Re: Does 'date' (sh-utils) contain a rootkit?

From: Roy Lanek
Subject: Re: Does 'date' (sh-utils) contain a rootkit?
Date: Sun, 31 Mar 2002 02:46:11 +0700

Bob Proulx wrote (Sat 30-Mar-2002, 12:01:54 -0700)

> Jim is away from his keyboard for a few days.  In lieu of his
> authoritative answers let me provide some information.
>
> > ** sh-utils-2.0
> > ** chkrootkit-0.35 (chkrootkit.org)
> > 
> > 'chkrootkit' says that 'date' (sh-utils) contains a rootkit. Is this a
> > false positive or not?
>
> Since the GNU utilities are core to many flavors of operating systems
> they are prime targets for a cracker to attack.  Therefore it is not
> impossible that your rootkit detection software may have found a real
> rootkit on a version of the file that you have for sh-utils.
>
> But you did not say where you obtained your file.  I was not able to
> recreate your check using the official release bits.  The official
> location for released versions of sh-utils is at:
>
>   ftp://ftp.gnu.org/gnu/sh-utils/
>
> At this time sh-utils is in need of a new release.  Probably the best
> versions are the testing versions which are located here.  I recommend
> using sh-utils-2.0.11.tar.gz located here.
>
>   ftp://alpha.gnu.org/gnu/shellutils/
>
> And, of course, the main web page is here with more general
> information.
>
>   http://www.gnu.org/software/shellutils/
>
> Since I don't have the original announcements I can't vouch for the
> official release signatures.  But I do have a copy of 2.0 dated 'Sun
> Aug 15 14:45:37 1999' which is when I downloaded that file from the
> ftp.gnu.org site.  I just downloaded a fresh copy and it bit compared
> exactly to the old copy I had lying around.  Here are my cksum values
> which you could use to compare to your possibly compromised files.
>
>   5e78d1d48ca563ca77e96b22406c4aaf  sh-utils-2.0.tar.gz
>   a2970bb68eafc4b35f44e8121390adb44409067c  sh-utils-2.0.tar.gz
>
> I did not examine chkrootkit in detail.  But it is possible that it is
> creating a false positive due to the nature of the shell utils code.
> GNU shell utilities includes 'su' among others.  If chkrootkit is
> looking for C code that manipulates user id environments and such then
> it would certainly be triggered by the code in su.c and other programs
> in the utilities or by other indications that a user is intending to
> replace system utilities.  But since that is exactly what the
> utilities do this is probably confusing chkrootkit.
>
> To the best of my knowledge, those utilities do not contain a
> rootkit.  If you conclude otherwise please do not hesitate to bring
> this to the attention of the list.
>
> Bob

Well: alas, sad point, I don't remember from where exactly I
downloaded sh-utils. (Something that I will change for sure.) I often use
mirrors: Korea, Japan, Thailand, Australia, China; but not always:
sometimes it's from the US. Plus, all but Thailand have many sites; I
also could not say from which one exactly per country.

On the other hand, the md5sum of my sh-utils-2.0.tar.gz is the same as the
one that you have indicated: 5e78d1d48ca563ca77e96b22406c4aaf. (Perhaps
that makes it a bit more likely that it's indeed a false positive.)

It would be nice to use public keys, and sign the software.

I am in contact with Nelson Murilo <address@hidden>, who is looking into
whether it's a false positive or not. Let me know if you want to see the
details of the correspondence.

/Roy Lanek
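The check the two messages perform by hand, comparing a downloaded tarball against digests posted out of band, as an added example that is not part of this thread or of sh-utils. It reuses the two values Bob posted (the first is an MD5 hex digest, the second a SHA-1 hex digest, despite the post calling them "cksum values") and checks every algorithm independently, so a mismatch on either one is reported; the function and file names are the example's own.

```python
"""Verify a downloaded archive against digests published out of band."""
import hashlib
import hmac
import io

# Digests posted on the list for the official sh-utils-2.0.tar.gz
# (MD5 and SHA-1 hex digests, copied from the thread above).
SH_UTILS_2_0_DIGESTS = {
    "md5": "5e78d1d48ca563ca77e96b22406c4aaf",
    "sha1": "a2970bb68eafc4b35f44e8121390adb44409067c",
}


def digest_stream(fh, algorithms, chunk_size=1 << 20):
    """Read a binary stream once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_bytes(data, expected):
    """Return (all_ok, {algorithm: matched}) for in-memory data.

    Every expected digest is checked on its own, so an archive altered in a
    way that preserves one (weak) digest still fails on the other.  The
    comparison is constant-time; cheap here, and the right habit when the
    same routine is reused inside a download or build service.
    """
    actual = digest_stream(io.BytesIO(data), expected.keys())
    results = {
        name: hmac.compare_digest(actual[name].lower(), digest.lower())
        for name, digest in expected.items()
    }
    return all(results.values()), results


def verify_file(path, expected=SH_UTILS_2_0_DIGESTS):
    """Same check for a file on disk, streamed so large archives are fine."""
    with open(path, "rb") as fh:
        actual = digest_stream(fh, expected.keys())
    results = {
        name: hmac.compare_digest(actual[name].lower(), digest.lower())
        for name, digest in expected.items()
    }
    return all(results.values()), results
```

A match only shows the file equals the one the poster hashed; authenticity still rests on how those digests reached you, which is exactly why a detached signature from the release key is the stronger check.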
