chkrootkit shows "tcpd" as INFECTED. Is it a false positive?

In this Ubuntu Forums post, user kpatz tested this in a fresh 16.10 VM and chkrootkit still complained, making this a false positive. You can always check if a file has been tampered by comparing the md5sum from the package:

$ dpkg -S /usr/sbin/tcpd
tcpd: /usr/sbin/tcpd
$ (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
usr/sbin/safe_finger: OK
usr/sbin/tcpd: OK
usr/sbin/tcpdchk: OK
usr/sbin/tcpdmatch: OK
usr/sbin/try-from: OK
usr/share/man/man8/safe_finger.8.gz: OK
usr/share/man/man8/tcpd.8.gz: OK
usr/share/man/man8/tcpdchk.8.gz: OK
usr/share/man/man8/tcpdmatch.8.gz: OK
usr/share/man/man8/try-from.8.gz: OK

Of course, the md5sums file itself maybe tampered, (and so could md5sum itself and so on...).

This is a false positive caused by a bug in the main chkrootkit script. I tried to post the fix here, but was downvoted. I reported the issue to the chkrootkit devs, but if you'd like to fix the issue so that it actually works, you might want to check out: https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733

chkrootkit shows "tcpd" as INFECTED. Is it a false positive?

Tags:

Security

Malware

Tcpdump

Rootkit

Chkrootkit

Related

Recent Posts