HPE Community
Operating System - HP-UX
1827701 Members
3002 Online
109967 Solutions
New Discussion

Should init contain string HOME in HPUX 11.0?

 
SOLVED
Go to solution
Gavin Clarke
Trusted Contributor

‎07-15-2003 05:53 AM

‎07-15-2003 05:53 AM

Should init contain string HOME in HPUX 11.0?

The reason I ask is that I've just run chkrootkit (see www.chkrootkit.org) and it says we've got a suckit rootkit on our machines (all of them).

This is a scary thing for me. Still we looked a bit harder and the reason it thinks we've got suckit is that the string HOME appears in /sbin/init.

Please advise me what you find, I'd love to know whether I'm getting excited over nothing or not.
0 Kudos
Reply
20 REPLIES 20
Pete Randall
Outstanding Contributor

‎07-15-2003 05:56 AM

‎07-15-2003 05:56 AM

Solution

Re: Should init contain string HOME in HPUX 11.0?

strings /sbin/init |grep -i home
HOME=

Mine does, too. I think it's normal.


Pete


Pete
Reply
Gavin Clarke
Trusted Contributor

‎07-15-2003 05:58 AM

‎07-15-2003 05:58 AM

Re: Should init contain string HOME in HPUX 11.0?

Can I ask a few more questions relating to chkrootkit please?

Like does login contain 7 ^root$ entries?
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-15-2003 06:08 AM

‎07-15-2003 06:08 AM

Re: Should init contain string HOME in HPUX 11.0?

$ strings /usr/bin/login |grep ^root$
root
root
root
root
root
root
root


That's 7 by my count.


Pete


Pete
Reply
Gavin Clarke
Trusted Contributor

‎07-15-2003 06:15 AM

‎07-15-2003 06:15 AM

Re: Should init contain string HOME in HPUX 11.0?

Rock On!

How about mail, is it setuid?
Here's an ll (not that I trust it).


-r-sr-sr-x 2 root mail 45056 Nov 7 1997 /usr/bin/mail


Perhaps a better question would be where on the various disks I've got can I find a trustworthy version of ll?
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-15-2003 06:18 AM

‎07-15-2003 06:18 AM

Re: Should init contain string HOME in HPUX 11.0?

$ ll /usr/bin/mail
-r-sr-sr-x 2 root mail 45056 Nov 14 2000 /usr/bin/mail


I'm not sure where you might locate a trusty version.


Pete


Pete
Reply
Gavin Clarke
Trusted Contributor

‎07-15-2003 06:27 AM

‎07-15-2003 06:27 AM

Re: Should init contain string HOME in HPUX 11.0?

Hmmm, apart from the date, it looks pretty good to me.

So in summary:

I ran chkrootkit.041 which www.chkrootkit.org said had been tested on HPUX 11.0.

It then came back with results:
/sbin/ifconfig: No such file or directory
/sbin/ifconfig: No such file or directory
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `mail'... INFECTED
Checking `passwd'... INFECTED
/usr/lib/.unix95
/usr/lib/.unix95
/usr/lib/security
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_updbe.1
Warning: /sbin/init INFECTED

ifconfig is obviously not quite right since it's looking in the wrong place.
login, mail and init we've just covered.

So I guess the logical conclusion is that chkrootkit isn't quite working for HPUX 11.0.

Or the cracker has very cleverly covered their tracks.

Or I'm missing something.

Thanks for all the help so far, how many points do you want for the rest of the answers, they're all good?
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-15-2003 06:33 AM

‎07-15-2003 06:33 AM

Re: Should init contain string HOME in HPUX 11.0?

Gavin,

A nice offer, but it's up to you! Glad to be of help.


Pete


Pete
0 Kudos
Reply
Gavin Clarke
Trusted Contributor

‎07-15-2003 06:37 AM

‎07-15-2003 06:37 AM

Re: Should init contain string HOME in HPUX 11.0?

You have been tremendously helpful.

I feel somewhat less like the world is out to get me, which is good.

You'll just have to put up with the indistinguishable 9 points for each answer then. Thanks for your lightning fast response.
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-15-2003 06:40 AM

‎07-15-2003 06:40 AM

Re: Should init contain string HOME in HPUX 11.0?

Thanks, Gavin. Good luck!


Pete


Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-15-2003 06:46 AM

‎07-15-2003 06:46 AM

Re: Should init contain string HOME in HPUX 11.0?

Gavin,

I can put your mind to rest on the date issue - I was on the wrong system. Here's my 11.0 version:

# ll /usr/bin/mail
-r-sr-sr-x 2 root mail 45056 Nov 7 1997 /usr/bin/mail


Pete


Pete
Reply
Gavin Clarke
Trusted Contributor

‎07-15-2003 06:56 AM

‎07-15-2003 06:56 AM

Re: Should init contain string HOME in HPUX 11.0?

