chkrootkit (false) positive

Dan Lukes dan at obluda.cz
Wed Mar 23 20:00:00 CET 2016


Peter Rosa wrote on 23.3.2016 18:48:
>> What does this print for you
>>
>>> ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System
>>> clean" || echo "System infected"

> System infected

OK. So you ran exactly the command that chkrootkit itself runs when it
tries to detect an infection.

As you can see, the test assumes that ssh does not know the -G option and
says so with a message containing the word 'illegal' or 'unknown'.

Your ssh -G does not use any such word, and chkrootkit therefore considers
it infected.

>> ssh -G

> usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
>            [-D [bind_address:]port] [-E log_file] [-e escape_char]
>            [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
>            [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
>            [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
>            [-w local_tun[:remote_tun]] [user@]hostname [command]

And that is the answer - ssh of this version knows the -G option, so it does
not treat it as an invalid/unknown option, ergo it does not print the
expected text.

The test, in the form in which chkrootkit performs it, cannot be used with
this version of ssh. chkrootkit's warning about an infection is unfounded.

I probably don't need to explain that proof of an incorrect test and of an
unfounded warning must not be confused with proof that the system is not
infected with something.


Dan
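The chkrootkit check discussed in this thread, replayed on captured ssh output so the false positive can be reproduced offline. This is an added example, not code from chkrootkit or from the thread: the two sample outputs are constructed (the second reuses the usage text quoted above), and `refined_verdict` is a hypothetical variant that only classifies whether the test is applicable to the ssh at hand.

```shell
#!/bin/sh
# Replays chkrootkit's ssh test on saved output instead of a live ssh.

# Constructed sample: an older ssh that rejects -G as an unknown option.
OLD_SSH_OUTPUT='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Constructed sample: a newer ssh that implements -G (usage text as in the thread).
NEW_SSH_OUTPUT='usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]'

# chkrootkit's logic: "clean" only if the output mentions illegal/unknown,
# everything else is reported as infected.
chkrootkit_verdict() {
    if printf '%s\n' "$1" | grep -e illegal -e unknown > /dev/null; then
        echo "System clean"
    else
        echo "System infected"
    fi
}

# Hypothetical refinement: before concluding "infected", check whether the
# usage line lists G among the single-letter options, i.e. ssh genuinely
# supports -G and the test simply does not apply. A tampered binary could
# print any text it likes, so "inconclusive" is not a clean bill of health.
refined_verdict() {
    if printf '%s\n' "$1" | grep -e illegal -e unknown > /dev/null; then
        echo "System clean"
    elif printf '%s\n' "$1" | grep -q 'usage: ssh \[-[^]]*G'; then
        echo "Inconclusive: ssh supports -G, test not applicable"
    else
        echo "System infected"
    fi
}

# Against the local ssh you would run:  refined_verdict "$(ssh -G 2>&1)"
```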
