Windigo Notification/Ebury Warning in Chkrootkit run
Recently ran Chkrootkit on my F22 Workstation. It produced an Ebury malware warning. Checked through the postings on the 'Net and found it is a server bot problem, but nothing vis-à-vis a problem on a home workstation installation. Still took the advice and reinstalled F22 WS after deleting all partitions on the drive. Set the system up, reran Chkrootkit, and it is still showing up.
Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation? Thanks all.
Or did you follow bad advice and DISABLE it? Did you use the VERY BAD idea of "the pam hack" and enable ROOT gui login -- if so -- not good. If you are using normal everyday "best practices" then it is unlikely to be a real warning, BUT if you ARE logging into Gnome as root and disabled SELinux and are installing random programs from random sites -- then it might be real. Also, HOW was chkrootkit installed? From the 2014 (0.5) chkrootkit.tar.gz at http://www.chkrootkit.org/ (the static-glibc needs to be installed to build it) or using DNF?
More data for Ebury problem
ssh -G

Produced the infected text message.

ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x6c6c6536 0          root       600        4096       0
0x00000000 20414466   ngn_user   600        4194304    2          dest
0x00000000 1409028    ngn_user   600        524288     2          dest
0x00000000 20021254   ngn_user   600        2097152    2          dest
0x00000000 20447239   ngn_user   600        2304       2          dest

ipcs -mp

------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       345        345
20414466   ngn_user   423        503
1409028    ngn_user   2597       389
20021254   ngn_user   5077       2358
20447239   ngn_user   2865       2358

The examination of libkeyutils produced a file size within the 15K size, as opposed to a much larger infected size. The summary of the various tests that are described in the many different documents I found online is: it looks like an infection for chkrootkit, is a no-show for rkhunter, shows up for ssh -G, and falls within the expected for libkeyutils size and ipcs. After all this, I went with caution and reinstalled what I considered a clean version of F22 WS, one that was verified clean via the keys and signature provided by Fedora. I am loath to redo all this work, to still have the same end result.
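An added example, not code from the thread or from chkrootkit: the post above runs the two manual Ebury checks (ssh -G and ipcs -m) by hand, so this script applies the same checks mechanically. The shared-memory rule (root-owned segment, mode 666, 3 MiB or larger) is the heuristic from public Ebury write-ups and is an assumption here; the sample ipcs text is constructed from the post, and a second sample with one matching segment is constructed to show a hit. It also reports whether this host's ssh accepts -G legitimately, since OpenSSH 6.8 and later do, which makes the old "ssh -G prints usage, so it is infected" test meaningless on Fedora 22 and newer.

```shell
#!/bin/sh
# Added example (not from the thread or chkrootkit). Applies the public
# Ebury shared-memory heuristic (assumed here: owner root, perms 666,
# bytes >= 3 MiB) to `ipcs -m` output, and checks whether `ssh -G` is a
# legitimately supported option on this host.

# Constructed sample: the ipcs -m output from the post (no match expected).
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x6c6c6536 0          root       600        4096       0
0x00000000 20414466   ngn_user   600        4194304    2          dest
0x00000000 1409028    ngn_user   600        524288     2          dest
0x00000000 20021254   ngn_user   600        2097152    2          dest'

# Constructed sample with one segment that matches the heuristic.
SAMPLE_IPCS_SUSPECT='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65537      root       666        3145728    1'

# ebury_shm_suspects: read ipcs -m text on stdin, print the shmid of every
# segment that is root-owned, mode 666 and at least 3 MiB (skips 2 header lines).
ebury_shm_suspects() {
    awk 'NR > 2 && $3 == "root" && $4 == "666" && $5 + 0 >= 3145728 { print $2 }'
}

# count_suspects: number of matching segments in the ipcs text given as $1.
count_suspects() {
    printf '%s\n' "$1" | ebury_shm_suspects | wc -l | tr -d ' '
}

# ssh_dash_g_supported: "yes" when ssh accepts -G as a real option (OpenSSH
# 6.8+), so the legacy ssh -G test cannot distinguish clean from infected;
# "no" when ssh rejects -G as illegal/unknown; "no-ssh" when ssh is absent.
ssh_dash_g_supported() {
    if ! command -v ssh >/dev/null 2>&1; then echo "no-ssh"; return; fi
    if ssh -G 2>&1 | grep -qi -e illegal -e unknown; then echo "no"; else echo "yes"; fi
}

# Live check of this host when run as: sh ebury_check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "ssh -G accepted as a real option: $(ssh_dash_g_supported)"
    echo "Suspicious shared memory segments (shmid), if any:"
    ipcs -m | ebury_shm_suspects
fi
```

On the post's own output every segment is mode 600 and the large ones belong to the desktop user, so the function prints nothing; only a root-owned 666 segment of several megabytes would be reported.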
Reply to J VV reply
I never log in as root.
I do my system maintenance, installations, updates, etc. under a user account and use sudo when required. I use SELinux and run it in enforcing mode, except in the circumstance of my printer package install and upgrades, since the script from HP requires it. chkrootkit would have been installed from dnf, or from yum in the original F21 install, which was fedup'ed to F22 in May, I think. I am obsessive about keeping my system patched and updated. So, what do you all think?