Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Seems as if some scripts were executed without me knowing.
I quickly ran chkrootkit, and it said there was infection with Linux/XOR.DDoS on the first run.
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
I became suspicious of a gaming server I ran continuously on this machine, especially as some fun freebies had been installed recently. Hence, I decided to stop it. A little later, on the second and third run, there were no infections reported. My auth.log files look fine. Clamscan was running for over three hours and found nothing.
I restarted the gaming server. Lo and behold, chkrootkit now says there is XOR present.
I am not so much into Linux virology, but would be grateful if somebody could explain what is going on. I am under impression that some of the freebie plugs are calling home.
I'd be very happy to learn that this is the case. I wasn't operating this machine most of the time, so the possibility is there. However, why is there XOR infection warning from the chkrootkit only when the game server is running?
Quote:
Originally Posted by teckk
Looks like you pasted a html page into the terminal.
For example, the top part of the source for this page you are looking at.
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<base href="https://www.linuxquestions.org/questions/" /><!--[if IE]></base><![endif]-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="keywords" content="Hacked,Trojaned, Hacked or Trojaned?, Linux,how to,tutorial,operating system,linux,red hat,mandrake,security,linux help,installation,question,forum" />
<meta name="description" content="I was running history on the bash terminal, and found a ton of peculiar text there, mostly html, like: 815 sudo <body class="question-page" />
<style type="text/css" id="vbulletin_css">
/**
* vBulletin 3.8.10 Beta 1 CSS
* Style: 'LQ Style - child of default'; Style ID: 7
*/
body
{
background: #FFFFFF;
color: #000000;
font: 10pt Verdana,Arial,Helvetica,sans-serif;
margin: 5px 10px 10px 10px;
padding: 0px;
}
a:link, body_alink
{
color: #22229C;
}
Paste that in to your terminal, then look at your bash history.
since you gave no usable info:
look for your game server and Linux.Xor.DDoS on the net, probably it is a false positive.
do not rely on auth.log or similar if your system is infected.
if you are really interested you can boot another OS (from pendrive) and check your system.
Thanks for the replies, I surely learned a lot, and I am now slightly less concerned. Luckily, I don't see strange things going on along with chkrootkit reporting infection too often, so I am not too experienced with such situations.
Quote:
Originally Posted by ondoho
No.
Your shell does not know how to execute javascript or parse HTML.
What teckk wrote:
I had a quick look at the abilities of that XOR. Seems like it is quite powerful, often embedded into binaries, and able operate from there.
Seems as if some scripts were executed without me knowing.
Quote:
Originally Posted by Jackson111
I became suspicious of a gaming server I ran continuously on this machine, especially as some fun freebies had been installed recently. Hence, I decided to stop it. A little later, on the second and third run, there were no infections reported. My auth.log files look fine. Clamscan was running for over three hours and found nothing.
I restarted the gaming server. Lo and behold, chkrootkit now says there is XOR present.
I am not so much into Linux virology, but would be grateful if somebody could explain what is going on. I am under impression that some of the freebie plugs are calling home.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
I wasn't operating this machine most of the time, so the possibility is there. However, why is there XOR infection warning from the chkrootkit only when the game server is running? 
