Package: rkhunter
Version: 1.3.6-3
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch



In Ubuntu, we've applied the attached patch to achieve the following:

  * debian/patches/20_fix_strings_check.diff: fix hdparm false alert which
    leads to the Xzibit rootkit incorrectly being detected. The patch
    now ignores comment lines when performing string checks. (LP: #556455)

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-19-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru rkhunter-1.3.6/debian/changelog rkhunter-1.3.6/debian/changelog
diff -Nru rkhunter-1.3.6/debian/patches/20_fix_strings_check.diff rkhunter-1.3.6/debian/patches/20_fix_strings_check.diff
--- rkhunter-1.3.6/debian/patches/20_fix_strings_check.diff	1969-12-31 19:00:00.000000000 -0500
+++ rkhunter-1.3.6/debian/patches/20_fix_strings_check.diff	2010-04-06 08:45:07.000000000 -0400
@@ -0,0 +1,17 @@
+Description: fix hdparm false alert
+Bug: http://sourceforge.net/tracker/?func=detail&aid=2951178&group_id=155034&atid=794187
+Origin: upstream, http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.310&r2=1.311
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/556455
+
+diff -Nur rkhunter-1.3.6/files/rkhunter rkhunter-1.3.6.new/files/rkhunter
+--- rkhunter-1.3.6/files/rkhunter	2009-11-29 08:05:09.000000000 -0500
++++ rkhunter-1.3.6.new/files/rkhunter	2010-04-06 08:39:13.000000000 -0400
+@@ -9392,7 +9405,7 @@
+ 			FOUNDFILE=1
+ 
+ 			for FNAME in ${RC_PATHS}; do
+-				FOUNDSTRING=`${STRINGS_CMD} -n 3 ${FNAME} | grep "${STRING}"`
++				FOUNDSTRING=`${STRINGS_CMD} -n 3 ${FNAME} | grep -v '^#' | grep "${STRING}"`
+ 
+ 				if [ -n "${FOUNDSTRING}" ]; then
+ 					RKHTMPVAR2=`echo "${FNAME}" | sed -e 's/\./\\\./g'`
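Review bot: In the changed `FOUNDSTRING=` line, `grep -v '^#'` only drops lines whose first character is `#`, so a comment that is indented with spaces or tabs and mentions the searched string would still set FOUNDSTRING and raise the same false alert. If indented comments should be ignored as well, `grep -v '^[[:space:]]*#'` would cover them. The filter also runs on the output of `${STRINGS_CMD} -n 3` rather than on the file's own lines, so any extracted string that happens to start with `#` is skipped, whether or not it was a shell comment; a one-line comment above the pipeline stating that this is intentional would help the next reader judge whether a detection was suppressed on purpose.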
diff -Nru rkhunter-1.3.6/debian/patches/series rkhunter-1.3.6/debian/patches/series
--- rkhunter-1.3.6/debian/patches/series	2009-12-11 12:01:34.000000000 -0500
+++ rkhunter-1.3.6/debian/patches/series	2010-04-06 08:43:40.000000000 -0400
@@ -1,3 +1,4 @@
 05_custom_conffile.diff
 10_fix-man.diff
 15_remove-empty-dir.diff
+20_fix_strings_check.diff
