bug-sh-utils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Does 'date' (sh-utils) contain a rootkit?

From: Bob Proulx
Subject: Re: Does 'date' (sh-utils) contain a rootkit?
Date: Sat, 30 Mar 2002 12:01:54 -0700 
Jim is away from his keyboard for a few days.  In lieu of his
authoritative answers let me provide some information.

> ** sh-utils-2.0
> ** chkrootkit-0.35 (chkrootkit.org)
> 
> 'chkrootkit' says that 'date' (sh-utils) contains a rootkit. Is this a
> false positive or not?

Since the GNU utilities are core to many flavors of operating systems
they are prime targets for a cracker to attack.  Therefore it is not
impossible that your rootkit detection software may have found a real
rootkit on a version of the file that you have for sh-utils.

But you did not say where you obtained your file.  I was not able to
recreate your check using the official release bits.  The official
location for released versions sh-utils is at:

  ftp://ftp.gnu.org/gnu/sh-utils/

At this time sh-utils is in need of a new release.  Probably the best
versions are the testing versions which are located here.  I recommend
using sh-utils-2.0.11.tar.gz located here.

 ftp://alpha.gnu.org/gnu/shellutils/

And, of course, the main web page is here with more general
information.

  http://www.gnu.org/software/shellutils/

Since I don't have the original announcements I can't vouch for the
official release signatures.  But I do have a copy of 2.0 dated 'Sun
Aug 15 14:45:37 1999' which is when I downloaded that file from the
ftp.gnu.org site.  I just downloaded a fresh copy and it bit compared
exactly to the old copy I had laying around.  Here are my cksum values
which you could use to compare to your possibly compromised files.

  5e78d1d48ca563ca77e96b22406c4aaf  sh-utils-2.0.tar.gz
  a2970bb68eafc4b35f44e8121390adb44409067c  sh-utils-2.0.tar.gz

I did not examine chkrootkit in detail.  But it is possible that it is
creating a false positive due to the nature of the shell utils code.
GNU shell utilities includes 'su' among others.  If chkrootkit is
looking for C code that manipulates user id environments and such then
it would certainly be triggered by the code in su.c and other programs
in the utilities or by other indications that a user is intending to
replace system utilities.  But since that is exactly what the
utilities do this is probably confusing chkrootkit.

To the best of my knowledge, those utilities do not contain a
rootkit.  If you conclude otherwise please do not hesitate to bring
this to the attention of the list.

Bob
reply via email to
[Prev in Thread] Current Thread [Next in Thread]