[Bug 1508248] Re: chkrootkit gives false positive ebury

2015-10-22 Thread sleek
Please, I am using the newest version of chkrootkit, 0.50-3.1, not the 0.49 the
exchange discusses, and it is supposed to correctly detect the rootkit.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to chkrootkit in Ubuntu.
https://bugs.launchpad.net/bugs/1508248

Title:
  chkrootkit gives false positive ebury

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1508248/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1508248] Re: chkrootkit gives false positive ebury

2015-10-22 Thread sleek
There is not much you have to do to produce this error other than install the 
program and type: sudo chkrootkit
According to relevant websites I found, this error occurs because ssh didn't use 
to implement -g, so chkrootkit's method for this rootkit is no longer valid. Per the 
following conversation on the Ubuntu forums:


August 24th, 2015 #1
fthx

Heartbreaking chkrootkit 'operation windigo' positive warning

Hi,

Was raining today but suddenly I got the sun in my face:

Code:

sudo chkrootkit

Searching for Linux/Ebury - Operation Windigo ssh...
Possible Linux/Ebury - Operation Windigo installetd

(original typo...)


Well... after some search I think it's a false positive. (I do not play 
with fishy PPAs and do not use my system as a server.)
Sources:
http://www.eset.com/int/about/press/...net-uncovered/
https://www.cert-bund.de/ebury-faq
http://ubuntuforums.org/showthread.p...ration+windigo
https://bbs.archlinux.org/viewtopic.php?id=195395
https://github.com/openssh/openssh-p...75ab3b9cc84cba

If you run the "ssh -G" test in above links, you could be scared. But 
the commit (link to github) seems to show that a new ssh option has been 
introduced since the testing command line:
Code:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

So this command does not return any error message, so you should
get "System infected" in your terminal...

I checked the sizes of the libraries (2nd link), ran ipcs
commands and everything seemed to be ok.

What do you think about this stuff? Should I run some
additional tests?

August 24th, 2015 #2
runrickus

Re: Heartbreaking chkrootkit 'operation windigo' positive warning

I would think you would be safe if you did not show "System
infected"

Also there is this to show if infected.
Code:

# netstat -nap | grep "@/proc/udevd"


Ebury version 1.5
On Linux-based systems, an additional shared library file 'libns2.so' 
is installed and the existing libkeyutils file is patched to link against this 
library instead of libc6. The malicious 'libns2.so' file can be located by 
running the following command, which should not return any results on clean 
systems.
# find /lib* -type f -name libns2.so
/lib64/libns2.so

Ebury now uses Unix domain sockets instead of shared memory segments for 
interprocess communication. The malicious socket can be located using 'netstat' 
as follows. Again, this command should not return any results on clean systems.

Do antivirus products or other security tools detect Ebury?
Some antivirus products are capable of detecting Ebury, usually as 'SSHDoor' or 
'Sshdkit'. However, ClamAV or tools like chkrootkit or rkhunter currently do not 
detect Ebury.
For Me
Code:

me-Aspire-M3300 me # netstat -nap | grep "@/proc/udevd"
me-Aspire-M3300 # exit
exit
me@me-Aspire-M3300:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean



Hope that helps
Regards 



What I expect is an explanation of why my conclusion is wrong and this is a real 
infection, or a fix to the software so I get no more false positives. What I 
need is a malware  
By the way, this seems to affect not only Ubuntu: it has been reported at Debian 
and Red Hat three months ago, but the chkrootkit rootkit scanner seems not to be 
fixed for Ubuntu.

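Added example (Python, written for this page; it is not code from the bug report, chkrootkit or the CERT-Bund FAQ): it reproduces the three Ebury indicators discussed in the message above (the ssh -G heuristic, the @/proc/udevd abstract socket and libns2.so), but treats the ssh -G result as inconclusive when the installed OpenSSH is recent enough to know -G itself, which is the false positive in this bug. Assumptions not taken from the thread: the caller passes in the text of `ssh -V`, `ssh -G 2>&1`, /proc/net/unix and the `find` output; OpenSSH 6.8 as the release that introduced -G; and the glibc getopt wording "invalid option" alongside chkrootkit's illegal|unknown grep.

```python
import re

# Abstract Unix socket name quoted from the CERT-Bund FAQ in the thread.
EBURY_SOCKET = "@/proc/udevd"
# OpenSSH added -G upstream in 6.8; older releases reject the option.
SSH_G_INTRODUCED = (6, 8)
# Rejection wording: BSD getopt prints "illegal option", glibc getopt prints
# "invalid option"; chkrootkit itself only greps for illegal|unknown.
REJECTED = re.compile(r"illegal option|invalid option|unknown option")

def parse_openssh_version(banner):
    """'OpenSSH_6.9p1 Ubuntu-2, OpenSSL ...' (from ssh -V) -> (6, 9)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify_ssh_g(version_banner, ssh_g_output):
    """Verdict from 'ssh -G 2>&1': 'clean', 'suspicious' or 'inconclusive'.
    Ebury's patched ssh accepts -G, so an old ssh that does not reject -G is
    suspicious; a stock ssh >= 6.8 also accepts it (this bug's false positive).
    """
    if REJECTED.search(ssh_g_output):
        return "clean"
    version = parse_openssh_version(version_banner)
    if version is not None and version >= SSH_G_INTRODUCED:
        return "inconclusive"
    return "suspicious"

def ebury_socket_present(proc_net_unix_text):
    """True if the text of /proc/net/unix lists Ebury's abstract socket."""
    return any(line.rstrip().endswith(EBURY_SOCKET)
               for line in proc_net_unix_text.splitlines())

def triage(version_banner, ssh_g_output, proc_net_unix_text, libns2_paths):
    """Combine the thread's three indicators; returns (ssh_g_verdict, findings)."""
    findings = []
    if ebury_socket_present(proc_net_unix_text):
        findings.append("abstract socket %s is bound" % EBURY_SOCKET)
    if libns2_paths:  # output of: find /lib* -type f -name libns2.so
        findings.append("libns2.so present: %s" % ", ".join(libns2_paths))
    verdict = classify_ssh_g(version_banner, ssh_g_output)
    if verdict == "suspicious":
        findings.append("pre-6.8 ssh accepted -G")
    return verdict, findings

if __name__ == "__main__":
    # Constructed sample: clean box with OpenSSH 6.9, so -G just prints usage.
    print(triage("OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015",
                 "usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] ...",
                 "Num RefCount Protocol Flags Type St Inode Path\n", []))
```

An empty findings list with an "inconclusive" ssh -G verdict is the situation the reporter describes: nothing on the host points at Ebury, and the -G test alone cannot say otherwise on a modern OpenSSH.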


[Bug 1508248] Re: chkrootkit gives false positive ebury

2015-10-22 Thread sleek
** Changed in: chkrootkit (Ubuntu)
   Status: Incomplete => New
