Page 1 of 2

Possible infected ISO of BusterDog [NOT]

Posted: Wed Aug 25, 2021 1:04 pm
by mcgiwer

EDIT: by fredx181, removed [WARNING] from the title as the OP used a modified version of rkhunter to scan for infection; IMO the message below is a false alarm, see more in the replies to this thread.
===================================================================================================================

After burning the downloaded BusterDog ISO to a fresh USB stick and starting the system up from it, I installed and configured rkhunter. After scanning, I received the output in the attached file.

Notes:

  • the lines were truncated, removing the "OK" entries and leaving the rest

  • for security reasons, the confidential information was truncated

Pastebin with the log:


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Wed Aug 25, 2021 1:40 pm
by rockedge

Seems like many of the files found are normally present in this type of system. I can find some of them on this Bionic64-8.0 as well.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Wed Aug 25, 2021 3:24 pm
by rcrsn51

1. I did a clean install of BusterDog-openbox_jwm-2020-09-07_64-bit-UEFI.iso
2. I installed rkhunter via apt
3. I ran it.
4. It came back clean.
5. Some files reported in mcgiwer's log do not exist in the install nor inside the ISO.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Wed Aug 25, 2021 4:57 pm
by fredx181
rcrsn51 wrote: Wed Aug 25, 2021 3:24 pm

1. I did a clean install of BusterDog-openbox_jwm-2020-09-07_64-bit-UEFI.iso
2. I installed rkhunter via apt
3. I ran it.
4. It came back clean.
5. Some files reported in mcgiwer's log do not exist in the install nor inside the ISO.

I did the same (clean frugal install) and no rootkits for me either:

Rootkit checks...
Rootkits checked : 470
Possible rootkits: 0

Updating the database with rkhunter --update gave me an error first. I edited /etc/rkhunter.conf following the instructions from the first answer here:
https://unix.stackexchange.com/question ... -bin-false
And updating went ok.

rkhunter.log attached:

rkhunter.log

So... @mcgiwer the question is... how did all these rootkits etc. get into your system? Weird...


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Wed Aug 25, 2021 5:31 pm
by rcrsn51

In the event that these rootkits were all hiding on the ISO's bootloader, I burned the ISO to a flash drive and booted off that.

It also came out clean.

Mcgiwer's log lists something called burpsuite. This is clearly not part of the original ISO.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Wed Aug 25, 2021 6:05 pm
by Flash

I doubt we'll hear from @mcgiwer again.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Wed Aug 25, 2021 6:07 pm
by fredx181
Flash wrote: Wed Aug 25, 2021 6:05 pm

I doubt we'll hear from @mcgiwer again.

Why?


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 2:53 am
by Flash

Just a feeling. I hope he proves me wrong. We'll see.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 11:18 am
by mcgiwer
Flash wrote: Thu Aug 26, 2021 2:53 am

Just a feeling. I hope he proves me wrong. We'll see.

Notes:

  • the mentioned case applies to a system run from a live USB and not installed on disk

  • the test below was done 26 August 2021 at 11:59 CEST on a system freshly started from a live USB stick, without any network connection

  • the test was made with the newest available database and signatures files

It depends on what version of the ISO you burned. The one I did (and still use) seems to be infected.

Below I attach the log of the latest scan:

I guess that your system seemed to be "clean" because you had used rkhunter:

  • which had a default configuration, which does not have some important settings set

  • without additional tools and scripts which would show the things that rkhunter in a default configuration may not detect

Please use the attached version of rkhunter with the configuration and already included scripts and tools.

Instruction:

The attached rkhunter does not need to be installed and can be run directly from the rkhunter folder in the directory to which you extract the archive.

WARNING: To make it work, you must run it as the root user

To use it, enter the rkhunter directory in the folder to which you extracted the archive and run the following command:

Code:

./hunter --nocf --propupd --autox --verbose-logging --skip-keypress --pkgmgr dpkg --hash sha512 --configfile ./hunter.conf -c

Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 11:32 am
by mcgiwer
rcrsn51 wrote: Wed Aug 25, 2021 5:31 pm

Mcgiwer's log lists something called burpsuite. This is clearly not part of the original ISO.

Burpsuite is a pentesting (and also provides a proxy) software I use


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 11:38 am
by fredx181
mcgiwer wrote:

It depends on what version of the ISO you burned. The one I did (and still use) seems to be infected.

So why don't you tell us which ISO it is that you use? Only then can it be properly reproduced.

I guess that your system seemed to be "clean" because you had used rkhunter:

No, for me it was the first time using rkhunter.
Anyway, I will test tonight, scanning with your rkhunter version.

EDIT: Looking at your log, as rcrsn51 already said, there are many files that do not exist by default in the ISO.
Can you scan again on an absolutely clean/pristine install of Busterdog? (e.g. boot without "changes=...")
And show the original log file please, don't edit it!


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 2:53 pm
by rcrsn51

I installed the rkhunter_aoi package in BusterDog and eventually got it working. It indeed found rootkits, but by identifying files that did NOT exist.

I then tried the same thing on a clean Bullseye Starter Kit. I had already tested it with rkhunter installed via apt and it was clean. Again, the aoi version detected rootkits.

So I see two conclusions: Either all of Debian is riddled with rootkits or there is something wrong with the rkhunter_aoi version.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 3:04 pm
by Flash

So, after installing Busterdog you installed a few programs before running rkhunter?


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 3:09 pm
by fredx181
mcgiwer wrote:

Please use the attached version of rkhunter with the configuration and already included scripts and tools.

Ok, extracted in /root and ran the command to test (on a clean Busterdog frugal install):

Code:

root@live:~/rkhunter# ./hunter --nocf --propupd --autox --verbose-logging --skip-keypress --pkgmgr dpkg --hash sha512 --configfile ./hunter.conf -c
ERROR: This tool need to run as root. Exiting.
Installation directory does not exist: /mnt/sda2/app/extracted/rkhunter

So I did mkdir -p /mnt/sda2/app/extracted/ and copied the rkhunter dir there.

Ran again from /mnt/sda2/app/extracted/rkhunter:

Code:

root@live:/mnt/sda2/app/extracted/rkhunter# ./hunter --nocf --propupd --autox --verbose-logging --skip-keypress --pkgmgr dpkg --hash sha512 --configfile ./hunter.conf -c

Then it runs, and in the log there are lots of warnings (not shown as "found" as in your log), e.g. for /usr/bin/file:

[16:08:13] /usr/bin/file [ Warning ]
[16:08:13] Warning: File '/usr/bin/file' has the immutable-bit set.

Checked if the immutable-bit is set on /usr/bin/file:

Code:

root@live:~/rkhunter# lsattr /usr/bin/file
lsattr: Inappropriate ioctl for device While reading flags on /usr/bin/file

Ok, it's in the virtual filesystem, so, as I've found in the past, lsattr won't work then (same when trying chattr +i /usr/bin/file)

Code:

root@live:~/rkhunter# chattr +i /usr/bin/file
chattr: Inappropriate ioctl for device while reading flags on /usr/bin/file

Copied /usr/bin/file outside the virtual filesystem to sda2

Code:

cp -a /usr/bin/file /mnt/sda2/
root@live:/mnt/sda2# lsattr ./file
--------------e---- ./file

Doesn't have the immutable-bit set (otherwise it shows ---i---)

My conclusion so far: rkhunter is made to run on a full install (on an "actual" filesystem), NOT on a frugal install that is running a virtual filesystem.
Still strange that I see only warnings "[ Warning ]" where you have "found" in your log.

@rcrsn51 Did you see similar warnings about "has the immutable-bit set" when running rkhunter_aoi ?

EDIT: Attached log:

rkhunter.log

EDIT: Can't understand why several files are marked as 'found' by rkhunter while I really can't see that they exist on my system, strange..., just examples, there are more:

[16:13:19] Checking for file '/dev/tux/backup/df' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/dir' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/find' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/ifconfig' [ Found ]
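The discrepancy in the post above (paths the scanner reports as "[ Found ]" that nobody can see on disk) can be checked mechanically. The script below is an added example, not from the thread and not rkhunter's own code: it pulls every path an rkhunter log marks "[ Found ]" and stats it, and wraps lsattr so that the "Inappropriate ioctl for device" failure on a union-mounted frugal install is reported as unknown instead of being mistaken for a finding. The log lines in sample_log are constructed for the demonstration; only /bin/sh is a path assumed to really exist.

```shell
#!/bin/sh
# Added example (not from the thread, not rkhunter's own code): cross-check the
# "[ Found ]" verdicts in an rkhunter log against the live filesystem, and probe
# the immutable bit in a way that tolerates the union mounts of a frugal install.

# Constructed sample log lines in rkhunter's log format. /bin/sh stands in for a
# path that really exists; the /dev/tux/backup/* paths are the ones the thread quotes.
sample_log() {
    cat <<'EOF'
[16:13:19] Checking for file '/dev/tux/backup/df' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/dir' [ Found ]
[16:13:20] Checking for file '/bin/sh' [ Found ]
[16:13:21] Checking for file '/usr/lib/.lib/.x' [ Not found ]
EOF
}

# Read an rkhunter log on stdin; for every path reported "[ Found ]" print
# "<path> present" or "<path> MISSING" based on a real stat of that path.
found_paths_status() {
    sed -n "s/^.*Checking for file '\([^']*\)' *\[ Found \].*/\1/p" |
    while IFS= read -r path; do
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s present\n' "$path"
        else
            printf '%s MISSING\n' "$path"
        fi
    done
}

# Number of "[ Found ]" claims whose path does not exist. On a box where you did
# not plant such files, a non-zero count means the scanner or its database is
# wrong, or something hides the path from stat(2); either way get a second opinion.
missing_found_count() {
    found_paths_status | grep -c ' MISSING$' || true
}

# Immutable-bit probe for one file: prints "set", "clear" or "unknown". lsattr
# fails with "Inappropriate ioctl for device" on aufs/overlay union mounts and on
# filesystems without attribute support; that is an unknown, not a finding.
immutable_state() {
    flags=$(lsattr -d -- "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "${flags%% *}" in
        *i*) echo set ;;
        *)   echo clear ;;
    esac
}

# Demo on the constructed log. On a real system use:
#   found_paths_status < /var/log/rkhunter.log
sample_log | found_paths_status
```

On a pristine install, every "MISSING" line is evidence against the scanner (or its signature list) rather than for a rootkit, unless a kernel module is hiding the path from stat as well as from ls; that case needs a second vantage point such as mounting the USB stick read-only from another system and repeating the check there.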


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 4:04 pm
by mcgiwer

Code:

ERROR: This tool need to run as root. Exiting.

Have you read the instructions? It is highlighted there that the user needs to be root, and the above message shows it.

Installation directory does not exist: /mnt/sda2/app/extracted/rkhunter

It seems I had forgotten to edit the installation directory variable. It should be a dot instead of the above path. Sorry. Please fix it after downloading.

Then it runs, and in the log there are lots of warnings (not shown as "found" as in your log), e.g. for /usr/bin/file:

[16:08:13] /usr/bin/file [ Warning ]
[16:08:13] Warning: File '/usr/bin/file' has the immutable-bit set.

Checked if the immutable-bit is set on /usr/bin/file:

Code:

root@live:~/rkhunter# lsattr /usr/bin/file
lsattr: Inappropriate ioctl for device While reading flags on /usr/bin/file

Ok, it's in the virtual filesystem, so, as I've found in the past, lsattr won't work then (same when trying chattr +i /usr/bin/file)

Code:

root@live:~/rkhunter# chattr +i /usr/bin/file
chattr: Inappropriate ioctl for device while reading flags on /usr/bin/file

Copied /usr/bin/file outside the virtual filesystem to sda2

Code:

cp -a /usr/bin/file /mnt/sda2/
root@live:/mnt/sda2# lsattr ./file
--------------e---- ./file

Doesn't have the immutable-bit set (otherwise it shows ---i---)

The warnings about the immutable bit should be ignored. You can turn this warning off by changing the value of the IMMUTABLE_BIT variable in the configuration from 0 to 1 (it should help).

EDIT: Can't understand why several files are marked as 'found' by rkhunter while I really can't see that they exist on my system, strange..., just examples, there are more:

[16:13:19] Checking for file '/dev/tux/backup/df' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/dir' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/find' [ Found ]
[16:13:20] Checking for file '/dev/tux/backup/ifconfig' [ Found ]

As far as I know, most malware hides its processes and files, making them invisible to the system, and because of that, even if you attempt to remove them from the console, it will fail. Attempting to kill the hidden process will fail with a "process not found" error.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 4:08 pm
by mcgiwer
Flash wrote: Thu Aug 26, 2021 3:04 pm

So, after installing Busterdog you installed a few programs before running rkhunter?

Yes. I had. One of them was the mentioned Burp Suite ;-)


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 4:22 pm
by rcrsn51

I compared the "hunter" script in the aio version with the "rkhunter" script from Debian. There are significant differences.

I would prefer to trust the Debian version.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 4:44 pm
by fredx181
mcgiwer wrote:

Code:

ERROR: This tool need to run as root. Exiting.

Have you read the instructions? There is highlighted that the user need to be root and the above message show it.

I did run it as root (as you can see in the "code" I posted ("root@live")), still it gave the above error (but went on scanning).

Ok, I'll ignore the warnings about "immutable" and yes indeed "possible" rootkits are found, so... I don't know why.

I take this in fact as an accusation (although you probably did not intend it).
I can only trust myself (I didn't put any malware in any of my shares, EVER) and I'm not sure if I can trust the reliability of the rkhunter(aio) program.
Well.. this makes me very sad TBH.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 5:01 pm
by Flash

If the suspicious files are not very large, what would happen if they were googled? (The whole file)


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 5:06 pm
by mcgiwer

There is a question about when the suspected files got possibly infected... on Debian or after it was modified into DebianDog...


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 5:10 pm
by fredx181
mcgiwer wrote: Thu Aug 26, 2021 5:06 pm

There is a question about when the suspected files got possibly infected... on Debian or after it was modified into DebianDog...

Or the possibility that rkhunter (edit: rkhunter_aio) is wrong.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 5:13 pm
by rcrsn51
mcgiwer wrote: Thu Aug 26, 2021 5:06 pm

There is a question about when the suspected files got possibly infected... on Debian or after it was modified into DebianDog...

So I see two conclusions: Either all of Debian (and every downstream distro) is riddled with rootkits or there is something wrong with the rkhunter_aio version.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 6:53 pm
by fredx181

Thought I'd do a scan on a Puppy.

According to hunter FossaPup64 has:

File properties checks...
Required commands check failed
Files checked: 120
Suspect files: 73

Rootkit checks...
Rootkits checked : 379
Possible rootkits: 32

Still believe this version of the hunter program is reliable??
I'm curious about scan results on some major distro, e.g. Linux Mint, Arch Linux etc.; wouldn't be surprised if it has similar results...
@mcgiwer I must say that I was at first suspicious about your intentions (perhaps e.g. spamming) but not now anymore.
My apologies if it came across to you like that.

(workaround to create some directories it complained about missing)

Code:

root# ./hunter --nocf --propupd --autox --verbose-logging --skip-keypress --pkgmgr dpkg --hash sha512 --configfile ./hunter.conf -c
ERROR: This tool need to run as root. Exiting.
Invalid STARTUP_PATHS configuration option: the directory is not readable: /etc/rcS.d
root# mkdir /etc/rcS.d
root# ./hunter --nocf --propupd --autox --verbose-logging --skip-keypress --pkgmgr dpkg --hash sha512 --configfile ./hunter.conf -c
ERROR: This tool need to run as root. Exiting.
Unable to find the package database directory (/var/lib/dpkg/info) for package manager 'DPKG'.
root# mkdir -p /var/lib/dpkg/info
root# ./hunter --nocf --propupd --autox --verbose-logging --skip-keypress --pkgmgr dpkg --hash sha512 --configfile ./hunter.conf -c
ERROR: This tool need to run as root. Exiting.
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ Skipped ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
	not a dynamic executable
	not a dynamic executable
    Checking LD_LIBRARY_PATH variable                        [ OK ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /bin/bash                                                [ Warning ]
    /bin/cat                                                 [ Warning ]
    /bin/chmod                                               [ Warning ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ Warning ]
    /bin/date                                                [ Warning ]
    /bin/df                                                  [ Warning ]
    /bin/dmesg                                               [ Warning ]
    /bin/echo                                                [ OK ]
    /bin/ed                                                  [ Warning ]
    /bin/egrep                                               [ Warning ]
    /bin/fgrep                                               [ Warning ]
    /bin/fuser                                               [ Warning ]
    /bin/grep                                                [ Warning ]
    /bin/ip                                                  [ OK ]
    /bin/kill                                                [ Warning ]
    /bin/last                                                [ Warning ]
    /bin/login                                               [ OK ]
    /bin/ls                                                  [ Warning ]
    /bin/lsmod                                               [ OK ]
    /bin/mktemp                                              [ Warning ]
    /bin/more                                                [ OK ]
    /bin/mount                                               [ Warning ]
    /bin/mv                                                  [ Warning ]
    /bin/netstat                                             [ Warning ]
    /bin/ping                                                [ OK ]
    /bin/ps                                                  [ Warning ]
    /bin/pwd                                                 [ Warning ]
    /bin/readlink                                            [ Warning ]
    /bin/rpm                                                 [ OK ]
    /bin/sed                                                 [ Warning ]
    /bin/sh                                                  [ OK ]
    /bin/su                                                  [ OK ]
    /bin/touch                                               [ Warning ]
    /bin/uname                                               [ Warning ]
    /bin/busybox                                             [ Warning ]
    /bin/kmod                                                [ Warning ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/chattr                                          [ Warning ]
    /usr/bin/curl                                            [ Warning ]
    /usr/bin/cut                                             [ Warning ]
    /usr/bin/diff                                            [ Warning ]
    /usr/bin/dirname                                         [ Warning ]
    /usr/bin/dpkg                                            [ Warning ]
    /usr/bin/dpkg-query                                      [ Warning ]
    /usr/bin/du                                              [ Warning ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ Warning ]
    /usr/bin/find                                            [ Warning ]
    /usr/bin/fuser                                           [ OK ]
    /usr/bin/groups                                          [ Warning ]
    /usr/bin/head                                            [ Warning ]
    /usr/bin/id                                              [ Warning ]
    /usr/bin/ipcs                                            [ Warning ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/less                                            [ Warning ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ Warning ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/md5sum                                          [ Warning ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ Warning ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/runcon                                          [ Warning ]
    /usr/bin/sh                                              [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ Warning ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ Warning ]
    /usr/bin/sha512sum                                       [ Warning ]
    /usr/bin/sort                                            [ Warning ]
    /usr/bin/ssh                                             [ Warning ]
    /usr/bin/stat                                            [ Warning ]
    /usr/bin/sudo                                            [ Warning ]
    /usr/bin/tail                                            [ Warning ]
    /usr/bin/telnet                                          [ OK ]
    /usr/bin/test                                            [ Warning ]
    /usr/bin/top                                             [ Warning ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uniq                                            [ Warning ]
    /usr/bin/users                                           [ Warning ]
    /usr/bin/vmstat                                          [ Warning ]
    /usr/bin/watch                                           [ Warning ]
    /usr/bin/wc                                              [ Warning ]
    /usr/bin/wget                                            [ Warning ]
    /usr/bin/whereis                                         [ Warning ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/numfmt                                          [ Warning ]
    /usr/bin/gawk                                            [ Warning ]
    /usr/bin/perl5.30.0                                      [ Warning ]
    /sbin/depmod                                             [ OK ]
    /sbin/fsck                                               [ Warning ]
    /sbin/ifconfig                                           [ OK ]
    /sbin/ifdown                                             [ OK ]
    /sbin/ifup                                               [ OK ]
    /sbin/init                                               [ Warning ]
    /sbin/insmod                                             [ OK ]
    /sbin/ip                                                 [ OK ]
    /sbin/lsmod                                              [ OK ]
    /sbin/modinfo                                            [ OK ]
    /sbin/modprobe                                           [ OK ]
    /sbin/rmmod                                              [ OK ]
    /sbin/route                                              [ OK ]
    /sbin/runlevel                                           [ Warning ]
    /sbin/sulogin                                            [ OK ]
    /sbin/sysctl                                             [ Warning ]
    /sbin/syslogd                                            [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/inetd                                          [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pkg                                            [ Warning ]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Warning ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Warning ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Warning ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Warning ]
    cb Rootkit                                               [ Warning ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Warning ]
    Devil RootKit                                            [ Warning ]
    Diamorphine LKM                                          [ Not found ]
    Dica-Kit Rootkit                                         [ Warning ]
    Dreams Rootkit                                           [ Warning ]
    Duarawkz Rootkit                                         [ Not found ]
    Ebury backdoor                                           [ Warning ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    Fu Rootkit                                               [ Not found ]
    Fuck`it Rootkit                                          [ Warning ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Warning ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Jynx Rootkit                                             [ Warning ]
    Jynx2 Rootkit                                            [ Not found ]
    KBeast Rootkit                                           [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Warning ]
    Lockit / LJK2 Rootkit                                    [ Warning ]
    Mokes backdoor                                           [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Warning ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Warning ]
    R3dstorm Toolkit                                         [ Warning ]
    RH-Sharpe's Rootkit                                      [ Warning ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Warning ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Warning ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Warning ]
    Suckit Rootkit                                           [ Warning ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Warning ]
    T0rn Rootkit                                             [ Warning ]
    trNkit Rootkit                                           [ Warning ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Warning ]
    URK Rootkit                                              [ Warning ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Warning ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Warning ]

  Performing additional rootkit checks
    Suckit Rootkit additional checks                         [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ Skipped ]

  Performing malware checks
    Checking running processes for deleted files             [ Warning ]
    Checking running processes for suspicious files          [ None found ]
    Checking for hidden processes                            [ Skipped ]
    Checking for files with suspicious contents              [ Skipped ]
    Checking for login backdoors                             [ None found ]
    Checking for sniffer log files                           [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for suspicious (large) shared memory segments   [ Warning ]
    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    Checking for hidden ports                                [ Skipped ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]
    Checking for packet capturing applications               [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ Warning ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Not found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Warning ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

Checking application versions...

    Checking version of Apache                               [ Skipped ]
    Checking version of OpenSSL                              [ OK ]


System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 120
    Suspect files: 73

Rootkit checks...
    Rootkits checked : 379
    Possible rootkits: 32
    Rootkit names    : 55808 Trojan - Variant A, Adore Rootkit, BeastKit Rootkit, BOBKit Rootkit, cb Rootkit, Danny-Boy's Abuse Kit, Devil RootKit, Dica-Kit Rootkit, Dreams Rootkit, Ebury backdoor, Fuck`it Rootkit, ignoKit Rootkit, Jynx Rootkit, Li0n Worm, Lockit / LJK2 Rootkit, MRK Rootkit, Portacelo Rootkit, R3dstorm Toolkit, RH-Sharpe's Rootkit, SHV5 Rootkit, Slapper Worm, 'Spanish' Rootkit, Suckit Rootkit, TeLeKiT Rootkit, T0rn Rootkit, trNkit Rootkit, Tuxtendo Rootkit, URK Rootkit, Xzibit Rootkit, ZK Rootkit

Applications checks...
    Applications checked: 2
    Suspect applications: 0

The system checks took: 8 minutes and 52 seconds

All results have been written to the log file: rkhunter.log

137 warnings have been found while checking the system.
Please check the log file (rkhunter.log)

root# 

Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 7:39 pm
by williams2

Thought I'd do a scan on a Puppy

Running Bionicpup64 8.0.

I downloaded rkhunter 1.4.6 from http://rkhunter.sourceforge.net/

I unzipped it in /tmp/ and installed it to a dir in /tmp/ as per the readme, like this:

Code:

cd /tmp/rkhunter-1.4.6/
./installer.sh --layout custom . --install
cd files/
./rkhunter --propupd --check --sk

Results:

Code:

[14:37:57] System checks summary
[14:37:57] =====================
[14:37:57]
[14:37:57] File properties checks...
[14:37:57] Required commands check failed
[14:37:57] Files checked: 120
[14:37:57] Suspect files: 10
[14:37:57]
[14:37:57] Rootkit checks...
[14:37:57] Rootkits checked : 480
[14:37:58] Possible rootkits: 0

Most of the warnings were for files that had been replaced with a script, which is perfectly normal for Puppy.
There were warnings about the passwd and group files. Just means I haven't changed the root password from woofwoof.
Last time I ran rkhunter (a long time ago) it did not like busybox.

The result of the test: no trace of any rootkits.
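
Since the whole thread turns on whether the rkhunter copy that was run is the upstream release or a modified one, here is the check that belongs between "downloaded rkhunter 1.4.6" and "./installer.sh": verify the tarball against the checksum the publisher ships before installing it. This is an added example, not code from the thread or from the rkhunter project; the file names (rkhunter-1.4.6.tar.gz, SHA256SUMS) are placeholders, and the demo builds constructed files in a temp directory so it runs offline.

```shell
# Added example, not from the thread: check a downloaded release tarball
# against a published SHA-256 checksum file BEFORE installing it, so the
# copy that gets run is the upstream one and not a modified one.
# File names (rkhunter-1.4.6.tar.gz, SHA256SUMS) are placeholders here.

# Pick whichever SHA-256 tool is present (coreutils sha256sum or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball TARBALL CHECKSUM_FILE
# Exit status 0 if the digest listed for TARBALL's basename matches, 1 otherwise.
verify_tarball() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    [ -f "$tarball" ] || { echo "missing file: $tarball" >&2; return 1; }
    # Checksum files list "<hex>  <name>" (or "<hex> *<name>" in binary mode).
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Self-contained demonstration with constructed files in a temp directory:
# the untouched tarball verifies, a tampered copy does not.
demo_verify() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for the release tarball\n' > "$dir/rkhunter-1.4.6.tar.gz"
    # Simulate the checksum file the publisher would ship alongside the release.
    printf '%s  rkhunter-1.4.6.tar.gz\n' "$(sha256_of "$dir/rkhunter-1.4.6.tar.gz")" > "$dir/SHA256SUMS"

    if verify_tarball "$dir/rkhunter-1.4.6.tar.gz" "$dir/SHA256SUMS" >/dev/null 2>&1; then good=0; else good=1; fi

    # Tamper with the download: even one appended byte changes the digest.
    printf 'x' >> "$dir/rkhunter-1.4.6.tar.gz"
    if verify_tarball "$dir/rkhunter-1.4.6.tar.gz" "$dir/SHA256SUMS" >/dev/null 2>&1; then tampered=0; else tampered=1; fi

    rm -rf "$dir"
    echo "untouched:$good tampered:$tampered"   # expected: untouched:0 tampered:1
}

demo_verify
```

In real use the checksum (or the detached signature) has to come from a source you trust independently of the download itself; a checksum fetched from the same place as a modified tarball proves nothing. The same check applies to a binary that someone else "pre-configured" and shared: if it cannot be matched to a published digest, its scan results are not evidence of anything.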


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Thu Aug 26, 2021 8:57 pm
by fredx181
williams2 wrote: Thu Aug 26, 2021 7:39 pm

Thought I'd do a scan on a Puppy

Running Bionicpup64 8.0.

I downloaded rkhunter 1.4.6 from http://rkhunter.sourceforge.net/

I unzipped it in /tmp/ and installed it to a dir in /tmp/ as per the readme, like this:

Code:

cd /tmp/rkhunter-1.4.6/
./installer.sh --layout custom . --install
cd files/
./rkhunter --propupd --check --sk

Results:
.....

Thanks, I did the same running BusterDog and no rootkits found.
Most likely the result is the same on FossaPup64 with this rkhunter version.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Fri Aug 27, 2021 4:45 pm
by fredx181

@mcgiwer
You haven't replied yet to my question here viewtopic.php?p=35200#p35200 about the rkhunter version you shared here: viewtopic.php?p=35156#p35156:

fredx181 wrote:

Still believe this version of the hunter program is reliable??

IMO, there's enough evidence from above posts that BusterDog is NOT infected.
Do you agree? If so, would you mind editing your first post (and title) to say it's a false alarm or something like that?
TBH I don't like that people are reading some statement/report that is not true (and not all people will read this whole thread, I guess). Hope you understand.

Fred


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Mon Aug 30, 2021 3:42 pm
by mcgiwer

Sorry for the delay, but I got busy through the past few weeks.

I had used a modified version of the latest rkhunter. Changes made:

  • allowing relative paths instead of absolute ones only

  • adding the tools and scripts

  • pre-setting the configuration

Notes: as I wrote earlier, it's a suspicion of infection, not a confirmation.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Mon Aug 30, 2021 5:09 pm
by fredx181
mcgiwer wrote: Mon Aug 30, 2021 3:42 pm

Sorry for the delay, but I got busy through the past few weeks.

I had used a modified version of the latest rkhunter. Changes made:

  • allowing relative paths instead of absolute ones only

  • adding the tools and scripts

  • pre-setting the configuration

Notes: as I wrote earlier, it's a suspicion of infection, not a confirmation.

Well... that's not really an answer to my question(s) (read my previous post again, please), which in fact is: are you still suspicious that there is an infection, or not? After reading all the replies in this thread, you could come to some conclusion.
Or do you really think that I or anyone else infected it on purpose? Or, even more ridiculous, that the Debian software is infected, c'mon!

If there is no suspicion anymore, again I ask you to edit your original first post, which sounds alarming and IMO is false information.


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Mon Aug 30, 2021 5:49 pm
by williams2

I tested BionicPup64 with the current rkhunter from sourceforge, which finds no rootkits.

I added unhide and unhide-tcp, and enabled the unhide tests in rkhunter.conf.

That causes it to report a suspicion of 1 rootkit found.
As far as I can tell, unhide finds nothing, but unhide-tcp finds some "hidden ports."
One is port 631, which is the cups printer server.
The other "hidden port" is port 53, which is my dnsmasq dns caching server.
netstat shows these "hidden ports", of course.

I think the report of 1 suspicious possible rootkit is because of the "hidden ports" that were found.
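
A triage step for exactly the situation described in this post, as an added example (not from the thread, and not part of rkhunter or unhide): cross-check each port that unhide-tcp flagged as "hidden" against the kernel's own socket table, i.e. the output of `ss -tlnp`. A port the kernel lists with an owning process (631 for cupsd, 53 for dnsmasq here) is not hidden at all; a flagged port with no visible listener is the one worth investigating. The `ss` listing and the extra port 4444 are constructed sample data.

```shell
# Added example, not from the thread or from rkhunter/unhide: cross-check
# ports that unhide-tcp reported as "hidden" against the kernel's own socket
# table (the output of `ss -tlnp`). A port the kernel lists, with an owning
# process, is not hidden at all; a flagged port with no visible listener is
# the one worth looking into. The listing below is constructed sample data;
# on a live system capture it with: ss -tlnp (run as root to see the Process column).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=812,fd=7))
LISTEN  0       32      0.0.0.0:53          0.0.0.0:*          users:(("dnsmasq",pid=655,fd=5))
LISTEN  0       128     [::1]:631           [::]:*             users:(("cupsd",pid=812,fd=8))'

# listener_for PORT LISTING
# Prints the process name that owns a LISTEN socket on PORT, or nothing.
listener_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4; sub(/.*:/, "", addr)          # keep only the port part
            if (addr == port) {
                proc = $6
                if (match(proc, /"[^"]+"/))           # users:(("cupsd",pid=...))
                    proc = substr(proc, RSTART + 1, RLENGTH - 2)
                else
                    proc = "unknown process"          # ss run without -p or unprivileged
                print proc; exit
            }
        }'
}

# classify_hidden_ports "PORT PORT ..." LISTING
# One line per flagged port: either the visible owner, or "investigate".
classify_hidden_ports() {
    for p in $1; do
        owner=$(listener_for "$p" "$2")
        if [ -n "$owner" ]; then
            echo "port $p: visible listener ($owner), so not actually hidden"
        else
            echo "port $p: no visible listener, investigate"
        fi
    done
}

# count_unexplained "PORT PORT ..." LISTING
# Number of flagged ports that no visible listener accounts for.
count_unexplained() {
    classify_hidden_ports "$1" "$2" | grep -c investigate || true
}

# The two ports from the post above (631 = cupsd, 53 = dnsmasq) plus one
# constructed port with nothing listening behind it.
classify_hidden_ports "631 53 4444" "$SAMPLE_SS"
```

The point of the comparison is that a rootkit hiding a socket has to hide it from the kernel's own accounting (`ss`, `netstat`, `/proc/net/tcp`), so a port that those tools show plainly, with a process name attached, is a known service and not a finding. Only ports that remain unexplained after this step justify the "possible rootkit" line in the summary.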


Re: [WARNING] Possible infected ISO of BusterDog

Posted: Mon Aug 30, 2021 6:27 pm
by fredx181
williams2 wrote: Mon Aug 30, 2021 5:49 pm

I tested BionicPup64 with the current rkhunter from sourceforge, which finds no rootkits.

I added unhide and unhide-tcp, and enabled the unhide tests in rkhunter.conf.

That causes it to report a suspicion of 1 rootkit found.
As far as I can tell, unhide finds nothing, but unhide-tcp finds some "hidden ports."
One is port 631, which is the cups printer server.
The other "hidden port" is port 53, which is my dnsmasq dns caching server.
netstat shows these "hidden ports", of course.

I think the report of 1 suspicious possible rootkit is because of the "hidden ports" that were found.

Thanks, that may be valuable info, but you are using the official rkhunter and we've seen the outcome of that enough. I think the main point in this discussion is that the OP uses a modified version of rkhunter, and IMO the question is whether that version can be trusted (I don't think so).