Windigo Notification/Ebury Warning in Chkrootkit run
Recently ran chkrootkit on my F22 Workstation. It produced an Ebury malware warning. Checked through the postings on the 'Net and found it is a server bot problem, but nothing vis-à-vis a problem on a home workstation installation. Still took the advice and reinstalled F22 WS after deleting all partitions on the drive. Set the system up, reran chkrootkit, and it is still showing up.
Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation?
Thanks all.
Quote:
Originally Posted by mathwzrd01
Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation?
Likely the first, but unfortunately you haven't posted any factual information (like 'ssh -G 2>&1;', 'ipcs;' and 'rpm -Vva|grep -v '^\.\{8\}';' output) to go on.
Quote:
Originally Posted by mathwzrd01
Recently ran Chkrootkit on my F22 Workstation. Produced Ebury malware warning.
Is SELinux set to ENFORCING and targeted,
or
did you follow bad advice and DISABLE it?
Did you use the VERY BAD idea of "the pam hack" and enable ROOT GUI login?
-- if so -- not good.
If you are using normal everyday "best practices",
then it is unlikely to be a real warning,
BUT if you ARE logging into Gnome as root and have disabled SELinux and are installing random programs from random sites
-- then it might be real.
Also, HOW was chkrootkit installed?
From the 2014 (0.5) chkrootkit.tar.gz at http://www.chkrootkit.org/
(the static glibc needs to be installed to build it)
The examination of libkeyutils produced a file size in the 15K range, as opposed to a much larger infected size.
The summary of the various tests that are described in the many different documents I found online is: it looks like an infection for chkrootkit, is a no-show for rkhunter, shows up for ssh -G, and falls within the expected range for libkeyutils size and ipcs.
After all this, I went with caution and reinstalled what I considered a clean version of F22 WS, one that was verified clean via the keys and signature provided by Fedora. I am loath to redo all this work, to still have the same end result.
I never log in under root.
I do my system maintenance, installations, updates, etc. under a user account and use sudo when required.
I use SELinux and run it under enforcing, except in the circumstance of my printer package install and upgrades, since the script from HP requires it.
chkrootkit would have been installed from dnf, or from yum in the original F21 install which was fedup'd to F22 in May, I think.
I am obsessive about keeping my system patched and updated.
I'm sorry but I asked for command output, not your interpretation thereof.
Quote:
Originally Posted by mathwzrd01
ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x6c6c6536 0          root       600        4096       0
0x00000000 20414466   ngn_user   600        4194304    2          dest
0x00000000 1409028    ngn_user   600        524288     2          dest
0x00000000 20021254   ngn_user   600        2097152    2          dest
0x00000000 20447239   ngn_user   600        2304       2          dest
I don't see a root-owned segment with a size greater than 1000000 bytes?
Quote:
Originally Posted by mathwzrd01
The examination of the libkeyutils produced a file size within the 15K size, as opposed to a much larger infected size.
What does 'clamscan -d signatures/RKH_libkeyutils* -ri /lib/libkeyutil*; clamscan -d signatures/RKH_sshd.ldb -ri /usr/sbin/ssh*;' return please? (Find the sigs where you installed them, like /var/lib/rkhunter/signatures.)
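The checks unSpawn asks for in this thread (root-owned shared memory segments over 1000000 bytes in ipcs -m, modified package files in rpm -Va, the libkeyutils size, and how ssh reacts to -G), written up as an added example. This is editor-supplied code, not code from the thread, from chkrootkit or from rkhunter. Each check reads the command's output as text, so the ipcs -m listing posted above can be embedded and evaluated offline; the extra "bad" ipcs row, the rpm -Va lines and the version strings are constructed samples, and the 30000-byte libkeyutils cut-off is an assumption. One caveat a practitioner should know: OpenSSH 6.8 added a real -G option (it prints the effective client configuration), so on any OpenSSH 6.8 or later an ssh that accepts -G is not by itself evidence of anything; the function below returns "inconclusive" in that case instead of "suspicious".

```shell
#!/bin/sh
# Added example (not from the thread, chkrootkit or rkhunter): the Ebury
# indicators discussed above as functions that read command output as text.
# On a suspect box run them as  ipcs -m | ipcs_root_large  and
# rpm -Va | rpm_v_binaries ; here they run against constructed samples.

# Constructed sample: the ipcs -m listing posted earlier in this thread.
SAMPLE_IPCS='------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x00000000 20414466 ngn_user 600 4194304 2 dest
0x00000000 1409028 ngn_user 600 524288 2 dest
0x00000000 20021254 ngn_user 600 2097152 2 dest
0x00000000 20447239 ngn_user 600 2304 2 dest'

# Constructed sample with one extra root-owned segment well above 1000000
# bytes, the pattern the ipcs check looks for (shmid and size invented).
SAMPLE_IPCS_BAD="$SAMPLE_IPCS
0x00000000 98304 root 666 3283992 0"

# Constructed sample of rpm -Va output: an mtime-only change, a modified
# binary (size and md5 differ) and a modified config file.
SAMPLE_RPMV='.......T.    /usr/share/man/man1/ssh.1.gz
S.5....T.    /usr/bin/ssh
S.5....T.  c /etc/ssh/ssh_config'

# Root-owned shared memory segments larger than 1000000 bytes (the
# threshold quoted in the thread). Reads ipcs -m output on stdin, prints
# matching rows, exits 1 if any were found.
ipcs_root_large() {
    awk 'NR > 2 && $3 == "root" && $5 + 0 > 1000000 { print; found = 1 }
         END { if (found) exit 1; exit 0 }'
}

count_ipcs_hits() {
    printf '%s\n' "$1" | ipcs_root_large | wc -l | tr -d ' '
}

# rpm -Va rows whose md5 digest differs (third flag) for non-config files,
# i.e. a replaced binary or library rather than a locally edited config.
rpm_v_binaries() {
    awk 'substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

count_rpm_hits() {
    printf '%s\n' "$1" | rpm_v_binaries | wc -l | tr -d ' '
}

# libkeyutils size check: the stock library is around 15K, the dropped
# replacement is far larger. The 30000-byte cut-off is an assumption.
libkeyutils_size_ok() {
    [ "$1" -lt 30000 ]
}

# ssh -G check. Old stock OpenSSH rejects -G ("illegal option"); a patched
# client accepts it. OpenSSH 6.8 added a real -G (print config), so on
# 6.8+ acceptance proves nothing. Arguments: the text printed by
# "ssh -G 2>&1" and the version string from "ssh -V" (e.g. OpenSSH_6.8p1).
ssh_g_verdict() {
    out=$1
    maj=$(printf '%s' "$2" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1/p')
    min=$(printf '%s' "$2" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\2/p')
    if [ -n "$maj" ] && { [ "$maj" -gt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -ge 8 ]; }; }; then
        echo inconclusive
    elif printf '%s' "$out" | grep -qiE 'illegal option|unknown option'; then
        echo clean
    else
        echo suspicious
    fi
}

# Stand-alone run against the constructed samples.
echo "root-owned >1000000-byte shm segments in the posted ipcs output: $(count_ipcs_hits "$SAMPLE_IPCS")"
echo "same check on the constructed bad sample: $(count_ipcs_hits "$SAMPLE_IPCS_BAD")"
echo "modified non-config files in the sample rpm -Va output: $(count_rpm_hits "$SAMPLE_RPMV")"
echo "ssh -G accepted on OpenSSH_6.8p1: $(ssh_g_verdict 'host example.com' OpenSSH_6.8p1)"
```

Note that the rpm filter deliberately drops lines flagged "c" (config files), since a locally edited ssh_config is expected on most boxes, while a changed md5 on /usr/bin/ssh or a libkeyutils library is exactly what warrants running the clamscan signatures asked for above.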