chkrootkit shows "tcpd" as INFECTED. Is it a false positive?


Solution 1

In this Ubuntu Forums post, user kpatz tested this in a fresh 16.10 VM and chkrootkit still complained, making this a false positive. You can always check if a file has been tampered by comparing the md5sum from the package:

$ dpkg -S /usr/sbin/tcpd
tcpd: /usr/sbin/tcpd
$ (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
usr/sbin/safe_finger: OK
usr/sbin/tcpd: OK
usr/sbin/tcpdchk: OK
usr/sbin/tcpdmatch: OK
usr/sbin/try-from: OK
usr/share/man/man8/safe_finger.8.gz: OK
usr/share/man/man8/tcpd.8.gz: OK
usr/share/man/man8/tcpdchk.8.gz: OK
usr/share/man/man8/tcpdmatch.8.gz: OK
usr/share/man/man8/try-from.8.gz: OK

Of course, the md5sums file itself may be tampered with (and so could md5sum itself, and so on...).
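As an added illustration (not code from the answer above, nor from dpkg or chkrootkit), here is a hypothetical Python helper that does what the `cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums` step does: it parses the package's md5sums list, resolves each relative path against a root directory, and reports OK, FAILED or MISSING per file. The `demo()` fixture is constructed in a temporary directory so it runs without dpkg; it also carries the same caveat as the answer, in that a modified list or hashing tool makes the result meaningless.

```python
"""Hypothetical helper: re-implements 'cd /; md5sum -c <pkg>.md5sums' in Python."""
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse '<md5hex>  <path relative to />' lines as found in
    /var/lib/dpkg/info/<pkg>.md5sums (two-space separator, like md5sum output)."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            digest, rel_path = line.split("  ", 1)
            entries.append((digest.strip().lower(), rel_path))
    return entries

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_md5sums(text, root="/"):
    """Return {relative_path: 'OK' | 'FAILED' | 'MISSING'}. Paths are joined to
    root, which is why the original command runs from 'cd /'. Like md5sum -c,
    this trusts the list itself; a tampered .md5sums file proves nothing."""
    results = {}
    for digest, rel_path in parse_md5sums(text):
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
        else:
            results[rel_path] = "OK" if md5_of(full) == digest else "FAILED"
    return results

def demo():
    """Constructed fixture (not a real package): a fake root with one intact
    file, one modified file and one file that is missing from disk."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/sbin"))
    intact, original, modified = b"#!/bin/sh\necho tcpd\n", b"original\n", b"tampered\n"
    with open(os.path.join(root, "usr/sbin/tcpd"), "wb") as f:
        f.write(intact)
    with open(os.path.join(root, "usr/sbin/tcpdchk"), "wb") as f:
        f.write(modified)  # on disk it differs from what the list records
    md5sums = (hashlib.md5(intact).hexdigest() + "  usr/sbin/tcpd\n"
               + hashlib.md5(original).hexdigest() + "  usr/sbin/tcpdchk\n"
               + hashlib.md5(b"never written").hexdigest() + "  usr/sbin/try-from\n")
    return verify_md5sums(md5sums, root)

if __name__ == "__main__":
    for rel_path, status in demo().items():
        print(f"{rel_path}: {status}")  # mirrors md5sum -c output lines
```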

Solution 2

This is a false positive caused by a bug in the main chkrootkit script. I tried to post the fix here, but was downvoted. I reported the issue to the chkrootkit devs, but if you'd like to fix the issue so that it actually works, you might want to check out: https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733


Author: mariner

Updated on September 18, 2022

Comments

  • mariner
    mariner over 1 year

    A scan by chkrootkit shows "tcpd" as being INFECTED, although a scan by rkhunter shows OK (except for regular false positives).

    Shall I be worried? (I'm on Ubuntu 16.10 with 4.8.0-37-generic)

    • muru
      muru over 7 years
    • mariner
      mariner over 7 years
      muru, thanks! It helped! P.S. How do I vote for the reputation of a user? (you in this case)
    • muru
      muru over 7 years
      That was just a comment. I'll post an answer in a moment, which you can accept, if you like.
    • naXa stands with Ukraine
      naXa stands with Ukraine almost 7 years
      Does a direct scan, sudo chkrootkit tcpd, return infected?
    • Jason
      Jason over 5 years
      Mine came up as INFECTED also and it isn't installed.
  • mariner
    mariner over 7 years
    Muru, thank you for such a prompt response! It was really helpful. (Unfortunately the system won't let me vote for your reputation. It says I am not yet allowed to do that :(((((
  • Washington Guedes
    Washington Guedes over 7 years
    When checking whether something is malicious by comparing it against a known good version, MD5s are probably the worst hash sums to use due to collisions.
  • Philippe Delteil
    Philippe Delteil almost 6 years
    In my case, using Ubuntu 18.04 tcpd wasn't even installed and it was reported as infected!