LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 05-07-2017, 03:10 PM   #1
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 63

Rep: Reputation: Disabled
Possible infection. Chrootkit reports linux.xor.ddos


Hi everbody

So i just ran chrootkit and i get a line that reads
"Searching for linux.xor.ddos... Infected: Possible maliccious linux.xor.ddos installed"

Is this true? I have a brand new clean system version slackware 14.2 with the last kernal update from current and all i have installed is the defualt programs, my conputer has been running wierd, last time xfce wouldnt start and last time i got an irq shutdown with was tied to my ethernet card 1 but i think all those issues are due to me running the current updates instead of stable. After the upgrades pretty sure amy mkinitrd screen did not look like my picture. I did read that this virus requieres ssh to work on and i have verified i never had the ssh deamon enabled, can someone help me verify that my system is not infected
I was wondering would it be beneficial to install maybe eset antivirus for linux?
Ps: i also ran rkhunter and it did not find anything just some warning but no infections

Thanks
Attached Thumbnails
Click image for larger version

Name:	IMG_0043.JPG
Views:	193
Size:	240.2 KB
ID:	24957  

Last edited by Slakerlife; 05-07-2017 at 04:00 PM. Reason: Added scan for rkhunter
 
Old 05-07-2017, 04:23 PM   #2
coralfang
Member
 
Registered: Nov 2010
Location: Bristol, UK
Distribution: Slackware, FreeBSD
Posts: 748
Blog Entries: 3

Rep: Reputation: 233Reputation: 233Reputation: 233
Well i have just run chkrootkit on my own system, and i get:
Code:
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
I would assume it's a false positive.
 
Old 05-07-2017, 04:44 PM   #3
RadicalDreamer
Member
 
Registered: Jul 2016
Location: USA
Distribution: Slackware64-Current
Posts: 963

Rep: Reputation: 454Reputation: 454Reputation: 454Reputation: 454Reputation: 454
I ran Chrootkit and didn't get that.

Last edited by RadicalDreamer; 05-07-2017 at 04:57 PM.
 
Old 05-07-2017, 05:03 PM   #4
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 7,534

Rep: Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896Reputation: 5896
You will get this false positive anytime you have an executable file in your /tmp:

Code:
## Linux/Xor.DDoS 
   if [ "${QUIET}" != "t" ]; then
      printn "Searching for Linux.Xor.DDoS ... "; fi
   files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`"
   if [ "${files}" = "" ]; then
      files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`"
      if [ "${files}" = "" ]; then 
         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
      else
         echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
      fi
   else
     echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
     echo "${files}"
   fi
And with Slackware creating its packages in /tmp when running a SlackBuild script, it is easy to trigger this...
 
9 members found this post helpful.
Old 05-07-2017, 05:29 PM   #5
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 8,854

Rep: Reputation: Disabled
Quote:
Originally Posted by Alien Bob View Post
And with Slackware creating its packages in /tmp when running a SlackBuild script, it is easy to trigger this...
I have long ceased to do that, but build with fakeroot and TMP=$(pwd) instead. Yes there are a few cases where it's not possible (aaa_base comes to mind, and others for which you need to expand user's PATH) but then it is still possible to use a container or a VM. Off topic, I know

PS To be honest, that's also because I have messed / building a package a couple times by inattention

Last edited by Didier Spaier; 05-07-2017 at 05:35 PM.
 
1 members found this post helpful.
Old 05-07-2017, 05:42 PM   #6
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 63

Original Poster
Rep: Reputation: Disabled
ok i guess i wont worry to much, i did have the package for rkhunter and chrootkit in my tmp folder, i will delete them and re-run the program, thanks for the quick reply everyone, im still curious lets say i did have this malware/virus would an antivirus for linux be able to detect it and dissinfect it?

Last edited by Slakerlife; 05-07-2017 at 07:44 PM. Reason: Added some extra lines of text
 
1 members found this post helpful.
Old 05-08-2017, 05:42 AM   #7
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 8,854

Rep: Reputation: Disabled
Quote:
Originally Posted by Slakerlife View Post
im still curious lets say i did have this malware/virus would an antivirus for linux be able to detect it and dissinfect it?
There is no valid answer to a question asked in so general terms and no tool can do a sysadmin's job. I suggest that you first read this.

Last edited by Didier Spaier; 05-08-2017 at 11:03 AM.
 
1 members found this post helpful.
Old 05-09-2017, 08:10 PM   #8
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 63

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Didier Spaier View Post
There is no valid answer to a question asked in so general terms and no tool can do a sysadmin's job. I suggest that you first read this.
Thanks for the link
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: XOR DDoS Malware for Linux Attacks Have Been Greatly Exaggerated LXer Syndicated Linux News 0 10-02-2015 02:33 AM
[SOLVED] Chrootkit and Synaptic Ztcoracat Linux - General 4 09-16-2012 01:30 AM
[SOLVED] Some tips on chrootkit, please ButterflyMelissa Linux - Software 7 03-12-2011 05:27 AM
How to run chrootkit LarryFrigginWachs Linux - Newbie 2 02-13-2006 01:37 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 08:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration