Tiny Core Linux
		Tiny Core Base => TCB Q&A Forum => Topic started by: jrm7262 on January 30, 2011, 11:23:52 AM
		
			
			- 
				Hi All, 
 
 Downloaded, compiled and ran "chkrootkit" and got the following results:
 
 Checking `basename'... INFECTED
 Checking `date'... unknown shell '%s', assuming bash INFECTED
 Checking `dirname'... INFECTED
 Checking `echo'... INFECTED
 Checking `env'... INFECTED
 Checking `netstat'... INFECTED
 Checking `passwd'... INFECTED
 Checking `traceroute'... INFECTED
 Searching for Suckit rootkit... Warning: /sbin/init INFECTED
 Checking `lkm'... You have     3 process hidden for ps command
 chkproc: Warning: Possible LKM Trojan installed
 Checking `sniffer'... wlan0: PF_PACKET(/tmp/tcloop/wpa_supplicant/usr/local/sbin/wpa_supplicant)
 
 Either my system has been badly infected or something else may be going on here.
 Since my understanding of tinycore could be described as minimal at best, can anyone else give me an insight?
 
 Kindest regards
 James
 
- 
 FWIW, all the executables marked as 'INFECTED' are busybox applets, i.e. symlinks pointing to /bin/busybox
- 
				They are false alarms. Chkrootkit doesn't like busybox, which is what we use to provide several of the core utilities. Google this and you will see many distros that use busybox have the same result. 
 
 Chkrootkit basically is not able to test busybox and cannot handle the fact that the busybox binary has code for many applets. Therefore, when checking, for example, echo, it will see in the binary code that chkrootkit would not normally see, because echo is not just echo but instead a link to busybox.
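
One way to confirm the explanation in the replies above on a given system, as an added example that is not part of the original thread: the script reports whether each binary chkrootkit flagged is a symlink resolving to a file named busybox. The function names and the list of searched directories are assumptions.

```shell
#!/bin/sh
# Added example: triage chkrootkit "INFECTED" hits on a BusyBox-based system.

# is_busybox_applet PATH
# Succeeds only if PATH is a symlink whose fully resolved target is named "busybox".
is_busybox_applet() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "busybox" ]
}

# triage_flagged ROOT NAME...
# Prints one line per NAME found under ROOT:
#   "<name> busybox-applet <target>"  symlink to busybox (expected chkrootkit noise)
#   "<name> standalone <path>"        separate file or other link: check it on its own
#   "<name> missing"                  not found in the searched directories
triage_flagged() {
    root=$1; shift
    for name in "$@"; do
        found=
        # Directory list is an assumption; adjust for the system being checked.
        for dir in bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin; do
            p="$root/$dir/$name"
            if [ -e "$p" ] || [ -L "$p" ]; then found=$p; break; fi
        done
        if [ -z "$found" ]; then
            echo "$name missing"
        elif is_busybox_applet "$found"; then
            echo "$name busybox-applet $(readlink -f "$found")"
        else
            echo "$name standalone $found"
        fi
    done
}

# Names taken from the chkrootkit output quoted in the thread.
FLAGGED="basename date dirname echo env netstat passwd traceroute"

# Check the live system only when invoked as: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage_flagged "" $FLAGGED
fi
```

A `busybox-applet` result accounts for the signature hit on that applet; it does not verify the busybox binary itself, which needs a hash comparison against a known-good copy from the distribution.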
- 
				Thank you both for your replies.
 
 Kindest regards
 James