Bug 1234436

Summary: Bogus Windigo reports
Product: Fedora
Reporter: DaveG <daveg>
Component: chkrootkit
Assignee: Gwyn Ciesla <gwync>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: a.galley, gwync, heldwin, manuel.wolfshant
Hardware: Unspecified
OS: Unspecified
Fixed In Version: chkrootkit-0.50-8.fc22 chkrootkit-0.50-8.fc23 chkrootkit-0.50-8.fc24
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-06-30 14:52:41 UTC

Description DaveG 2015-06-22 14:17:58 UTC
Description of problem:
chkrootkit always reports:

Possible Linux/Ebury - Operation Windigo installetd


Version-Release number of selected component (if applicable):
chkrootkit-0.50-4.fc22.x86_64
openssh-6.8p1-8.fc22.x86_64

How reproducible:
Always.

Additional info:
The test uses $(ssh -G) (print configuration and exit) and looks for signatures in the output. ssh -G now requires a host argument.

ssh -G
prints usage and exits 255, triggering the report.

ssh -G localhost
prints the configuration and exits 0.

I assume that openssh has changed recently.

Comment 1 DaveG 2015-08-02 12:15:01 UTC
After a little investigation....

The Linux/Ebury root-kit infects ssh and can be identified by the way it handles illegal or unknown command-line options, not printing an information line before usage: ...

Accepted wisdom is to invoke ssh with an illegal option and check that the expected extra line is there (clean) or missing (infected).

chkrootkit uses $(ssh -G) as its illegal invocation but OpenSSH added the '-G' option to print configuration back in 2014.

Long story short - chkrootkit needs to pick a different illegal option.

Currently unused options include djruzBHJUZ.

Changing the script (2 places) appears to work (I used -H, $(rpm -Vv openssh-clients) to check).

...
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
...
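
Added example (editorial, not chkrootkit's own test and not the reporter's patch): the Ebury heuristic from the description and from Comment 1 as a POSIX sh probe, with the guard that would have caught this bug, i.e. refusing to draw a conclusion from an option that the ssh under test documents as valid. The probe letter -H, the "unknown option" / "illegal option" / "invalid option" wording and the "usage: ssh [-<flags>]" layout are assumptions taken from the report and from OpenSSH's getopt output; confirm them against the ssh build you are checking.

```shell
#!/bin/sh
# Added example, not chkrootkit's own test and not the reporter's patch.
# Assumptions (verify against your ssh build): the probe option -H is
# unknown to ssh, BSD getopt's complaint reads "unknown option" (glibc
# getopt says "invalid option", older builds "illegal option"), and ssh's
# usage text starts with "usage: ssh [-<flags>]".

# Pure classifier over captured ssh output so the logic can be tested
# without a real ssh. Prints one of: clean, suspect, inconclusive.
classify_ssh_output() {
    output=$1
    case $output in
        *"unknown option"*|*"illegal option"*|*"invalid option"*)
            # getopt complained before printing usage: the stock code path.
            echo clean ;;
        *[Uu]sage:*)
            # Usage text with no complaint line. Either the binary drops the
            # line (the Ebury behaviour from Comment 1) or the option is
            # valid on this version and ssh bailed out for another reason,
            # which is the -G false positive this bug is about.
            echo suspect ;;
        *)
            echo inconclusive ;;
    esac
}

# Guard against the false positive: a probe letter that appears in ssh's own
# usage text ("[-1246AaCfGgKk...]" or "[-b bind_address]") is a valid option,
# so the probe says nothing about infection. Returns 0 if documented.
option_is_documented() {
    opt=$1
    usage=$2
    printf '%s\n' "$usage" | grep -q -e "\[-[A-Za-z0-9]*$opt"
}

# Run the probe against a real binary: ssh path (default ssh), option letter
# (default H). Exit status 0 = clean, 1 = suspect or inconclusive,
# 2 = probe option is valid on this build, pick another unused letter.
probe_ssh() {
    ssh_bin=${1:-ssh}
    opt=${2:-H}
    output=$("$ssh_bin" -"$opt" 2>&1)
    if option_is_documented "$opt" "$output"; then
        echo "option -$opt is documented by this ssh; probe is meaningless"
        return 2
    fi
    verdict=$(classify_ssh_output "$output")
    echo "ssh -$opt: $verdict"
    [ "$verdict" = clean ]
}

# Independent cross-check the reporter used in Comment 1: package file
# verification. A modified /usr/bin/ssh shows up as a size/digest mismatch.
# Not proof either: a rootkit that also patches rpm or its database hides here.
verify_ssh_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -Vv openssh-clients
}

# Stand-alone use: "sh probe.sh run" probes the system ssh, then cross-checks
# the package. Without the argument only the functions are defined.
if [ "${1:-}" = run ]; then
    probe_ssh ssh H
    verify_ssh_package
fi
```

classify_ssh_output on its own reproduces the bogus report: feed it what ssh -G prints on an OpenSSH that accepts -G (usage text with no complaint line) and it answers suspect, which is why probe_ssh runs option_is_documented first and bails out with status 2 instead of guessing. A suspect result from an undocumented letter is still only a heuristic; treat it as the trigger for comparing the binary's hash against the package offline, not as a finding.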

Comment 2 Fedora Update System 2016-06-20 14:57:59 UTC
chkrootkit-0.50-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a5f68c1854

Comment 3 Fedora Update System 2016-06-20 14:58:06 UTC
chkrootkit-0.50-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-afc728e85d

Comment 4 Fedora Update System 2016-06-20 14:58:11 UTC
chkrootkit-0.50-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-37fa8f9d3a

Comment 5 Gwyn Ciesla 2016-06-20 14:59:11 UTC
*** Bug 1279170 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2016-06-20 20:09:45 UTC
chkrootkit-0.50-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

Comment 7 Fedora Update System 2016-06-20 20:09:53 UTC
chkrootkit-0.50-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

Comment 8 Fedora Update System 2016-06-20 20:10:00 UTC
chkrootkit-0.50-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

Comment 9 Fedora Update System 2016-06-22 02:26:53 UTC
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

Comment 10 Fedora Update System 2016-06-22 02:27:20 UTC
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

Comment 11 Fedora Update System 2016-06-22 02:55:22 UTC
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

Comment 12 Fedora Update System 2016-06-30 14:52:33 UTC
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-06-30 19:53:20 UTC
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-06-30 21:29:13 UTC
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.