Description of problem:
Run 'chkrootkit', result indicates possible Linux/Ebury.

Version-Release number of selected component (if applicable):
LABEL=Fedora-Live-Dsgn-x86_64-23_B-1

How reproducible:
New install, USB HD; do 'dnf install chkrootkit'; run 'chkrootkit'; do 'dnf update'; run 'chkrootkit'; problem persists.

Steps to Reproduce:
1. New install, USB HD; install chkrootkit;
2. Do 'dnf update';
3. Run 'chkrootkit'.

Actual results:
"Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd".

Expected results:
No infection.

Additional info:
Try 'dnf update', problem persists; Try 32-bit version, same problem.

\/
[root@localhost nbtt]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/debug/usr/.dwz
/usr/lib/modules/4.2.5-300.fc23.x86_64/.vmlinuz.hmac
/usr/lib/modules/4.2.0-300.fc23.x86_64/.vmlinuz.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
*** Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd ***
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! gdm 1693 tty1 /usr/libexec/gdm-x-session /usr/bin/gnome-session --autostart /usr/share/gdm/greeter/autostart
! gdm 1696 tty1 /usr/libexec/Xorg vt1 -displayfd 3 -auth /run/user/42/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -verbose 3
! gdm 1713 tty1 dbus-daemon --print-address 4 --session
! gdm 1716 tty1 /usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
! gdm 1733 tty1 /usr/libexec/at-spi-bus-launcher
! gdm 1738 tty1 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
! gdm 1742 tty1 /usr/libexec/at-spi2-registryd --use-gnome-session
! gdm 1758 tty1 /usr/libexec/gnome-settings-daemon
! gdm 1781 tty1 /usr/libexec/gvfsd
! gdm 1789 tty1 gnome-shell --mode=gdm
! gdm 1821 tty1 ibus-daemon --xim --panel disable
! gdm 1826 tty1 /usr/libexec/ibus-dconf
! gdm 1828 tty1 /usr/libexec/ibus-x11 --kill-daemon
! gdm 1846 tty1 /usr/libexec/gvfs-udisks2-volume-monitor
! gdm 1857 tty1 /usr/libexec/gvfs-mtp-volume-monitor
! gdm 1862 tty1 /usr/libexec/gvfs-afc-volume-monitor
! gdm 1868 tty1 /usr/libexec/gvfs-gphoto2-volume-monitor
! gdm 1873 tty1 /usr/libexec/gvfs-goa-volume-monitor
! gdm 1877 tty1 /usr/libexec/goa-daemon
! gdm 1884 tty1 /usr/libexec/goa-identity-service
! gdm 1887 tty1 /usr/libexec/mission-control-5
! gdm 1938 tty1 /usr/libexec/ibus-engine-simple
! nbtt 2767 pts/0 bash
! nbtt 2800 pts/0 su
! root 2808 pts/0 bash
! root 2837 pts/0 /usr/sbin/userhelper -t -w chkrootkit
! root 2840 pts/0 /bin/sh /usr/lib64/chkrootkit-0.50/chkrootkit
! root 3863 pts/0 ./chkutmp
! root 3864 pts/0 ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
[root@localhost nbtt]#
\/
.
=======================

*** This bug has been marked as a duplicate of bug 1234436 ***