chkrootkit gives false positive Linux/Ebury - Operation Windigo
Bug #1508248 reported by sleek
This bug affects 14 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
chkrootkit | Confirmed | Undecided | |
chkrootkit (Debian) | Fix Released | Unknown | |
chkrootkit (Fedora) | Fix Released | Undecided | |
chkrootkit (Ubuntu) | Fix Released | Low | Unassigned |
Xenial | Confirmed | Low | Unassigned |
Bug Description
I tried from ubuntuforums.org:
sudo netstat -nap | grep "@/proc/udevd" returns nothing
sudo find /lib* -type f -name libns2.so returns nothing either
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: chkrootkit 0.50-3.1ubuntu1
ProcVersionSign
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Oct 20 17:31:49 2015
InstallationDate: Installed on 2015-10-17 (3 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: chkrootkit
UpgradeStatus: Upgraded to wily on 2015-10-20 (0 days ago)
Changed in chkrootkit (Ubuntu):
status: Incomplete → New
Changed in chkrootkit (Ubuntu):
importance: Undecided → Low
no longer affects: chkrootkit
Changed in chkrootkit (Ubuntu):
status: Confirmed → Triaged
Changed in chkrootkit:
status: New → Confirmed
summary:
- chkrootkit gives false positive ebury
+ chkrootkit gives false positive Linux/Ebury - Operation Windigo
Changed in chkrootkit (Debian):
status: Unknown → Confirmed
Changed in chkrootkit (Debian):
status: Confirmed → Fix Released
Changed in chkrootkit (Fedora):
importance: Unknown → Undecided
status: Unknown → Fix Released
Changed in chkrootkit (Ubuntu):
assignee: nobody → Adhar Maheshwari (addy-m)
assignee: Adhar Maheshwari (addy-m) → nobody
Changed in chkrootkit (Ubuntu):
status: Triaged → Fix Released
Changed in chkrootkit (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Low
Description of problem:
chkrootkit always reports:
Possible Linux/Ebury - Operation Windigo installetd
Version-Release number of selected component (if applicable):
chkrootkit-0.50-4.fc22.x86_64
openssh-6.8p1-8.fc22.x86_64
How reproducible:
Always.
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
The test uses $(ssh -G) (print configuration and exit) and looks for signatures in the output. ssh -G now requires a host argument.
ssh -G
prints usage and exits 255, triggering the report.
ssh -G localhost
prints configuration and exits 0.
I assume that openssh has changed recently.
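The false positive described in the comment above, as an added example that is not part of the bug report or of chkrootkit's own code: it compares a string-only check on `ssh -G` output with a triage that also reads the exit status. The function names, the `illegal option` / `unknown option` signature strings and both sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify captured `ssh -G` output instead of flagging
# whenever an error string is missing. Sample outputs are constructed.

# String-only heuristic (signature strings are an assumption): the client is
# treated as clean only if it rejects -G as an option it does not know.
legacy_verdict() {
    if printf '%s\n' "$1" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean
    else
        echo flagged
    fi
}

# Refined triage: $1 = combined stdout/stderr of `ssh -G`, $2 = its exit status.
triage_verdict() {
    out=$1
    rc=$2
    if printf '%s\n' "$out" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean-no-G-support
    elif [ "$rc" -eq 255 ] && printf '%s\n' "$out" | grep -q '^usage: ssh'; then
        # A client with a native -G that was called without a host argument:
        # a plain usage error, which is not evidence of Ebury either way.
        echo inconclusive-usage-error
    else
        echo needs-review
    fi
}

# Constructed sample: client without -G support.
SAMPLE_OLD='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [user@]hostname [command]'
# Constructed sample: client with native -G, run without a host.
SAMPLE_NEW='usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [user@]hostname [command]'

demo() {
    echo "old client: legacy=$(legacy_verdict "$SAMPLE_OLD") triage=$(triage_verdict "$SAMPLE_OLD" 255)"
    echo "new client: legacy=$(legacy_verdict "$SAMPLE_NEW") triage=$(triage_verdict "$SAMPLE_NEW" 255)"
}
demo
```

On a live host, capture `ssh -G 2>&1` and its exit status and pass both to `triage_verdict`; an inconclusive result can be followed by `ssh -G localhost`, which the comment above reports as printing the configuration and exiting 0.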