LinuxQuestions.org

Linux - Security forum: Windigo Notification/Ebury Warning in Chkrootkit run (https://www.linuxquestions.org/questions/linux-security-4/windigo-notification-ebury-warning-in-chkrootkit-run-4175546940/)

mathwzrd01 07-01-2015 12:13 PM

Windigo Notification/Ebury Warning in Chkrootkit run
 
Recently ran Chkrootkit on my F22 Workstation. Produced an Ebury malware warning. Checked through the postings on the 'Net and found it is a server bot problem, but nothing vis-à-vis a problem on a home workstation installation. Still took the advice and reinstalled F22 WS after deleting all partitions on the drive. Set the system up, reran Chkrootkit, and it is still showing up.

Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation?
Thanks all.

unSpawn 07-01-2015 12:21 PM

Quote:

Originally Posted by mathwzrd01 (Post 5385710)
Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation?

Likely the first but unfortunately you haven't posted any factual information (like 'ssh -G 2>&1;', 'ipcs;' and 'rpm -Vva|grep -v '^\.\{8\}';' output) to go on.

John VV 07-01-2015 12:51 PM

Quote:

Recently ran Chkrootkit on my F22 Workstation. Produced Ebury malware warning.
is SELinux set to ENFORCING and targeted

or

did you follow bad advice and DISABLE it

did you use the VERY BAD idea of "the pam hack" and enable ROOT gui login
-- if so -- not good

if you are using normal everyday "best practices"
then it is unlikely to be a real warning


BUT if you ARE logging into Gnome as root and disabled SELinux and are installing random programs from random sites
-- then it might be real


also HOW was chkrootkit installed ?
from the 2014 ( 0.5 ) chkrootkit.tar.gz
http://www.chkrootkit.org/
( the static-glibc needs to be installed to build it )

or
using DNF

mathwzrd01 07-01-2015 01:21 PM

More data for Ebury problem
 
ssh -G

Produced the infected text message

ipcs -m

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x00000000 20414466 ngn_user 600 4194304 2 dest
0x00000000 1409028 ngn_user 600 524288 2 dest
0x00000000 20021254 ngn_user 600 2097152 2 dest
0x00000000 20447239 ngn_user 600 2304 2 dest

ipcs -mp

------ Shared Memory Creator/Last-op PIDs --------
shmid owner cpid lpid
0 root 345 345
20414466 ngn_user 423 503
1409028 ngn_user 2597 389
20021254 ngn_user 5077 2358
20447239 ngn_user 2865 2358

The examination of the libkeyutils produced a file size within the 15K size, as opposed to a much larger infected size.

The summary of the various tests that are described in the many different documents I found online is: it looks like an infection for chkrootkit, is a no-show for rkhunter, shows up for ssh -G, and falls within the expected for libkeyutils size and ipcs.

After all this, I went with caution and reinstalled what I considered a clean ver of F22 WS, one that was verified clean via the keys and signature provided by Fedora. I am loath to redo all this work, to still have the same end result.

mathwzrd01 07-01-2015 01:30 PM

Reply to J VV reply
 
I never login under Root.
I do my system maintenance, installations, updates, etc under a user account and use sudo when required.
I use SELinux and run it under enforce, except in the circumstance of my printer package install and upgrades, since the script from HP requires it.

chkrootkit would have been installed from dnf. Or from yum, in the original F21 install which was fedup'd to F22 in May?, I think

I am obsessive about keeping my system patched and updated.

So, what do y'all think?

unSpawn 07-02-2015 12:37 AM

Quote:

Originally Posted by mathwzrd01 (Post 5385738)
ssh -G

Produced the infected text message

I'm sorry but I asked for command output, not your interpretation thereof.


Quote:

Originally Posted by mathwzrd01 (Post 5385738)
ipcs -m

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x00000000 20414466 ngn_user 600 4194304 2 dest
0x00000000 1409028 ngn_user 600 524288 2 dest
0x00000000 20021254 ngn_user 600 2097152 2 dest
0x00000000 20447239 ngn_user 600 2304 2 dest

I don't see a root-owned segment with a size greater than 1000000 bytes?


Quote:

Originally Posted by mathwzrd01 (Post 5385738)
The examination of the libkeyutils produced a file size within the 15K size, as opposed to a much larger infected size.

What does 'clamscan -d signatures/RKH_libkeyutils* -ri /lib/libkeyutil*; clamscan -d signatures/RKH_sshd.ldb -ri /usr/sbin/ssh*;' return please? (Find the sigs where you installed them, like /var/lib/rkhunter/signatures.)

