
I installed chkrootkit with apt install on a freshly installed Ubuntu Server 16.04.3.
chkrootkit found suspicious files and directories after the first run:

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/lib/modules/4.4.0-87-generic/vdso/.build-id
/lib/modules/4.4.0-96-generic/vdso/.build-id

I noticed that three years ago another user at Stack Exchange found the same false positives and posted Chkrootkit found alot of suspicious files and directories, and /sbin/init INFECTED.

In FAQ number 8 on the official chkrootkit website it is stated that they cannot whitelist false positives because an attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.

What do you suggest doing with this long list of files and directories? How can I check that they are false positives? If they are false positives, is there any way to compare these files against their original content (as with packages using dpkg -V)?

Asarluhi

1 Answer


Whitelisting is generally deprecated for obvious reasons (cf. also chkrootkit FAQ #8).

However, as you specifically ask for it, one way to do so (using Debian) is mentioned in How to treat potential FP in chkrootkit, of course at your own assessment and risk:

/usr/sbin/chkrootkit | /bin/grep -vf /usr/local/share/chkrootkit/ignore-fp.txt

Where /usr/local/share/chkrootkit/ignore-fp.txt holds the regexes or files to ignore.

Using Debian, you can check against known good installation files:

/usr/bin/debsums -sa

Include config file checks ("-a") and only report errors ("-s"), cf. using debsums.

As always, use common sense, invest quite a bit of time and execute careful investigation. Practicing proactive and pre-incident behaviour is key in this field. Best practices for hardening your system are to be found everywhere on the net, be sure to do vast research and avoid settling on one single or the first checklist. Continuous work is required to stay on top of things. Summing up: Whitelisting, in this context, seems rather not the way to go.

HTH

Gen.Stack
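An added worked example, not part of the question or the answer above and not chkrootkit's or debsums' own code: a small POSIX sh script that takes chkrootkit's "suspicious files and dirs" output, pulls out the paths (space-separated and, as in the question, partly repeated), maps each one to its owning package with dpkg -S, and asks dpkg -V (the command the question mentions) whether that file still matches the checksum dpkg recorded at install time. The chkrootkit output embedded in the script is a constructed sample; the script assumes a Debian or Ubuntu host with dpkg on the PATH and falls back to path extraction only when dpkg is absent.

```shell
#!/bin/sh
# Triage chkrootkit's "suspicious files and dirs" list on a Debian/Ubuntu host:
# map each path to its owning package with dpkg -S, then ask dpkg -V whether
# the file still matches the package metadata. Added example; not code from
# the answer, the question, or the chkrootkit project.

# Constructed sample of chkrootkit output, shaped like the one in the
# question (paths separated by spaces, last path repeated on its own line).
sample_chkrootkit_output() {
    cat <<'EOF'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /lib/modules/4.4.0-96-generic/vdso/.build-id
/lib/modules/4.4.0-96-generic/vdso/.build-id
Searching for Ramen Worm files and dirs... nothing found
EOF
}

# Read chkrootkit output on stdin; print one absolute path per line,
# duplicates removed, original order kept.
extract_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | awk '!seen[$0]++'
}

# Print "PATH<TAB>VERDICT" for one path. Verdicts:
#   missing       path no longer exists (chkrootkit saw it, something removed it)
#   unowned       no installed package claims it: inspect by hand
#   modified:PKG  owned by PKG, but dpkg -V reports a checksum mismatch
#   verified:PKG  owned by PKG, and dpkg -V is silent about it
classify_path() {
    p=$1
    if [ ! -e "$p" ]; then
        printf '%s\tmissing\n' "$p"
        return
    fi
    # dpkg -S prints "pkg: /path", "pkg:arch: /path" or "pkg1, pkg2: /path";
    # skip "diversion by ..." lines and keep the first package name only.
    owner=$(dpkg -S "$p" 2>/dev/null \
        | awk -v p="$p" '$NF == p && !/^diversion / { sub(/: \/.*$/, ""); sub(/,.*$/, ""); print; exit }')
    if [ -z "$owner" ]; then
        printf '%s\tunowned\n' "$p"
        return
    fi
    # dpkg -V lists only files whose recorded checksum no longer matches, and
    # exits non-zero when it found any; testing the pipeline in "if" keeps
    # "set -e" from aborting on that.
    if dpkg -V "$owner" 2>/dev/null | awk -v p="$p" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'; then
        printf '%s\tmodified:%s\n' "$p" "$owner"
    else
        printf '%s\tverified:%s\n' "$p" "$owner"
    fi
}

# Whole pipeline: chkrootkit output on stdin, one verdict line per path.
triage_report() {
    extract_paths | while IFS= read -r p; do classify_path "$p"; done
}

if command -v dpkg >/dev/null 2>&1; then
    sample_chkrootkit_output | triage_report
else
    echo "dpkg not found; path extraction only:" >&2
    sample_chkrootkit_output | extract_paths
fi
```

Feed the real report with `chkrootkit | triage_report`. Anything "unowned" is what deserves a closer look; the fail2ban test fixtures and the vdso .build-id directories in the question are owned by their packages, which is what a false positive looks like. One caveat a practitioner would add: dpkg's database lives on the same disk an intruder with root can edit, so a silent dpkg -V (or debsums) only rules out tampering that left the package metadata alone. When the machine is actually suspected of compromise, compare against a fresh copy of the package fetched from the mirror (apt-get download, then dpkg-deb --fsys-tarfile) or against a known-good install rather than against the local database.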