LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-01-2015, 12:13 PM   #1
mathwzrd01
LQ Newbie
Registered: Feb 2012
Posts: 5

Windigo Notification/Ebury Warning in Chkrootkit run


Recently ran Chkrootkit on my F22 Workstation. Produced Ebury malware warning. Checked through the postings on the 'Net and find it is a server bot problem, but nothing vis-à-vis a problem on a home workstation installation. Still took the advice and reinstalled F22 WS after deleting all partitions on the drive. Set the system up, reran Chkrootkit, and it is still showing up.

Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation?
Thanks all.
 
Old 07-01-2015, 12:21 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by mathwzrd01 View Post
Anyone know if this is a known false positive for F22 and/or is this a real problem in my situation?
Likely the first but unfortunately you haven't posted any factual information (like 'ssh -G 2>&1;', 'ipcs;' and 'rpm -Vva|grep -v '^\.\{8\}';' output) to go on.
 
Old 07-01-2015, 12:51 PM   #3
John VV
LQ Muse
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,622
Quote:
Recently ran Chkrootkit on my F22 Workstation. Produced Ebury malware warning.
is SELinux set to ENFORCING and targeted

or

did you follow bad advice and DISABLE it

did you use the VERY BAD idea of "the pam hack" and enable ROOT gui login
-- if so -- not good

if you are using normal everyday "best practices"
then it is unlikely to be a real warning


BUT if you ARE logging into Gnome as root and disabled SELinux and are installing random programs from random sites
-- then it might be real


also HOW was chkrootkit installed ?
from the 2014 ( 0.5 ) chkrootkit.tar.gz
http://www.chkrootkit.org/
( the static-glibc needs to be installed to build it )

or
using DNF
 
Old 07-01-2015, 01:21 PM   #4
mathwzrd01
LQ Newbie
Registered: Feb 2012
Posts: 5
Original Poster

More data for Ebury problem

ssh -G

Produced the infected text message

ipcs -m

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x00000000 20414466 ngn_user 600 4194304 2 dest
0x00000000 1409028 ngn_user 600 524288 2 dest
0x00000000 20021254 ngn_user 600 2097152 2 dest
0x00000000 20447239 ngn_user 600 2304 2 dest

ipcs -mp

------ Shared Memory Creator/Last-op PIDs --------
shmid owner cpid lpid
0 root 345 345
20414466 ngn_user 423 503
1409028 ngn_user 2597 389
20021254 ngn_user 5077 2358
20447239 ngn_user 2865 2358

The examination of libkeyutils produced a file size within the 15K size, as opposed to a much larger infected size.

The summary of the various tests that are described in the many different documents I found online is that it looks like an infection for chkrootkit, is a no-show for rkhunter, shows up for ssh -G, and falls within the expected for libkeyutils size and ipcs.

After all this, I went with caution and reinstalled what I considered a clean version of F22 WS, one that was verified clean via the keys and signature provided by Fedora. I am loath to redo all this work, to still have the same end result.
 
Old 07-01-2015, 01:30 PM   #5
mathwzrd01
LQ Newbie
Registered: Feb 2012
Posts: 5
Original Poster

Reply to J VV reply

I never log in as root.
I do my system maintenance, installations, updates, etc. under a user account and use sudo when required.
I use SELinux and run it under enforcing, except in the circumstance of my printer package install and upgrades, since the script from HP requires it.

chkrootkit would have been installed from dnf. Or from yum, in the original F21 install which was FedUp'ed to F22 in May, I think.

I am obsessive about keeping my system patched and updated.

So, what do you all think?
 
Old 07-02-2015, 12:37 AM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by mathwzrd01 View Post
ssh -G

Produced the infected text message
I'm sorry but I asked for command output, not your interpretation thereof.


Quote:
Originally Posted by mathwzrd01 View Post
ipcs -m

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x00000000 20414466 ngn_user 600 4194304 2 dest
0x00000000 1409028 ngn_user 600 524288 2 dest
0x00000000 20021254 ngn_user 600 2097152 2 dest
0x00000000 20447239 ngn_user 600 2304 2 dest
I don't see a root-owned segment with a size greater than 1000000 bytes?


Quote:
Originally Posted by mathwzrd01 View Post
The examination of the libkeyutils produced a file size within the 15K size, as opposed to a much larger infected size.
What does 'clamscan -d signatures/RKH_libkeyutils* -ri /lib/libkeyutil*; clamscan -d signatures/RKH_sshd.ldb -ri /usr/sbin/ssh*;' return please? (Find the sigs where you installed them, like /var/lib/rkhunter/signatures.)
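The two checks unSpawn asked for in post #2 and evaluated in post #6 (the `ipcs` shared-memory listing and the `ssh -G 2>&1` output), written out as an added Python example that is not part of this thread and is not chkrootkit's or rkhunter's own code. It parses the `ipcs -m` and `ipcs -mp` listings the original poster pasted above (re-typed here as constructed sample input, field values unchanged), flags any root-owned segment above the 1,000,000-byte threshold unSpawn used, joins the creator PIDs so a flagged segment can be traced to a process, and applies the `ssh -G` text heuristic. The threshold and the "illegal"/"unknown" match strings are my reading of the thread, not a copy of chkrootkit's source.

```python
import re

# Constructed sample: the original poster's `ipcs -m` listing, re-typed with
# aligned columns (values unchanged).
SAMPLE_IPCS_M = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x6c6c6536 0          root       600        4096       0
0x00000000 20414466   ngn_user   600        4194304    2          dest
0x00000000 1409028    ngn_user   600        524288     2          dest
0x00000000 20021254   ngn_user   600        2097152    2          dest
0x00000000 20447239   ngn_user   600        2304       2          dest
"""

# Constructed sample: the poster's `ipcs -mp` listing (creator / last-op PIDs).
SAMPLE_IPCS_MP = """\
------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       345        345
20414466   ngn_user   423        503
1409028    ngn_user   2597       389
20021254   ngn_user   5077       2358
20447239   ngn_user   2865       2358
"""

# Size threshold unSpawn applied in post #6: a root-owned segment above it is the red flag.
ROOT_SEGMENT_THRESHOLD = 1_000_000


def parse_ipcs_m(text):
    """Turn `ipcs -m` output into a dict keyed by shmid; banner and header rows are skipped."""
    segments = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex key and carry at least key/shmid/owner/perms/bytes/nattch;
        # the trailing status column ("dest") is optional.
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        key, shmid, owner, perms, nbytes, nattch = parts[:6]
        segments[int(shmid)] = {
            "key": key,
            "owner": owner,
            "perms": perms,
            "bytes": int(nbytes),
            "nattch": int(nattch),
            "status": parts[6] if len(parts) > 6 else "",
            "cpid": None,
            "lpid": None,
        }
    return segments


def add_creator_pids(segments, mp_text):
    """Join `ipcs -mp` rows onto the segments so a flagged segment can be traced to its creator PID."""
    for line in mp_text.splitlines():
        parts = line.split()
        # Data rows are exactly shmid/owner/cpid/lpid with a numeric shmid.
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        shmid, _owner, cpid, lpid = parts
        seg = segments.get(int(shmid))
        if seg is not None:
            seg["cpid"], seg["lpid"] = int(cpid), int(lpid)
    return segments


def suspicious_root_segments(segments, threshold=ROOT_SEGMENT_THRESHOLD):
    """Return the shmids of root-owned segments larger than the threshold (sorted)."""
    return sorted(shmid for shmid, seg in segments.items()
                  if seg["owner"] == "root" and seg["bytes"] > threshold)


def classify_ssh_g(ssh_output):
    """Apply the thread's `ssh -G 2>&1` heuristic: a client that rejects -G prints an
    'illegal'/'unknown option' message and is treated as clean; any other output is flagged.
    The weakness is built in: a client that legitimately accepts -G prints no such message
    either, so the heuristic cannot tell it apart from a tampered binary."""
    if re.search(r"illegal|unknown", ssh_output):
        return "clean"
    return "flagged"


def report(ipcs_m_text, ipcs_mp_text, ssh_output):
    """Combine both checks into one result a responder can act on."""
    segs = add_creator_pids(parse_ipcs_m(ipcs_m_text), ipcs_mp_text)
    flagged = suspicious_root_segments(segs)
    return {
        "ssh_g": classify_ssh_g(ssh_output),
        "suspicious_shmids": flagged,
        "creator_pids": {shmid: segs[shmid]["cpid"] for shmid in flagged},
    }


if __name__ == "__main__":
    # Constructed: the message an ssh client that does not know -G would print.
    print(report(SAMPLE_IPCS_M, SAMPLE_IPCS_MP, "ssh: illegal option -- G\nusage: ssh ..."))
```

Run against the poster's listings the shared-memory check comes back empty, which is exactly what unSpawn observed: the only root-owned segment is 4096 bytes. The `ssh -G` check is the weaker of the two, because it judges the binary by whether it rejects the option rather than by its contents, which is why unSpawn asked for the raw output and for a signature scan of the files themselves.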
 
  