You're just after the points now !]
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-15-2003 06:58 AM

‎07-15-2003 06:58 AM

Re: Should init contain string HOME in HPUX 11.0?

I am known as a bit of a point monger, but actually I was just trying to set the record straight.

;^)

Pete

Pete
0 Kudos
Reply
Gavin Clarke
Trusted Contributor

‎07-15-2003 07:32 AM

‎07-15-2003 07:32 AM

Re: Should init contain string HOME in HPUX 11.0?

I'm glad you did, otherwise I'd have a small detail to worry over incessantly.

Now all I've got to worry about is an absence of any hard evidence that anything's wrong.

There's always the, "Maybe there's a monster living under my bed?" to go back to I suppose.
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-19-2003 04:04 PM

‎07-19-2003 04:04 PM

Re: Should init contain string HOME in HPUX 11.0?

Hi,

I am indeed surprised that chkrootkit isn't truly ported over to HP-UX. I have tested chkrootkit on Linux and Solaris, and I have found it to be rather reliable so far.

I suggest that you feedback to chkrootkit's development team on the large number of false positives. A concerned person running chkrootkit might just reformat his entire system to be on the safe side!

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
Gavin Clarke
Trusted Contributor

‎07-20-2003 11:51 PM

‎07-20-2003 11:51 PM

Re: Should init contain string HOME in HPUX 11.0?

It's very possible I'm doing something wrong.

I haven't installed gcc so the make sense, didn't run. Since there was a script there I ran it anyway, perhaps the make changes the script to take out these bits.

It did flip me out a bit so I went off in headless chicken mode for a while.

I shall see what chkrootkit have to say on the matter.
0 Kudos
Reply
Tony Tibbenham
Advisor

‎08-13-2004 04:38 AM

‎08-13-2004 04:38 AM

Re: Should init contain string HOME in HPUX 11.0?

We see similar results with chkrootkit 0.42b
on 2 old HP-UX 11 boxes.
Also tested chkrootkit 0.43

We also saw the ifconfig not found / ifconfig infected confusion after noting there was an ifconfig in /usr/sbin.
So we hacked the chkrootkit script to find the real ifconfig and 'hey presto' no more 'infected' flag on ifconfig!

# diff chkrootkit chkrootkit.original
2083c2083
< CMD="/usr/sbin/ifconfig"
---
> CMD="${ROOTDIR}sbin/ifconfig"
#

Now to explore the other 'infected' flags and see if they are more 'false positives'.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎08-14-2004 01:15 PM

‎08-14-2004 01:15 PM

Re: Should init contain string HOME in HPUX 11.0?

I would be very concerned about the use of the word INFECTED rather than the accurate statement: NOT FOUND. Seems like a poor programming technique. And the fact that chkrootkit is looking for /sbin/ifconfig is a concern since ifconfig has never been in /sbin. In fact, /sbin won't have any networking commands since /sbin is only used for single user mode (where there is no networking). With such basic errors, I would be concerned that the package may have other errors such as false negatives (infected but not reported), and may have never been adequately tested on current versions of HP-UX.


Bill Hassell, sysadmin
Reply
Tony Tibbenham
Advisor

‎08-15-2004 10:00 PM

‎08-15-2004 10:00 PM

Re: Should init contain string HOME in HPUX 11.0?

It DID say ifconfig not found .. then also said the file it had not found was 'infected' .. hence my quick hack to indicate that the real ifconfig was not infected.

I had a fast response from the
chkrootkit maintainers who promise a fix to the ifconfig test miss-reporting 'infected' in chkrootkit 0.44
0 Kudos
Reply
Gavin Clarke
Trusted Contributor

‎08-26-2004 10:42 PM

‎08-26-2004 10:42 PM

Re: Should init contain string HOME in HPUX 11.0?

I agree that I was left feeling unsure how much help the tool had been. Having said that the authors were very quick to respond to me too.
It's amazing to think that people will actually provide tools like this for free.

There is no substitute for a really in depth knowledge of the OS. Hopefully one day I'll get there.

Thanks to all who replied.
0 Kudos
Reply
Tony Tibbenham
Advisor

‎12-14-2004 01:24 AM

‎12-14-2004 01:24 AM

Re: Should init contain string HOME in HPUX 11.0?

chkrootkit 0.44 compiled and ran on my HP-UX 11 using gcc 3.2 and a a patch suggested in
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=249747

I now get no false 'infected' results and am satisfied that chkrootkit 0.44 is useful to see if any obvious rootkit tell-tales have been left behind.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.