chkrootkit shows "tcpd" as INFECTED. Is it a false positive?
Solution 1
In this Ubuntu Forums post, user kpatz tested this in a fresh 16.10 VM and chkrootkit still complained, making this a false positive. You can always check whether a file has been tampered with by comparing the md5sum from the package:
$ dpkg -S /usr/sbin/tcpd
tcpd: /usr/sbin/tcpd
$ (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
usr/sbin/safe_finger: OK
usr/sbin/tcpd: OK
usr/sbin/tcpdchk: OK
usr/sbin/tcpdmatch: OK
usr/sbin/try-from: OK
usr/share/man/man8/safe_finger.8.gz: OK
usr/share/man/man8/tcpd.8.gz: OK
usr/share/man/man8/tcpdchk.8.gz: OK
usr/share/man/man8/tcpdmatch.8.gz: OK
usr/share/man/man8/try-from.8.gz: OK
Of course, the md5sums file itself may be tampered with (and so could md5sum itself, and so on...).
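The following script is an added example, not part of the answer above. It performs the same verification as (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums), but as a reusable function that also flags files listed in the md5sums file that no longer exist, and it runs against a constructed sandbox directory instead of the real filesystem so it can be tried safely. The function name verify_md5sums, the helper make_demo_root and the placeholder file contents are assumptions for the demo; on a real system the first argument would be / and the second /var/lib/dpkg/info/tcpd.md5sums.

```shell
#!/bin/sh
# Added example (not from the original answer). Re-implements what
#   (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
# does: every line of a dpkg .md5sums file is "<md5>  <path relative to />".

# verify_md5sums ROOT MD5SUMS_FILE
#   ROOT         directory the relative paths are resolved against ("/" on a live system)
#   MD5SUMS_FILE list in dpkg's "<md5>  <relative path>" format
# Prints one line per entry and returns 0 only if every file exists and matches.
verify_md5sums() {
    root=$1
    list=$2
    status=0
    # Redirecting the file into the loop (no pipe) keeps "status" in this shell.
    while read -r expected path; do
        [ -n "$path" ] || continue                    # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING: $path"                     # listed by the package but gone
            status=1
            continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK: $path"
        else
            echo "MODIFIED: $path"                    # on-disk content differs from the package
            status=1
        fi
    done < "$list"
    return $status
}

# Builds a constructed sandbox: a fake root with one stand-in binary and a
# matching md5sums list (stands in for / and tcpd.md5sums). Prints the path.
make_demo_root() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/sbin"
    printf 'constructed stand-in for /usr/sbin/tcpd\n' > "$demo/usr/sbin/tcpd"
    (cd "$demo" && md5sum usr/sbin/tcpd) > "$demo/tcpd.md5sums"
    echo "$demo"
}

# Walk-through: the clean sandbox passes, the tampered one is reported.
demo=$(make_demo_root)
verify_md5sums "$demo" "$demo/tcpd.md5sums" || echo "unexpected: clean sandbox failed"
printf 'appended bytes\n' >> "$demo/usr/sbin/tcpd"   # simulate a modified binary
verify_md5sums "$demo" "$demo/tcpd.md5sums" || echo "tampering detected, as expected"
rm -rf "$demo"
```

Two things to keep in mind when running this against a live system. If /var/lib/dpkg/info/tcpd.md5sums does not exist, the package is simply not installed, which matches the comments below where chkrootkit still reported tcpd as infected on machines without it. And, as the answer already notes, the list and the md5sum tool live on the same host as the file being checked, so a clean result only rules out accidental or unsophisticated modification; an independent reference, such as the file extracted from the same package version downloaded from a mirror, is needed for anything stronger.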
Solution 2
This is a false positive caused by a bug in the main chkrootkit script. I tried to post the fix here, but was downvoted. I reported the issue to the chkrootkit devs, but if you'd like to fix the issue so that it actually works, you might want to check out: https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733
mariner
Updated on September 18, 2022
Comments
- mariner (over 1 year ago): Scan by chkrootkit shows "tcpd" as being INFECTED, although a scan by rkhunter shows OK (except for regular false positives). Shall I be worried? (I'm on Ubuntu 16.10 with 4.8.0-37-generic.)
- muru (over 7 years ago):
- mariner (over 7 years ago): muru, thanks! It helped! P.S. How do I vote for the reputation of a user? (You, in this case.)
- muru (over 7 years ago): That was just a comment. I'll post an answer in a moment, which you can accept, if you like.
- naXa stands with Ukraine (almost 7 years ago): Does a direct scan, sudo chkrootkit tcpd, return infected?
- Jason (over 5 years ago): Mine came up as INFECTED also and it isn't installed.
- mariner (over 7 years ago): Muru, thank you for such a prompt response! It was really helpful. (Unfortunately the system won't let me vote for your reputation. It says I am not yet allowed to do that :(((((
- Washington Guedes (over 7 years ago): When checking whether something is malicious or not by checking it against a known good version, MD5s are probably the worst hash sums to use due to collisions.
- Philippe Delteil (almost 6 years ago): In my case, using Ubuntu 18.04, tcpd wasn't even installed and it was reported as infected!