Possible infection. Chrootkit reports linux.xor.ddos
Hi everybody,
So I just ran chkrootkit and I get a line that reads
"Searching for linux.xor.ddos... Infected: Possible malicious linux.xor.ddos installed"
Is this true? I have a brand new clean system, Slackware 14.2 with the last kernel update from current, and all I have installed is the default programs. My computer has been running weird: last time xfce wouldn't start, and last time I got an IRQ shutdown which was tied to my ethernet card 1, but I think all those issues are due to me running the current updates instead of stable. After the upgrades I'm pretty sure my mkinitrd screen did not look like my picture. I did read that this virus requires ssh to work, and I have verified I never had the ssh daemon enabled. Can someone help me verify that my system is not infected?
I was wondering, would it be beneficial to install maybe ESET antivirus for Linux?
PS: I also ran rkhunter and it did not find anything, just some warnings but no infections.
Thanks
Last edited by Slakerlife; 05-07-2017 at 04:00 PM.
Reason: Added scan for rkhunter
You will get this false positive anytime you have an executable file in your /tmp:
Code:
## Linux/Xor.DDoS
# ${find}, ${ls}, ${ROOTDIR}, ${findargs}, ${QUIET} and printn are all
# defined earlier in the chkrootkit script; this is the relevant excerpt.
if [ "${QUIET}" != "t" ]; then
    printn "Searching for Linux.Xor.DDoS ... "; fi
# Any executable regular file under ${ROOTDIR}tmp/ is enough to trigger the hit.
files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`"
if [ "${files}" = "" ]; then
    # Second indicator: the cron script the real malware drops.
    files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`"
    if [ "${files}" = "" ]; then
        if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
    else
        echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
    fi
else
    echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
    echo "${files}"
fi
And with Slackware creating its packages in /tmp when running a SlackBuild script, it is easy to trigger this...
I have long ceased to do that, but build with fakeroot and TMP=$(pwd) instead. Yes, there are a few cases where it's not possible (aaa_base comes to mind, and others for which you need to expand the user's PATH), but then it is still possible to use a container or a VM. Off topic, I know.
PS: To be honest, that's also because I have messed up / while building a package a couple of times by inattention.
Last edited by Didier Spaier; 05-07-2017 at 05:35 PM.
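To see exactly which files set the heuristic off, the same check can be run stand-alone against any root directory. The script below is an added example written for this thread, not part of chkrootkit or of the original posts; it mirrors the two tests quoted above (executable regular files under tmp/, then etc/cron.hourly/udev.sh) and prints `ls -l` for every matching file so that a SlackBuild package or a freshly extracted tarball can be told apart from an unexpected binary. The function name `xor_ddos_check` and the optional root argument are this example's own choices.

```shell
#!/bin/sh
# Added example: reproduce chkrootkit's Linux.Xor.DDoS heuristic against an
# arbitrary root so the files that triggered it can be examined.
# Usage: xor_ddos_check [ROOTDIR]   (ROOTDIR defaults to /, like chkrootkit)

# Prints "nothing found" and returns 0 when neither indicator is present;
# otherwise prints INFECTED plus the matching files and returns 1.
xor_ddos_check() {
    root="${1:-/}"
    # Make sure the root ends in a single slash before appending paths.
    case "$root" in */) ;; *) root="$root/" ;; esac

    # Indicator 1: executable regular files anywhere under ROOTDIR/tmp
    # (this is the one a SlackBuild run in /tmp trips).
    files=$(find "${root}tmp/" -executable -type f 2>/dev/null)
    if [ -z "$files" ]; then
        # Indicator 2: the hourly cron script the real malware installs.
        if [ -f "${root}etc/cron.hourly/udev.sh" ]; then
            echo "INFECTED: ${root}etc/cron.hourly/udev.sh exists"
            ls -l "${root}etc/cron.hourly/udev.sh"
            return 1
        fi
        echo "nothing found"
        return 0
    fi

    echo "INFECTED: executable files under ${root}tmp/:"
    # Owner, mode and mtime are usually enough to recognise your own build
    # leftovers; anything owned by an unexpected user deserves a closer look.
    echo "$files" | while IFS= read -r f; do ls -l "$f"; done
    return 1
}

# Run against the live system when executed directly.
[ "${0##*/}" = "xor_ddos_check.sh" ] && xor_ddos_check /
```

Running it on a box where a SlackBuild was just executed in /tmp lists the package tree's executables and nothing else, which is the false positive discussed above; clearing /tmp (or building with TMP set elsewhere) and re-running should then print "nothing found".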
OK, I guess I won't worry too much. I did have the packages for rkhunter and chkrootkit in my tmp folder; I will delete them and re-run the program. Thanks for the quick reply everyone. I'm still curious: let's say I did have this malware/virus, would an antivirus for Linux be able to detect it and disinfect it?
Last edited by Slakerlife; 05-07-2017 at 07:44 PM.
Reason: Added some extra lines of text