On Sun, 23 Jan 2022 10:27:26 +0100 Samuel Thibault <sthiba...@debian.org> wrote:

> chkrootkit reports this:
>
> Searching for Linux.Xor.DDoS ...                            INFECTED: 
> Possible Malicious Linux.Xor.DDoS installed
> /tmp/lynx-2.9.0dev.10/configure
> /tmp/lynx-2.9.0dev.10/.pc/30_build_path_in_binary.diff/scripts/cfg_defs.sh
> /tmp/lynx-2.9.0dev.10/.pc/21_do_not_strip_-g.diff/configure
> /tmp/lynx-2.9.0dev.10/debian/rules
> /tmp/lynx-2.9.0dev.10/install-sh
> /tmp/lynx-2.9.0dev.10/config.sub
> /tmp/lynx-2.9.0dev.10/scripts/cfg_defs.sh
> [...]
>
> The source code of chkrootkit says:
>
> files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`"
>
> Well, yes, I do have executable files in /tmp: whenever I use "apt
> source" there there is at least debian/rules, and ./configure, etc.
>
> This looks like an overzealous check, and copying the result to
> /var/log/chkrootkit/log.expected won't fly of course.

This is a classic example of a false positive: the test chkrootkit runs
is designed to report when executables are found in /tmp because (as I
understand the comments in upstream's file), many rootkits leave
executables there, and so it can often be a sign of something
bad/unintended happening on the system. Of course, just because an
automated script tells you something is there doesn't mean it is a
rootkit - human judgement is always needed for that.

An automated check like this is never going to be precise, but it is
operating as intended: I don't realistically see any way chkrootkit can
determine when executables came from apt source. Personally, I would
simply accept that such reports are going to happen, and take it as a
reminder to clean up the temporary files created by apt source.

But you _could_ try and:
- use the FILTER option in /etc/chkrootkit/chkrootkit.conf to delete
any line ending in 'configure' or 'debian/rules' -- this works with or
without diff_mode.
- tell systemd to run chkrootkit at a different time, to minimise the
chance of it running when you are in the middle of using 'apt source'
(and make sure you clean up anything left in /tmp)
- (I wonder if there is an option to tell 'apt source' to use a
different location, perhaps by setting TMPDIR?)

What we should do is document 'apt source' in
/usr/share/doc/chkrootkit/README.FALSE-POSITIVES --- other suggestions
welcome of course, but I don't see what action can really be taken to
fix this 'issue'.
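To see the false positive and the filtering suggestion side by side, the
following is an added example (written for this thread; it is not
chkrootkit's own script and not part of the original messages). It
reproduces the `find ... -executable -type f` check quoted above on a
constructed directory laid out like the reported lynx tree, then pipes the
report through a sed expression that deletes lines ending in 'configure'
or 'debian/rules'. The variable name APT_SOURCE_FILTER and the assumption
that the filter is a sed script are mine; check the FILTER setting in
/etc/chkrootkit/chkrootkit.conf for the exact form it expects before
copying the expression there.

```shell
#!/bin/sh
# Added example: reproduce chkrootkit's "executables in /tmp" check and
# post-filter the 'apt source' leftovers. Not chkrootkit's own code.

# The check chkrootkit runs, parameterised on the directory to scan
# (the real script prefixes ${ROOTDIR}tmp/). Output is sorted so that
# the report is stable across runs.
find_tmp_executables() {
    dir="$1"
    find "$dir" -executable -type f 2>/dev/null | sort
}

# Assumed sed script dropping the two paths the thread names. Whether
# chkrootkit.conf's FILTER takes exactly this shape is an assumption;
# verify against your installed chkrootkit.conf.
APT_SOURCE_FILTER='/\/configure$/d; /\/debian\/rules$/d'

filter_report() {
    sed -e "$APT_SOURCE_FILTER"
}

# Build a constructed /tmp-like tree mirroring the paths in the report,
# plus one executable that is NOT an apt-source artefact (to show the
# filter keeps it) and one non-executable file (which find must skip).
make_sample_tmp() {
    base="$1"
    mkdir -p "$base/lynx-2.9.0dev.10/debian" \
             "$base/lynx-2.9.0dev.10/scripts" \
             "$base/other"
    for f in configure debian/rules install-sh config.sub scripts/cfg_defs.sh; do
        printf '#!/bin/sh\n' > "$base/lynx-2.9.0dev.10/$f"
        chmod +x "$base/lynx-2.9.0dev.10/$f"
    done
    printf '#!/bin/sh\n' > "$base/other/unknown-binary"   # constructed, not a real sample
    chmod +x "$base/other/unknown-binary"
    printf 'data\n' > "$base/lynx-2.9.0dev.10/README"      # not executable
}

count_lines() {
    wc -l | tr -d ' '
}

demo() {
    sample="$(mktemp -d)"
    make_sample_tmp "$sample"
    echo "raw report (what chkrootkit would flag):"
    find_tmp_executables "$sample"
    echo
    echo "after filtering the apt-source paths:"
    find_tmp_executables "$sample" | filter_report
    rm -rf "$sample"
}

demo
```

Note that the filter only hides the two file names the thread mentions;
install-sh, config.sub and scripts/cfg_defs.sh from the same source tree
still show up, and any executable that is not an apt-source artefact is
kept, which is the behaviour you want from a filter that is meant to
reduce noise rather than silence the check.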
