Possible infection. Chrootkit reports linux.xor.ddos

Slakerlife · 05-07-2017, 03:10 PM

Hi everbody

So i just ran chrootkit and i get a line that reads
"Searching for linux.xor.ddos... Infected: Possible maliccious linux.xor.ddos installed"

Is this true? I have a brand new clean system version slackware 14.2 with the last kernal update from current and all i have installed is the defualt programs, my conputer has been running wierd, last time xfce wouldnt start and last time i got an irq shutdown with was tied to my ethernet card 1 but i think all those issues are due to me running the current updates instead of stable. After the upgrades pretty sure amy mkinitrd screen did not look like my picture. I did read that this virus requieres ssh to work on and i have verified i never had the ssh deamon enabled, can someone help me verify that my system is not infected
I was wondering would it be beneficial to install maybe eset antivirus for linux?
Ps: i also ran rkhunter and it did not find anything just some warning but no infections

Thanks

coralfang · 05-07-2017, 04:23 PM

Well i have just run chkrootkit on my own system, and i get:

Code:

Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed

I would assume it's a false positive.

RadicalDreamer · 05-07-2017, 04:44 PM

I ran Chrootkit and didn't get that.

Alien Bob · 05-07-2017, 05:03 PM

You will get this false positive anytime you have an executable file in your /tmp:

Code:

## Linux/Xor.DDoS 
   if [ "${QUIET}" != "t" ]; then
      printn "Searching for Linux.Xor.DDoS ... "; fi
   files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`"
   if [ "${files}" = "" ]; then
      files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`"
      if [ "${files}" = "" ]; then 
         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
      else
         echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
      fi
   else
     echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
     echo "${files}"
   fi

And with Slackware creating its packages in /tmp when running a SlackBuild script, it is easy to trigger this...

Didier Spaier · 05-07-2017, 05:29 PM

Quote:

Originally Posted by Alien Bob

And with Slackware creating its packages in /tmp when running a SlackBuild script, it is easy to trigger this...

I have long ceased to do that, but build with fakeroot and TMP=$(pwd) instead. Yes there are a few cases where it's not possible (aaa_base comes to mind, and others for which you need to expand user's PATH) but then it is still possible to use a container or a VM. Off topic, I know

PS To be honest, that's also because I have messed / building a package a couple times by inattention

Slakerlife · 05-07-2017, 05:42 PM

ok i guess i wont worry to much, i did have the package for rkhunter and chrootkit in my tmp folder, i will delete them and re-run the program, thanks for the quick reply everyone, im still curious lets say i did have this malware/virus would an antivirus for linux be able to detect it and dissinfect it?

Didier Spaier · 05-08-2017, 05:42 AM

Quote:

Originally Posted by Slakerlife

im still curious lets say i did have this malware/virus would an antivirus for linux be able to detect it and dissinfect it?

There is no valid answer to a question asked in so general terms and no tool can do a sysadmin's job. I suggest that you first read this.

Slakerlife · 05-09-2017, 08:10 PM

Quote:

Originally Posted by Didier Spaier

There is no valid answer to a question asked in so general terms and no tool can do a sysadmin's job. I suggest that you first read this.

Thanks for the link