Bug 1234436 - Bogus Windigo reports
Summary: Bogus Windigo reports
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: chkrootkit
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1279170
Depends On:
Blocks:
Reported: 2015-06-22 14:17 UTC by DaveG
Modified: 2016-06-30 21:29 UTC (History)

Fixed In Version: chkrootkit-0.50-8.fc22 chkrootkit-0.50-8.fc23 chkrootkit-0.50-8.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-30 14:52:41 UTC
Type: Bug
Embargoed:



Description DaveG 2015-06-22 14:17:58 UTC
Description of problem:
chkrootkit always reports:

Possible Linux/Ebury - Operation Windigo installetd


Version-Release number of selected component (if applicable):
chkrootkit-0.50-4.fc22.x86_64
openssh-6.8p1-8.fc22.x86_64

How reproducible:
Always.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
The test uses $(ssh -G) (print configuration and exit) and looks for signatures in the output. ssh -G now requires a host argument.

ssh -G
prints usage and exits 255, triggering the report.

ssh -G localhost
prints the configuration and exits 0.

I assume that openssh has changed recently.

Comment 1 DaveG 2015-08-02 12:15:01 UTC
After a little investigation....

The Linux/Ebury root-kit infects ssh and can be identified by the way it handles illegal or unknown command-line options, not printing an information line before usage: ...

Accepted wisdom is to invoke ssh with an illegal option and check that the expected extra line is there (clean) or missing (infected).

chkrootkit uses $(ssh -G) as its illegal invocation, but OpenSSH added the '-G' option to print configuration back in 2014.

Long story short - chkrootkit needs to pick a different illegal option.

Currently unused options include djruzBHJUZ.

Changing the script (2 places) appears to work (I used -H, $(rpm -Vv openssh-clients) to check).

...
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
...
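
The check described in the description and in comment 1, written out as an added POSIX shell example (this is a reconstruction of the heuristic, not chkrootkit's own code): a stock OpenSSH client answers an option it does not accept with a rejection line such as "ssh: unknown option -- H" (or "illegal option" on other builds) ahead of its usage text, and the check treats the absence of that line as suspicious. The sample outputs, the function names `windigo_classify` and `windigo_probe`, and the usage line are constructed for the example; the list of unused option letters is the one given in comment 1.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): classify ssh's reaction to an
# option it should reject. Hypothetical function names; sample outputs are
# constructed, not captured from a real host.

# windigo_classify OUTPUT
# Takes the captured stdout+stderr of one ssh invocation and prints "clean"
# when the option-rejection line is present, "suspicious" when it is absent.
# Both the rejected-option case and the "-G without host" case exit 255, so
# the exit status alone cannot tell them apart; the text is the signal.
windigo_classify() {
    if printf '%s\n' "$1" | grep -E -q 'illegal option|unknown option'; then
        echo clean
    else
        echo suspicious
    fi
}

# windigo_probe SSH_BINARY OPTION
# Runs the real probe. OPTION must be a letter ssh does not accept; comment 1
# lists djruzBHJUZ as unused in OpenSSH 6.8. Probing with an option ssh does
# accept, as the -G probe did once OpenSSH 6.8 shipped, yields a false
# positive, because ssh prints usage only (missing host) with no rejection line.
windigo_probe() {
    out=$("$1" -"$2" 2>&1)
    windigo_classify "$out"
}

# Constructed sample: what a stock client prints for an option it rejects.
CLEAN_OUTPUT='ssh: unknown option -- H
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Constructed sample: what "ssh -G" with no host prints once -G is a valid
# option (usage only, exit 255). This is the bug's false positive.
USAGE_ONLY_OUTPUT='usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

windigo_classify "$CLEAN_OUTPUT"       # clean
windigo_classify "$USAGE_ONLY_OUTPUT"  # suspicious
```

On a live system `windigo_probe /usr/bin/ssh H` exercises the probe with a currently unused option; as comment 1 notes, confirming the result against the package database (`rpm -Vv openssh-clients`) is the sensible cross-check, since a changed or missing rejection line is only a heuristic and will break again the next time OpenSSH assigns a new option letter.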

Comment 2 Fedora Update System 2016-06-20 14:57:59 UTC
chkrootkit-0.50-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a5f68c1854

Comment 3 Fedora Update System 2016-06-20 14:58:06 UTC
chkrootkit-0.50-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-afc728e85d

Comment 4 Fedora Update System 2016-06-20 14:58:11 UTC
chkrootkit-0.50-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-37fa8f9d3a

Comment 5 Gwyn Ciesla 2016-06-20 14:59:11 UTC
*** Bug 1279170 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2016-06-20 20:09:45 UTC
chkrootkit-0.50-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

Comment 7 Fedora Update System 2016-06-20 20:09:53 UTC
chkrootkit-0.50-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

Comment 8 Fedora Update System 2016-06-20 20:10:00 UTC
chkrootkit-0.50-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

Comment 9 Fedora Update System 2016-06-22 02:26:53 UTC
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

Comment 10 Fedora Update System 2016-06-22 02:27:20 UTC
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

Comment 11 Fedora Update System 2016-06-22 02:55:22 UTC
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

Comment 12 Fedora Update System 2016-06-30 14:52:33 UTC
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-06-30 19:53:20 UTC
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-06-30 21:29:13 UTC
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

