#33 Jynx undetected

Rkhunter (37)

The most recent stable version of rkhunter failed to detect Jynx on my machine. The rootkit was not installed in one of the typical locations "/xochikit" or "/omgxochi", but resided in "/var/local/^^" instead. Reading "/var/local" with "ls" was prevented by the rootkit (it resulted in an error). Also, "/etc/ld.so.preload" was made invisible by the rootkit. I was able to detect the rootkit by running "ldd" against any executable, which listed the library "ld_poison.so" as a prerequisite. "lsof | grep ld_poison" showed that the library was loaded by many processes. Furthermore, launching 32-bit executables showed an error that "ld_poison.so" could not be loaded, because the OS was 64-bit and the library obviously was, too. 32-bit executables ran fine regardless. I suggest that the detection mechanism of rkhunter be extended by the methods which allowed me to detect the presence of the rootkit. I am sorry, I cannot provide logs, because the OS has been wiped. If you have any questions, I will do my best to answer them, though.


  • John Horne - 2012-08-09

    Can I ask how ' "/etc/ld.so.preload" was made invisible'?

    I suspect that if the SCANROOTKITMODE was set to thorough, then the rootkit would have been detected. However, use of that option is not recommended.

    Perhaps extend the shared_libs check to run ldd against a common binary and check the output against a list of known bad libraries? And/or run lsof and again check against the list. Perhaps use a '.dat' file??
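The ldd and lsof checks described in the report and sketched in the comment above, written here as an added example (this is not rkhunter's own code and not its '.dat' mechanism): the functions match captured command output against a known-bad library name, so they run offline on the constructed samples at the bottom. The name ld_poison.so and the path /var/local/^^ come from the report; the sample lines, PIDs and addresses are constructed.

```shell
#!/bin/sh
# Added example, not rkhunter code. KNOWN_BAD holds the one library name the
# report gives; a real check would load such names from a signature file.
KNOWN_BAD='ld_poison.so'

# Print every line of ldd-style output ($1) that names a known-bad library.
# ldd lists one dependency per line, so a preloaded object shows up even
# when /etc/ld.so.preload itself is hidden from directory listings.
bad_ldd_lines() {
    printf '%s\n' "$1" | grep -F -e "$KNOWN_BAD" || true
}

# Count distinct PIDs (lsof field 2) in lsof-style output ($1) that have a
# known-bad library mapped. Many unrelated processes sharing one odd library
# is the signal the reporter saw with "lsof | grep ld_poison".
bad_lsof_pids() {
    printf '%s\n' "$1" | grep -F -e "$KNOWN_BAD" | awk '{print $2}' \
        | sort -u | wc -l | tr -d ' '
}

# Count dynamic-loader complaints in captured stderr ($1). glibc's loader
# reports a preload object it cannot load (for instance a 64-bit library in
# a 32-bit process), which leaks the hidden preload entry's name.
loader_preload_errors() {
    printf '%s\n' "$1" | grep -c 'cannot be preloaded' || true
}

# Live variant: run ldd against a common binary, if ldd is available.
check_host() {
    bin=$(command -v ls) || return 0
    bad_ldd_lines "$(ldd "$bin" 2>/dev/null)"
}

# Constructed sample output (not captured from the reporter's host).
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd00000000)
/var/local/^^/ld_poison.so (0x00007f0000000000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0100000000)'
SAMPLE_LSOF='bash 1234 root mem REG 8,1 20000 99 /var/local/^^/ld_poison.so
sshd 2345 root mem REG 8,1 20000 99 /var/local/^^/ld_poison.so
bash 1234 root mem REG 8,1 1900000 77 /lib/x86_64-linux-gnu/libc.so.6'
SAMPLE_ERR="ERROR: ld.so: object 'ld_poison.so' from /etc/ld.so.preload cannot be preloaded: ignored."

bad_ldd_lines "$SAMPLE_LDD"          # one line naming ld_poison.so
bad_lsof_pids "$SAMPLE_LSOF"         # 2
loader_preload_errors "$SAMPLE_ERR"  # 1
check_host                           # prints nothing on a clean host
```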

  • tpv5f9 - 2012-08-13

    The rootkit (in particular ld_poison) overwrites functions necessary for directory listings, e.g., stat(). I assume it made /etc/ld.so.preload invisible simply by omitting it from the result of certain functions.

    Your suggested methods of detecting the particular rootkit on my system sound like they would work. I am not sure, though, what you mean by '.dat' file.

    Thanks for looking into this and your effort in general!

  • unSpawn - 2014-04-18

    Fixed with rkhunter-1.4.2 ClamAV sig RKH_jynx.ldb.

  • unSpawn - 2014-04-18
    • status: open --> closed-fixed
    • Group: --> main
