
Author Topic: TinyCore Infected ?  (Read 2632 times)

Offline jrm7262

  • Newbie
  • *
  • Posts: 22
TinyCore Infected ?
« on: January 30, 2011, 11:23:52 AM »
Hi All,

Downloaded, compiled and ran "chkrootkit" and got the following results:

Checking `basename'... INFECTED
Checking `date'... unknown shell '%s', assuming bash INFECTED
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `env'... INFECTED
Checking `netstat'... INFECTED
Checking `passwd'... INFECTED
Checking `traceroute'... INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `lkm'... You have     3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... wlan0: PF_PACKET(/tmp/tcloop/wpa_supplicant/usr/local/sbin/wpa_supplicant)

Either my system has been badly infected or something else may be going on here.
Since my understanding of tinycore could be described as minimal at best, can anyone else give me an insight?

Kindest regards
James

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: TinyCore Infected ?
« Reply #1 on: January 30, 2011, 12:47:03 PM »
FWIW, all the executables marked as 'INFECTED' are busybox applets, i.e. symlinks pointing to /bin/busybox
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline roberts

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 7361
  • Founder Emeritus
Re: TinyCore Infected ?
« Reply #2 on: January 30, 2011, 02:01:34 PM »
They are false alarms. Chkroot doesn't like busybox, which is what we use to provide several of the core utilities. Google this and you will see many distros that use busybox have the same result.

Chkrootkit basically is not able to test busybox and cannot handle the fact that the busybox binary has code for many applets. Therefore, when checking, for example, echo, it will see code in the binary that chkrootkit would not normally see, because echo is not just echo but instead a link to busybox.
10+ Years Contributing to Linux Open Source Projects.
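
Added example, not part of the thread or of chkrootkit: a small triage script that takes chkrootkit output like the one posted above and reports whether each flagged command is a symlink to busybox, as the replies describe. The function names, the directory list and the temporary test root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check whether each command chkrootkit
# flagged is a symlink to busybox. Names and directory list are assumptions.

# Read chkrootkit output on stdin; print each flagged command name.
flagged_cmds() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\..*INFECTED.*/\1/p"
}

# classify ROOT CMD: print busybox-applet, standalone, or missing.
classify() {
    for dir in bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin; do
        p="$1/$dir/$2"
        [ -e "$p" ] || [ -L "$p" ] || continue   # -L: keep dangling symlinks
        if [ -L "$p" ] && [ "$(basename "$(readlink "$p")")" = busybox ]; then
            echo busybox-applet
        else
            echo standalone
        fi
        return 0
    done
    echo missing
}

# triage ROOT: chkrootkit output on stdin -> "cmd: verdict" lines.
triage() {
    flagged_cmds | while read -r name; do
        printf '%s: %s\n' "$name" "$(classify "$1" "$name")"
    done
}

# Constructed demo: throwaway root, two applet symlinks, one regular file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/bin"
    : > "$tmp/bin/busybox"
    ln -s busybox "$tmp/bin/echo"
    ln -s /bin/busybox "$tmp/bin/date"
    : > "$tmp/usr/bin/traceroute"
    triage "$tmp" <<'EOF'
Checking `date'... unknown shell '%s', assuming bash INFECTED
Checking `echo'... INFECTED
Checking `traceroute'... INFECTED
Checking `lkm'... You have     3 process hidden for ps command
EOF
    rm -rf "$tmp"
}

demo
```

A `busybox-applet` verdict only explains why the per-command check fires; the integrity of the busybox binary itself, and any `standalone` hit, still needs to be verified separately.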

Offline jrm7262

  • Newbie
  • *
  • Posts: 22
Re: TinyCore Infected ?
« Reply #3 on: January 30, 2011, 03:20:32 PM »
Thank you both for your replies.

Kindest regards
James