LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-14-2019, 07:53 AM   #1
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Rep: Reputation: Disabled
Chkrootkit reports bindshell infected port 465


Today when I ran chkrootkit on my Linux Mint (MATE) laptop, I got this result, which didn't appear previously:

Code:
Checking `bindshell'...                                     INFECTED PORTS: ( 465)

This infected result appears only when I establish an internet (WiFi) connection, while prior to that chkrootkit doesn't report anything. Rkhunter still doesn't report anything special or out of ordinary.

I searched the internet for this result and all I could find are false positives for people who have Cpanel installed or something similar. But I don't have CPanel installed - it's just a regular Mint MATE installation, and I am sure this infected result didn't appear until a few days ago (I run chkrootkit and rkhunter often). The only thing that I changed in the past several days is that I installed the SNAP package (snapd) and, using snap, I installed a couple of snap applications (somafm-qt and something else whose name I now forgot).

When I run this command:

Code:
grep 465 /etc/services

I get the following result:

Code:
bluelight@bluelight:~$ grep 465 /etc/services
urd		465/tcp		ssmtp smtps  # URL Rendesvous Directory for SSM

and I don't know what it means.

Could somebody please help me to decipher this and whether I have a reason to be concerned about the possible infection?
 
Old 04-14-2019, 11:26 AM   #2
RickDeckard
Member
 
Registered: Jan 2014
Location: Canton, Georgia, USA
Distribution: Debian 12
Posts: 205

Rep: Reputation: Disabled
I don't really think the services file will be of much help here. Can you run "lsof -Rpni :465" from the command line when you bring up a WiFi connection and see what happens?
 
Old 04-14-2019, 11:53 AM   #3
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
After a few more times running chkrootkit, when I run it now, it doesn't report that infected result anymore. Today I uninstalled snap and its applications, but after that when I ran chkrootkit, it reported one more time that same infected result again. Now it doesn't report it anymore... so maybe it was some unimportant and benign glitch... I don't know.

Anyway, here is the result of the command you proposed:


Code:
bluelight@bluelight:~$ lsof -Rpni :465
lsof: illegal process ID: ni
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.

Perhaps it gives the "illegal process ID" error because that process doesn't exist anymore? But I know it did exist; I wonder what application caused it earlier today and why it's gone now... hm, strange... I just hope it's not some rootkit virus again.

Last edited by Seniark; 04-14-2019 at 11:54 AM.
 
Old 04-14-2019, 11:57 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,842

Rep: Reputation: 7308
That means incorrect parameters; lsof did not run at all. Your version does not understand -Rpni :465 (or you mistyped something).
 
Old 04-14-2019, 12:12 PM   #5
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
That means incorrect parameters; lsof did not run at all. Your version does not understand -Rpni :465 (or you mistyped something).

I just copy/pasted what RickDeckard wrote in this thread (without the quotes). What should I type so that Rpni runs properly?
 
Old 04-14-2019, 12:36 PM   #6
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Could it be
Code:
lsof -RPni :465
I'm really just guessing here.
 
Old 04-14-2019, 02:38 PM   #7
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
Could it be
Code:
lsof -RPni :465
I'm really just guessing here.

The output of that appears to be an empty line (no result at all - just gives a new prompt, as if I pressed only enter). I don't know what that means.


Code:
bluelight@bluelight:~$ lsof -RPni :465
bluelight@bluelight:~$
 
Old 04-14-2019, 02:48 PM   #8
RickDeckard
Member
 
Registered: Jan 2014
Location: Canton, Georgia, USA
Distribution: Debian 12
Posts: 205

Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
Could it be
Code:
lsof -RPni :465
I'm really just guessing here.

Yes!!! That's what I meant. My apologies.

Quote:
Originally Posted by Seniark View Post
The output of that appears to be an empty line (no result at all - just gives a new prompt, as if I pressed only enter). I don't know what that means.


Code:
bluelight@bluelight:~$ lsof -RPni :465
bluelight@bluelight:~$

Then you may have to be root in order to find the process that way. You can try again using sudo.

I'm hoping that if we find the name of the process we can locate it and then maybe either run some more analysis on it or totally get rid of it depending on what it says.

Last edited by RickDeckard; 04-14-2019 at 02:50 PM.
 
Old 04-14-2019, 05:06 PM   #9
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by RickDeckard View Post
Then you may have to be root in order to find the process that way. You can try again using sudo.

I'm hoping that if we find the name of the process we can locate it and then maybe either run some more analysis on it or totally get rid of it depending on what it says.

I just tried the same command with sudo and the result is again the same as it was without sudo (no result at all, as if I just pressed enter).

Code:
bluelight@bluelight:~$ sudo lsof -RPni :465
bluelight@bluelight:~$

I want to point out that now when I run chkrootkit it does not report the same rootkit warning as it did earlier today. This is what it now says under the bindshell item, even when I am connected to the internet:


Code:
Checking `bindshell'...                                     not infected

I wonder how that process can switch on and off by itself? Now you see it, now you don't... strange.
 
Old 04-14-2019, 05:41 PM   #10
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
Have you tried following the diagnostics used on https://benohead.com/chkrootkit-fals...cted-port-465/ ?
 
Old 04-14-2019, 05:44 PM   #11
RickDeckard
Member
 
Registered: Jan 2014
Location: Canton, Georgia, USA
Distribution: Debian 12
Posts: 205

Rep: Reputation: Disabled
That's bad news for us to hear. If an open connection is being hidden from root itself, I have a lot of reason to suspect this isn't a false positive.
 
Old 04-15-2019, 03:23 AM   #12
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by hydrurga View Post
Have you tried following the diagnostics used on https://benohead.com/chkrootkit-fals...cted-port-465/ ?

When I run the first command according to that procedure, I get an empty line as a result (as if I just pressed enter), so I am unable to proceed with the described procedure as there is no process to examine:


Code:
bluelight@bluelight:~$ sudo netstat -pan | grep ":465 "
bluelight@bluelight:~$

Since chkrootkit doesn't report the infected process anymore, is it possible that the problematic process actually doesn't exist anymore (rather than being hidden)? I did uninstall the snapd package (and its applications) yesterday, and that might have resolved the issue, although I remember that chkrootkit reported the infected process one more time after that, and then stopped reporting it.

As far as I remember, I had these packages installed using snapd:

https://snapcraft.io/odio
https://snapcraft.io/somafm-qt

Do these programs have any component that might have caused chkrootkit to report the issue with bindshell? The timing of the problem and when I installed these packages seem to have a correlation, but I'm not sure about the causation.
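The replies above try to answer one question with lsof and netstat: which local process, if any, owns a socket on port 465 while the warning is showing. The script below is an added example (not from this thread, not part of chkrootkit or lsof) that does the same thing directly from the kernel's own tables: it parses /proc/net/tcp and /proc/net/tcp6, decodes the hex addresses, filters for the port, and maps the socket inode back to a PID by walking /proc/<pid>/fd. The sample table embedded in the block is constructed for demonstration; the socket inode numbers, PIDs and addresses in it are made up. Reading other users' fd directories needs root, which is one reason an unprivileged lsof run can come back empty even when a socket exists.

```python
"""Added example: locate the process behind a TCP port via /proc (Linux only).
Not the thread's or chkrootkit's code; the SAMPLE_TCP table is constructed."""
import os
import socket
import struct
from typing import List, Optional

# TCP state codes as printed in /proc/net/tcp (kernel tcp_states.h ordering).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hexaddr: str) -> str:
    """Decode the kernel's hex form: IPv4 is one little-endian 32-bit word,
    IPv6 is four little-endian 32-bit words in address order."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = struct.unpack("<4I", raw)
    return socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))


def parse_proc_net_tcp(text: str) -> List[dict]:
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into socket records."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = fields[1].split(":")
        remote_ip, remote_port = fields[2].split(":")
        sockets.append({
            "local": (decode_addr(local_ip), int(local_port, 16)),
            "remote": (decode_addr(remote_ip), int(remote_port, 16)),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def sockets_on_port(sockets: List[dict], port: int) -> List[dict]:
    """Every socket whose local or remote end uses the port, listening or not.
    A connect-based check such as chkrootkit's bindshell test only sees the
    local LISTEN side, so the two views are reported separately by the caller."""
    return [s for s in sockets if s["local"][1] == port or s["remote"][1] == port]


def inode_to_pid(inode: int, proc: str = "/proc") -> Optional[int]:
    """Walk /proc/<pid>/fd for a 'socket:[inode]' link. Needs permission to read
    each process's fd directory (root for processes of other users)."""
    target = f"socket:[{inode}]"
    try:
        entries = os.listdir(proc)
    except OSError:
        return None                               # no procfs on this system
    for entry in entries:
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(entry)
        except OSError:
            continue                              # process exited or not readable
    return None


# Constructed sample in /proc/net/tcp layout: a listener on 127.0.0.1:465
# (0x01D1) owned by root, and an outbound connection from 10.0.2.15 to a
# remote host's port 465 owned by uid 1000. Inodes and addresses are made up.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1E2 1B1B1B1B:01D1 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 465
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                found.extend(parse_proc_net_tcp(f.read()))
        except OSError:
            pass
    for s in sockets_on_port(found, port):
        pid = inode_to_pid(s["inode"])
        owner = f"pid {pid}" if pid is not None else "owner not readable (try as root)"
        print(f"{s['state']:<11} {s['local'][0]}:{s['local'][1]} -> "
              f"{s['remote'][0]}:{s['remote'][1]} uid={s['uid']} {owner}")
```

Run it as root while the chkrootkit warning is showing; an empty result from both this and `sudo netstat -pan | grep ":465 "` means nothing is bound to the port at that moment, which is consistent with the process having exited rather than with it being hidden (a kernel-level rootkit that filters /proc/net/tcp would also defeat this script, so an empty result is evidence, not proof).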
 
Old 04-15-2019, 03:44 AM   #13
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by RickDeckard View Post
That's bad news for us to hear. If an open connection is being hidden from root itself, I have a lot of reason to suspect this isn't a false positive.

Please see my first reply to hydrurga from today. It seems to me that the problematic process doesn't exist anymore, although of course we can't be sure. Chkrootkit doesn't report it anymore, and Rkhunter never reported anything weird since it started happening yesterday.

Yesterday Mint shut down itself for a few seconds and then restarted itself (without going through the regular loading procedure with its logo screen), which of course is not a good sign, but I've seen it before and it might be a tech glitch rather than a virus (in my opinion).

Rkhunter does report one suspicious file, and this has been an issue ever since I installed Mint MATE on this laptop. I explained that issue in detail in this thread some time ago.

Now when I run rkhunter the name of the suspicious file has changed a little, but it's still always reported:

Code:
[09:55:38] Info: Starting test name 'filesystem'
[09:55:38] Performing filesystem checks
[09:55:38] Info: SCAN_MODE_DEV set to 'THOROUGH'
[09:55:45]   Checking /dev for suspicious file types         [ Warning ]
[09:55:45] Warning: Suspicious file types found in /dev:
[09:55:45]          /dev/shm/mono.2058: data
[09:55:46]   Checking for hidden files and directories       [ Warning ]
[09:55:46] Warning: Hidden directory found: /etc/.java
[09:55:46]   Checking for missing log files                  [ Skipped ]
[09:55:46] Info: No missing log file names configured.
[09:55:46]   Checking for empty log files                    [ Skipped ]
[09:55:46] Info: No empty log file names configured.

In that forum thread you hypothesized that the file might have been created by Tomboy Notes or some other Mono application. I do have Tomboy notes installed but I never use it. Is it possible to determine accurately what application or process creates (and maintains) the mono.2058 file?

I have to emphasize that I am absolutely positive I had a rootkit virus on this laptop earlier this year. I experienced things such as all my passwords in Chrome being deleted (not just in the Chrome program but on Google's servers as well), files from the desktop being deleted or moved, and some text files where I keep passwords being tampered with and edited. This problem would re-surface every time even though I would reinstall the whole system on a clean drive (I would clean it with the erase disk drive feature in Parted Magic, which was loaded from a USB stick).

This problem appears to have gone only when I updated my laptop BIOS about a month ago. I strongly suspect that it was a BIOS rootkit, because there's no other way to explain it. It was difficult to update the BIOS because, in their infinite wisdom, the manufacturer of my laptop (Lenovo) gives its users only one way to update the BIOS, and that is by using a Windows .exe application. So I had to install Windows just to update BIOS. But when I did that, at least those obvious virus/rootkit-related things such as passwords and files being deleted or moved finally stopped happening. The hidden mono file and these latest problems with bindshell that chkrootkit reported are disconcerting, but perhaps they have a different explanation, such as some snapd application that was able to cause a false positive...

Last edited by Seniark; 04-15-2019 at 03:52 AM.
 
Old 04-15-2019, 06:02 AM   #14
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
Quote:
Originally Posted by Seniark View Post
As far as I remember, I had these packages installed using snapd:

https://snapcraft.io/odio
https://snapcraft.io/somafm-qt

Do these programs have any component that might have caused chkrootkit to report the issue with bindshell? The timing of the problem and when I installed these packages seem to have a correlation, but I'm not sure about the causation.

Ah, that I don't know. I suppose, in the interests of discovery, you could always reinstall them and see what happens.
 
Old 04-16-2019, 10:09 AM   #15
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by hydrurga View Post
Ah, that I don't know. I suppose, in the interests of discovery, you could always reinstall them and see what happens.

Good idea. I reinstalled snap and all the snap applications that I remember having a few days ago. When running chkrootkit out of maybe a dozen times, I got this problematic result twice (once yesterday and once today). Otherwise, chkrootkit doesn't report anything different than when snap is not installed. Rkhunter still doesn't report anything different than when snap is not installed.


EDITED:

Rkhunter also reported an LKM trojan now, but when I ran it again it didn't report it again.

Code:
Checking `bindshell'...                                     not infected
Checking `lkm'...                                           You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
wlp2s0: PACKET SNIFFER(/sbin/wpa_supplicant[654], /sbin/wpa_supplicant[654], /sbin/dhclient[21571])
tun0: not promisc and no packet sniffer sockets
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            user bluelight deleted or never logged from lastlog!
Checking `chkutmp'...                                        The tty of the following user process(es) were not found

(bold letters added by me)

The packet sniffer is always reported (whether I have snap or not), and I assume it's a false positive. I don't know why this "possible LKM trojan" is sometimes reported now with snap installed... Should I be concerned?

Last edited by Seniark; 04-16-2019 at 10:29 AM.
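The "1 process hidden for readdir command / 1 process hidden for ps command" lines in the chkrootkit output quoted above come from its chkproc test, which takes a directory listing of /proc, takes a ps listing, and then probes /proc/<n> for every possible PID; any PID the probe finds that the listings lack is reported as hidden. Because the three views are taken one after another, a process that starts or exits in between (common on a desktop, and exactly what snapd's short-lived helpers do) shows up as "hidden" once and is gone on the next run, which matches the intermittent report in this thread. The block below is an added example, not chkrootkit's code and not from the thread: it performs the same comparison as pure functions so it can be tested on constructed PID sets, and adds the re-check that separates a transient PID (gone on the second look) from a persistent one (still in /proc but absent from the listings, which is the case that warrants a closer look). The live collectors read /proc and run `ps -eo pid=`; the pid_max fallback of 32768 is an assumption used only when /proc/sys/kernel/pid_max cannot be read.

```python
"""Added example: a chkproc-style hidden-process comparison with a re-check for
transient PIDs. Not chkrootkit's code; the sample PID sets are constructed."""
import os
import subprocess
from typing import Callable, Dict, Set


def pids_from_readdir(proc: str = "/proc") -> Set[int]:
    """PIDs as a directory listing of /proc reports them (what ls would show)."""
    return {int(e) for e in os.listdir(proc) if e.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs as the ps command reports them."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def read_pid_max(proc: str = "/proc") -> int:
    """Upper bound for the probe; 32768 is an assumed fallback if unreadable."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def pids_by_probe(max_pid: int, proc: str = "/proc") -> Set[int]:
    """Stat /proc/<n> for every n up to max_pid: a direct lookup can succeed for
    an entry that a filtered readdir never returned, which is what the
    'hidden for readdir' message means."""
    return {n for n in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(n)))}


def compare_views(readdir_pids: Set[int], ps_pids: Set[int],
                  probe_pids: Set[int]) -> Dict[str, Set[int]]:
    """The chkproc comparison: anything the probe found but a listing lacks."""
    return {
        "hidden_for_readdir": probe_pids - readdir_pids,
        "hidden_for_ps": probe_pids - ps_pids,
    }


def recheck(suspects: Set[int],
            still_exists: Callable[[int], bool]) -> Dict[str, Set[int]]:
    """Second look at each suspect PID. A PID that no longer exists was most
    likely a process that started or exited between the snapshots (a race,
    not a rootkit); a PID that still exists but was unlisted is the case
    worth investigating further (cmdline, exe link, parent, open files)."""
    present = {p for p in suspects if still_exists(p)}
    return {"transient": suspects - present, "persistent": present}


def audit(readdir_pids: Set[int], ps_pids: Set[int], probe_pids: Set[int],
          still_exists: Callable[[int], bool]) -> Dict[str, Set[int]]:
    """Full pass: compare the three views, then re-check every suspect."""
    diff = compare_views(readdir_pids, ps_pids, probe_pids)
    suspects = diff["hidden_for_readdir"] | diff["hidden_for_ps"]
    result = recheck(suspects, still_exists)
    result.update(diff)
    return result


# Constructed sample: three long-lived PIDs seen everywhere, and one PID
# (21571) that the probe caught while it was starting up. The PID numbers are
# made up and chosen only to resemble the thread's output.
SAMPLE_READDIR = {1, 2, 654}
SAMPLE_PS = {1, 2, 654}
SAMPLE_PROBE = {1, 2, 654, 21571}

if __name__ == "__main__":
    live = audit(pids_from_readdir(), pids_from_ps(),
                 pids_by_probe(read_pid_max()),
                 lambda p: os.path.isdir(f"/proc/{p}"))
    print("hidden for readdir:", sorted(live["hidden_for_readdir"]))
    print("hidden for ps:     ", sorted(live["hidden_for_ps"]))
    print("transient (race):  ", sorted(live["transient"]))
    print("persistent:        ", sorted(live["persistent"]))
```

Running the live pass a few times on a desktop usually produces the occasional one-off entry in the transient set and nothing in the persistent set; a PID that lands in the persistent set on repeated runs is the signal chkproc is really looking for, and the next step is to inspect that /proc/<pid> entry as root (its exe link, cmdline and fd directory) rather than to rely on the scanner's one-line verdict.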