Package: chkrootkit
Version: 0.57-2+b6
Severity: normal
I got the following alert:
------------------------------------------------------------------------
Subject: [chkrootkit] alert for joooj.vinc17.net
chkrootkit output was not as expected.
The difference is:
--- [ BEGIN: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---
--- /var/log/chkrootkit/log.expected 2024-11-24 18:41:09.278624066 +0100
+++ /var/log/chkrootkit/log.today 2025-10-27 00:00:50.680156479 +0100
@@ -144,7 +144,8 @@
Searching for RotaJakiro backdoor rootkit... not found
Searching for Syslogk LKM rootkit... not found
Searching for Kovid LKM rootkit... not tested
-Searching for suspect PHP files... not found
+Searching for suspect PHP files... /usr/bin/find:
‘/var/tmp/systemd-private-f40df39b74cd464c8f5ac59a4648f5a6-logrotate.service-gDYDJi’:
No such file or directory
+not found
Searching for zero-size shell history files... not tested
Searching for hardlinked shell history files... not tested
Checking `aliens'... finished
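Review bot: the `+Searching for suspect PHP files... /usr/bin/find:` line is find's stderr interleaved into the report, not a PHP finding: the missing path is a systemd PrivateTmp directory of logrotate.service (`/var/tmp/systemd-private-<id>-logrotate.service-<random>`), which went away while find was still walking /var/tmp, so the 00:00:50 daily run raced with logrotate. Because the warning is printed between the "Searching for ..." prefix and its result, the result ends up on its own `+not found` line and the diff against log.expected fires. Either run the PHP-file find with stderr discarded, or have the Debian FILTER drop `No such file or directory` fragments and re-join the split result line, so that a transient directory cannot produce an alert.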
--- [ END: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---
To update the expected output, run (as root)
# cp -a -f /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected
# (note that unedited output is in /var/log/chkrootkit/log.today.raw)
------------------------------------------------------------------------
"No such file or directory" warnings from /usr/bin/find should be
filtered out.
-- System Information:
Debian Release: 12.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable-debug'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-40-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages chkrootkit depends on:
ii libc6 2.36-9+deb12u13
Versions of packages chkrootkit recommends:
ii binutils 2.40-2
ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1
ii cron [cron-daemon] 3.0pl1-162
ii iproute2 6.1.0-3
ii mailutils [mailx] 1:3.15-4
ii net-tools 2.10-0.1+deb12u2
ii postfix [mail-transport-agent] 3.7.11-0+deb12u1
ii procps 2:4.0.2-3
ii systemd-sysv 252.39-1~deb12u1
chkrootkit suggests no packages.
-- Configuration Files:
/etc/chkrootkit/chkrootkit.conf changed:
RUN_DAILY="true"
RUN_DAILY_OPTS=""
DIFF_MODE="true"
FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/' -e '/^Checking/{x;s/.*//;x};/^Checking.*bindshell/h;x;/./{x;d};x'"
IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore"
MAILTO="root"
-- no debconf information
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
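One way to do the filtering the report asks for, as an added example that is not part of the bug report or of the chkrootkit package: an awk program, suitable for appending to the Debian FILTER pipeline, that removes find's "No such file or directory" fragments wherever they land and re-joins the "Searching for ..." line that the interleaved stderr message split. It assumes the warning has the shape `/usr/bin/find: ‘<path>’: No such file or directory` and that the path contains no colon (true for systemd PrivateTmp directories); the sample log lines are constructed from the diff above.

```sh
#!/bin/sh
# Added example, not code from chkrootkit or its Debian packaging.
# Strips find(1) "No such file or directory" noise from chkrootkit output
# and repairs the "Searching for X... " line that the stderr message cut
# in two, so diff mode sees "Searching for X... not found" as before.
# Assumption: the warning looks like
#   /usr/bin/find: ‘<path>’: No such file or directory
# and <path> contains no ':'.

filter_find_warnings() {
    awk '
    {
        stripped = 0
        # Remove every find warning fragment on this line, wherever it landed.
        while (match($0, /\/usr\/bin\/find: [^:]*: No such file or directory/)) {
            $0 = substr($0, 1, RSTART - 1) substr($0, RSTART + RLENGTH)
            stripped = 1
        }
        # A warning that occupied a whole line leaves nothing worth keeping.
        if (stripped && $0 ~ /^[ \t]*$/) next
        # Prepend a held "Searching for ... " prefix to the result that follows it.
        if (pending != "") { $0 = pending $0; pending = "" }
        # A line that now ends in "..." lost its result to the warning: hold it.
        if ($0 ~ /\.\.\.[ \t]*$/) { sub(/[ \t]*$/, " ", $0); pending = $0; next }
        print
    }
    END { if (pending != "") print pending }
    '
}

# Constructed sample: the lines around the spurious alert, with the find
# warning interleaved the way log.today.raw would carry it.
sample_log() {
    printf '%s\n' \
        'Searching for Kovid LKM rootkit... not tested' \
        'Searching for suspect PHP files... /usr/bin/find: ‘/var/tmp/systemd-private-f40df39b74cd464c8f5ac59a4648f5a6-logrotate.service-gDYDJi’: No such file or directory' \
        'not found' \
        'Searching for zero-size shell history files... not tested'
}

# What the filtered output should look like (matches log.expected).
expected_log() {
    printf '%s\n' \
        'Searching for Kovid LKM rootkit... not tested' \
        'Searching for suspect PHP files... not found' \
        'Searching for zero-size shell history files... not tested'
}

sample_log | filter_find_warnings
```

To wire it into the daily run, the awk program can be appended to the existing FILTER value in /etc/chkrootkit/chkrootkit.conf as a further pipeline stage (`FILTER="sed ... | awk '...'"`), since the package pipes the raw output through whatever command FILTER names before diffing it against log.expected.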