in the inspected binary.

Looking at chkrootkit source the check for 'basename' is:

chk_basename () {
   STATUS=${NOT_INFECTED}
   CMD=`loc basename basename $pth`

   if [ "${EXPERT}" = "t" ]; then
       expertmode_output "${strings} -a ${CMD}"
       expertmode_output "${ls} -l ${CMD}"
       return 5
   fi
   if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
   then
       STATUS=${INFECTED}
   fi

   [ "$SYSTEM" != "OSF1" ] &&
   {
      if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
      then
         STATUS=${INFECTED}
      fi
   }
   return ${STATUS}
}

where

# Many trojaned commands have this label
GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer"

And since

$ strings /nix/store/y9kxbzvm78zzc9ab3i3rmlxlkgnd7bcw-coreutils-8.30/bin/basename | egrep '/bin/sh'
/bin/sh
If no command is given, run '"$SHELL" -i' (default: '/bin/sh -i').

chkrootkit considers basename as 'infected' (ie here it just means it contains the '/bin/sh' string somewhere in the coreutils binary).

i-am-logger commented 9 months ago

https://github.com/NixOS/nixpkgs/issues/285643

NixOS / nixpkgs