
I used chkrootkit recently and it turned up the following:

```
/usr/lib/pymodules/python2.7/.path
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/jvm/.java-1.7.0-openjdk-i386.jinfo
/usr/lib/jvm/.java-8-oracle.jinfo
/usr/lib/jvm/java-8-oracle/lib/missioncontrol/plugins/org.eclipse.core.runtime.compatibility.registry_3.5.100.v20120521-2346/.api_description
/usr/lib/jvm/java-8-oracle/lib/missioncontrol/p2/org.eclipse.equinox.p2.engine/.settings
/usr/lib/jvm/java-8-oracle/lib/missioncontrol/p2/org.eclipse.equinox.p2.engine/profileRegistry/JMC.profile/.lock
/usr/lib/jvm/java-8-oracle/lib/missioncontrol/p2/org.eclipse.equinox.p2.engine/profileRegistry/JMC.profile/.data
/usr/lib/jvm/java-8-oracle/lib/visualvm/platform/.lastModified
/usr/lib/jvm/java-8-oracle/lib/visualvm/profiler/.lastModified
/usr/lib/jvm/java-8-oracle/lib/visualvm/visualvm/.lastModified
/usr/lib/jvm/java-8-oracle/lib/missioncontrol/p2/org.eclipse.equinox.p2.engine/.settings
/usr/lib/jvm/java-8-oracle/lib/missioncontrol/p2/org.eclipse.equinox.p2.engine/profileRegistry/JMC.profile/.data
```

and also:

```
Searching for Suckit rootkit...
Warning: /sbin/init INFECTED
```
muru
  • Please provide proof you are using an update reference file. How many times did you scan? One? Please do 3, 4 or 5 times and if those turn blank it is a fake warning. 99.9999% of these warnings are due to -normal- changes and an out of date reference file. – Rinzwind Mar 03 '15 at 19:07
  • Also have a look here http://askubuntu.com/questions/587872/chkrootkit-scanner-detected-possible-klm-trojan/587903#587903 – Rinzwind Mar 03 '15 at 19:08
  • "chkrootkit" does not do full checks for additional files with "Suckit rootkit", so almost certainly a false positive, a tool which is much better than this tool and does not make these sorts of mistakes anymore is called "rkhunter", I would recommend that instead of the tool you are using. –  Mar 03 '15 at 19:12
  • @Toroidal: Could you please convert that to an answer so that schmucks like me who go around hunting for unanswered questions don't have to look at this one any more. ;-) (And I'll upvote if you drop me a note and it's a good one too!) – Fabby Mar 03 '15 at 21:23
  • Thanks Rinzwind, I'll try again. I did only scan once from what I believe to be an updated reference file. I should have pointed out I'm a noob to Ubuntu. If there's no change I'll ask again. – Tony Bartlett Mar 03 '15 at 22:06

1 Answer

0

chkrootkit does not do full checks for additional files with "Suckit rootkit", so this is almost certainly a false-positive.

A tool which I would instead recommend using is called rkhunter, and this is because it does do additional file checks for Suckit Rootkit, and so does not make the same mistake.

You can install rkhunter with:

```
sudo apt-get install rkhunter
```

Read this for more information on chkrootkit detecting Suckit Rootkit's presence on the system, when in fact it is not present on the system: https://askubuntu.com/a/25179/364819

  • @TonyBartlett: If this answer helped you, don't forget to click the grey **☑** under the "0" at the left of this text, which means "yes, this answer is valid"! ;-) – Fabby Apr 14 '15 at 10:35
  • @Fabby: Ah, but it is no longer a `0`. **;-)** –  Aug 26 '15 at 17:12
  • Sorry I upvoted! :P ;-) But he'll see it when he gets back on-line (2 April last time seen) – Fabby Aug 26 '15 at 21:12
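
As an added example (not part of the answer above, and not code from chkrootkit or rkhunter): one way to check whether a file reported as INFECTED still matches the checksum recorded by its Debian/Ubuntu package. The function names and the sample report are constructed for illustration, and it assumes dpkg's standard `/var/lib/dpkg/info/*.md5sums` files.

```python
"""Check a chkrootkit-flagged file against dpkg's recorded MD5 sums."""
import hashlib
import os
import re

# Constructed sample, copied from the output quoted in the question.
SAMPLE_REPORT = """\
Searching for Suckit rootkit...
Warning: /sbin/init INFECTED
"""

def infected_paths(report):
    """Return the paths a chkrootkit report marks as INFECTED."""
    return re.findall(r"^Warning: (/\S+) INFECTED", report, flags=re.M)

def md5_of(path):
    """MD5 of a file's contents (dpkg's .md5sums files store MD5)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_against_dpkg(path, info_dir="/var/lib/dpkg/info"):
    """Return (status, package); status is 'match', 'MODIFIED' or 'unowned'."""
    real = os.path.realpath(path)   # /sbin/init is often a symlink
    wanted = real.lstrip("/")       # .md5sums entries have no leading slash
    for name in sorted(os.listdir(info_dir)):
        if not name.endswith(".md5sums"):
            continue
        with open(os.path.join(info_dir, name), errors="replace") as fh:
            for line in fh:
                recorded, _, rel = line.rstrip("\n").partition("  ")
                if rel == wanted:
                    pkg = name[: -len(".md5sums")]
                    status = "match" if md5_of(real) == recorded else "MODIFIED"
                    return status, pkg
    return "unowned", None

if __name__ == "__main__":
    for flagged in infected_paths(SAMPLE_REPORT):
        if os.path.isdir("/var/lib/dpkg/info") and os.path.exists(flagged):
            print(flagged, *check_against_dpkg(flagged))
```

An "unowned" result is not evidence of compromise: files created at run time or by installer scripts are not in any package's list, and on merged-/usr systems the recorded path may differ from the resolved one. The local database can only be trusted as far as the system itself, so a "match" is a first-pass check.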