Re: Does 'date' (sh-utils) contain a rootkit?
From: Roy Lanek
Subject: Re: Does 'date' (sh-utils) contain a rootkit?
Date: Sun, 31 Mar 2002 02:46:11 +0700
Bob Proulx wrote (Sat 30-Mar-2002, 12:01:54 -0700)
> Jim is away from his keyboard for a few days. In lieu of his
> authoritative answers let me provide some information.
>
> > ** sh-utils-2.0
> > ** chkrootkit-0.35 (chkrootkit.org)
> >
> > 'chkrootkit' says that 'date' (sh-utils) contains a rootkit. Is this a
> > false positive or not?
>
> Since the GNU utilities are core to many flavors of operating systems
> they are prime targets for a cracker to attack. Therefore it is not
> impossible that your rootkit detection software may have found a real
> rootkit on a version of the file that you have for sh-utils.
>
> But you did not say where you obtained your file. I was not able to
> recreate your check using the official release bits. The official
> location for released versions sh-utils is at:
>
> ftp://ftp.gnu.org/gnu/sh-utils/
>
> At this time sh-utils is in need of a new release. Probably the best
> versions are the testing versions which are located here. I recommend
> using sh-utils-2.0.11.tar.gz located here.
>
> ftp://alpha.gnu.org/gnu/shellutils/
>
> And, of course, the main web page is here with more general
> information.
>
> http://www.gnu.org/software/shellutils/
>
> Since I don't have the original announcements I can't vouch for the
> official release signatures. But I do have a copy of 2.0 dated 'Sun
> Aug 15 14:45:37 1999' which is when I downloaded that file from the
> ftp.gnu.org site. I just downloaded a fresh copy and it bit compared
> exactly to the old copy I had laying around. Here are my cksum values
> which you could use to compare to your possibly compromised files.
>
> 5e78d1d48ca563ca77e96b22406c4aaf sh-utils-2.0.tar.gz
> a2970bb68eafc4b35f44e8121390adb44409067c sh-utils-2.0.tar.gz
>
> I did not examine chkrootkit in detail. But it is possible that it is
> creating a false positive due to the nature of the shell utils code.
> GNU shell utilities includes 'su' among others. If chkrootkit is
> looking for C code that manipulates user id environments and such then
> it would certainly be triggered by the code in su.c and other programs
> in the utilities or by other indications that a user is intending to
> replace system utilities. But since that is exactly what the
> utilities do this is probably confusing chkrootkit.
>
> To the best of my knowledge, those utilities do not contain a
> rootkit. If you conclude otherwise please do not hesitate to bring
> this to the attention of the list.
>
> Bob
Well: alas, sad point, I don't remember from where exactly I have
downloaded sh-utils. (Something that I will change for sure.) I often use
mirrors: Korea, Japan, Thailand, Australia, China; but not always:
sometimes it's from the US. Plus, all but Thailand have many sites; I
could also not say from which one exactly per country.
On the other hand, the md5sum of my sh-utils-2.0.tar.gz is the same as the
one that you have indicated: 5e78d1d48ca563ca77e96b22406c4aaf. (Perhaps
there are a few more chances that it's a false positive indeed.)
It would be nice to use public keys, and sign the software.
I am in contact with Nelson Murilo <address@hidden>, who is looking
into whether it's a false positive or not. Let me know if you want to see the
details of the correspondence.
/Roy Lanek
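Roy compared only the MD5 of his tarball, while Bob posted both an MD5 and a SHA-1. The following is an added example (not code from either poster) that checks a downloaded archive against both digests at once, so that a match on one and a mismatch on the other is reported rather than missed; the file name and the two digest values are the ones quoted in Bob's message, everything else is assumed.

```python
import hashlib
import hmac
import io
import os
import sys

# Digests Bob posted for the official sh-utils-2.0.tar.gz (first MD5, then SHA-1).
EXPECTED = {
    "sh-utils-2.0.tar.gz": {
        "md5": "5e78d1d48ca563ca77e96b22406c4aaf",
        "sha1": "a2970bb68eafc4b35f44e8121390adb44409067c",
    },
}


def stream_digests(stream, algorithms=("md5", "sha1"), chunk=1 << 16):
    """Read a binary stream once and feed every chunk to all requested hashes."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def bytes_digests(data, algorithms=("md5", "sha1")):
    """Digest an in-memory byte string (handy for tests and small files)."""
    return stream_digests(io.BytesIO(data), algorithms)


def file_digests(path, algorithms=("md5", "sha1")):
    with open(path, "rb") as fh:
        return stream_digests(fh, algorithms)


def compare_digests(actual, expected):
    """Return {algorithm: matched}. An expected digest that was not computed
    counts as a mismatch, and comparison is constant-time."""
    return {
        name: name in actual and hmac.compare_digest(actual[name], value.lower())
        for name, value in expected.items()
    }


def verify_file(path, expected):
    """True only if every published digest matches the file on disk."""
    result = compare_digests(file_digests(path, tuple(expected)), expected)
    return all(result.values()), result


if __name__ == "__main__":
    # Usage: python verify.py /path/to/sh-utils-2.0.tar.gz
    target = sys.argv[1]
    ok, detail = verify_file(target, EXPECTED[os.path.basename(target)])
    for name, matched in detail.items():
        print(f"{name}: {'OK' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

A match shows only that the archive is the same one Bob has; whether that archive is trustworthy still depends on the digests (or, as Roy notes, a signature) arriving through a channel the downloader trusts.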