Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 116 views
WARNING: /etc/chkrootkit.conf is deprecated. Please put your settings in /etc/chkrootkit/chkrootkit.conf instead
I just went through a few hundred messages in `root`'s `mail`; there were plenty of these:

> `/etc/cron.daily/chkrootkit`: **WARNING**: `/etc/chkrootkit.conf` is deprecated. Please put your settings in `/etc/chkrootkit/chkrootkit.conf` instead: `/etc/chkrootkit.conf` will be ignored in a future release and should be deleted.
May I safely delete that obsoleted config file?
Vlastimil Burián
(30515 rep)
Apr 12, 2024, 10:49 PM
18 votes, 4 answers, 30463 views
Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
I am on Ubuntu, I am trying to install rkhunter. I've tried `apt-get install rkhunter`, with success. But then I did `rkhunter --update` and kept getting:

> Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
code-8
(482 rep)
Jan 17, 2020, 04:23 AM
• Last activity: Apr 2, 2024, 02:22 AM
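Some context on the error above, followed by an added example that is not from the question and not rkhunter's own code. The Debian/Ubuntu rkhunter package deliberately ships `/etc/rkhunter.conf` with `WEB_CMD="/bin/false"` so that `rkhunter --update` cannot fetch data files over the network; the package itself maintains those files. The commonly circulated workaround, when you do want `--update` to work, is to set `UPDATE_MIRRORS=1`, `MIRRORS_MODE=0` and `WEB_CMD=""`. The script below rewrites exactly those three keys in a configuration body and leaves every other line alone; `fix_rkhunter_conf` and `current_settings` are the example's own names, and the sample configuration is constructed for the example (modelled on the stock file, not copied from it).

```python
"""Rewrite rkhunter.conf so that `rkhunter --update` is no longer refused.

Added example, not from the question and not rkhunter code. It assumes the
Debian/Ubuntu layout in which /etc/rkhunter.conf ships WEB_CMD="/bin/false".
UPDATE_MIRRORS, MIRRORS_MODE and WEB_CMD are real rkhunter.conf options.
"""
import re

# Values the usual workaround sets.
WANTED = {
    "UPDATE_MIRRORS": "1",   # refresh the mirrors list on --update
    "MIRRORS_MODE": "0",     # 0 = any mirror may be used
    "WEB_CMD": '""',         # empty: let rkhunter choose wget/curl itself
}

# Matches 'KEY=value' and commented-out defaults such as '#KEY=value'.
_KEY_RE = re.compile(r'^\s*#?\s*(?P<key>[A-Z_]+)\s*=\s*(?P<val>.*?)\s*$')


def fix_rkhunter_conf(text: str) -> str:
    """Return the configuration with the WANTED keys set; nothing else changes.

    An existing (even commented-out) assignment is replaced in place, a
    duplicate definition is dropped, and a key the file never mentions is
    appended so the result is explicit.
    """
    seen = set()
    out = []
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m and m.group("key") in WANTED:
            key = m.group("key")
            if key in seen:
                continue
            seen.add(key)
            out.append(f"{key}={WANTED[key]}")
        else:
            out.append(line)
    for key, val in WANTED.items():
        if key not in seen:
            out.append(f"{key}={val}")
    return "\n".join(out) + "\n"


def current_settings(text: str) -> dict:
    """Active (uncommented) values of the WANTED keys in a configuration body."""
    found = {}
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m and not line.lstrip().startswith("#") and m.group("key") in WANTED:
            found[m.group("key")] = m.group("val")
    return found


# Constructed excerpt modelled on the Ubuntu default file (not the real file).
SAMPLE_CONF = """\
# rkhunter.conf (excerpt, constructed for this example)
UPDATE_MIRRORS=0
MIRRORS_MODE=1
# Note: The Debian package does not support this option.
WEB_CMD="/bin/false"
ALLOWHIDDENDIR=/etc/.java
"""

if __name__ == "__main__":
    print(fix_rkhunter_conf(SAMPLE_CONF))
    # On a real host, keep a backup and write the result back, for example:
    #   with open("/etc/rkhunter.conf") as fh: conf = fh.read()
    #   with open("/etc/rkhunter.conf.bak", "w") as fh: fh.write(conf)
    #   with open("/etc/rkhunter.conf", "w") as fh: fh.write(fix_rkhunter_conf(conf))
```

Whether to apply this is a policy decision: the packaging disables downloads on purpose, and re-enabling them adds a trust dependency on the mirrors list. If all you want is a scan that stops complaining, leave `WEB_CMD` as shipped and do not run `--update`; the file-property database that the scan itself compares against is refreshed with `rkhunter --propupd`, which needs no network at all.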
0 votes, 1 answer, 484 views
chkrootkit unable to execute by shell
I installed `chkrootkit` with yum on a CentOS 6.5 server with Plesk 12.5, but I'm unable to execute it.

```
[root@~]# chkrootkit
-bash: chkrootkit: command not found
[root@~]#
```

I cannot locate the application, but yum says it's installed.
antony
(101 rep)
Nov 16, 2015, 08:51 PM
• Last activity: Feb 4, 2024, 10:47 AM
0 votes, 1 answer, 215 views
Searching for rootkits with chkrootkit return unexpected results
I ran the rootkit program after his suggestion and noticed something on one line that said

> Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed /tmp/RustDesk/ipc.pid

Is there anything to be worried about? Do I have to change something? Or do something to get it fixed?

1. Before trying to remove RustDesk using `sudo apt remove RustDesk`
2. After running `sudo apt remove RustDesk`, I noticed one more line that said

> Checking `lkm'... OooPS, not expected 309900 value
> chkproc: Warning: Possible LKM Trojan installed
Brendon Gomes
(1 rep)
Oct 31, 2023, 05:45 PM
• Last activity: Nov 1, 2023, 06:04 PM
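The `chkproc: Warning: Possible LKM Trojan installed` line comes from chkrootkit's `chkproc` test, which compares the PIDs it finds through `/proc` and direct kernel queries with the output of `ps` and complains about any difference, so a process that starts or exits during the comparison produces exactly this message and a rerun usually makes it vanish. The Python below is an added example, not chkrootkit's code and not from the question, that does the same kind of cross-check in a way that filters the usual false positives: it asks the kernel directly whether each PID exists (kill with signal 0) and reports only PIDs that the kernel knows but for which no `/proc/<pid>` entry exists at all. `find_hidden_pids`, `kernel_knows_pid`, `listed_pids` and `self_check` are the example's own names; it is Linux only.

```python
"""Cross-check the PIDs the kernel answers for against what /proc lists.

Added example (not chkrootkit's chkproc, not from the question). Idea: a
process hidden by an LKM rootkit is still a task the kernel will signal,
but it is missing from readdir(/proc). Two classic false positives are
filtered out: thread IDs (never listed by readdir, yet /proc/<tid> exists)
and processes that were forked or exited while the scan ran. Linux only;
inside a container only that PID namespace is visible.
"""
import os
from typing import Dict, List


def kernel_knows_pid(pid: int) -> bool:
    """True if a task with this ID exists (EPERM still means it exists)."""
    try:
        os.kill(pid, 0)  # signal 0: existence and permission check only
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def listed_pids() -> set:
    """PIDs that readdir(/proc) exposes, i.e. what ps/top can see."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def find_hidden_pids(max_pid: int = None) -> List[int]:
    """Task IDs alive for the kernel but with no /proc/<pid> entry at all.

    Filter 1 is the chkproc idea (alive but absent from the readdir
    snapshot). Filter 2, a direct stat of /proc/<pid>, removes thread IDs
    and anything forked after the snapshot. A process that forks and exits
    between the two checks can still slip through; rerun to confirm a hit.
    """
    if not os.path.isdir("/proc"):
        return []
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    snapshot = listed_pids()
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in snapshot or not kernel_knows_pid(pid):
            continue
        if os.path.exists(f"/proc/{pid}"):
            continue  # thread ID or a process started after the snapshot
        hidden.append(pid)
    return hidden


def self_check() -> Dict[str, object]:
    """Facts about the running process, handy as a smoke test of the method."""
    me = os.getpid()
    has_proc = os.path.isdir("/proc")
    return {
        "pid": me,
        "proc_available": has_proc,
        "known": kernel_knows_pid(me),
        "listed": (me in listed_pids()) if has_proc else False,
    }


if __name__ == "__main__":
    hits = find_hidden_pids()
    if hits:
        print("alive but absent from /proc:", hits)
    else:
        print("no hidden PIDs found (absence of a hit is not proof of a clean host)")
```

A full scan walks every PID up to `pid_max`, which takes a few seconds in Python; a hit that survives a second run is worth a memory image, because a rootkit capable of hiding from `/proc` can also lie to anything else that runs on the same kernel.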
1 vote, 2 answers, 1466 views
chkrootkit reports possible malicious Linux.Xor.DDoS installed - how do I verify?
The files of concern it reports are below. I'm not worried about the ones in `/tmp/yarn*` as I believe that's the package manager for `NodeJS`, but the ones in `/tmp/_MEI*` are concerning.

The other issue it reports is this:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! ubuntu 10310 pts/0 /bin/bash
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/_MEILouf0P/_bz2.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/readline.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/compose/config/config_schema_v1.json
/tmp/_MEILouf0P/compose/config/config_schema_compose_spec.json
/tmp/_MEILouf0P/compose/GITSHA
/tmp/_MEILouf0P/libffi-806b1a9d.so.6.0.4
/tmp/_MEILouf0P/base_library.zip
/tmp/_MEILouf0P/_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/binascii.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_ssl.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_heapq.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_random.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/unicodedata.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_sha256.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_cffi_backend.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_multibytecodec.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_sha3.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/libbz2.so.1.0
/tmp/_MEILouf0P/cryptography/hazmat/bindings/_openssl.abi3.so
/tmp/_MEILouf0P/_bisect.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/nacl/_sodium.abi3.so
/tmp/_MEILouf0P/_codecs_jp.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_sha1.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/libtinfo.so.5
/tmp/_MEILouf0P/array.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/fcntl.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_opcode.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_json.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/libcrypto.so.1.1
/tmp/_MEILouf0P/_pickle.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/lib/python3.7/config-3.7m-x86_64-linux-gnu/Makefile
/tmp/_MEILouf0P/jsonschema/schemas/draft3.json
/tmp/_MEILouf0P/jsonschema/schemas/draft4.json
/tmp/_MEILouf0P/jsonschema/schemas/draft6.json
/tmp/_MEILouf0P/jsonschema/schemas/draft7.json
/tmp/_MEILouf0P/_queue.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_asyncio.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_contextvars.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_lzma.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/termios.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/certifi/cacert.pem
/tmp/_MEILouf0P/_struct.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_codecs_hk.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_uuid.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_hashlib.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/libreadline.so.7
/tmp/_MEILouf0P/libpython3.7m.so.1.0
/tmp/_MEILouf0P/libexpat.so.1
/tmp/_MEILouf0P/liblzma.so.5
/tmp/_MEILouf0P/libz.so.1
/tmp/_MEILouf0P/libssl.so.1.1
/tmp/_MEILouf0P/_codecs_tw.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_blake2.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/math.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_codecs_cn.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_ctypes.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_datetime.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_sha512.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/pyexpat.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_codecs_kr.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/AUTHORS.rst
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/WHEEL
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/RECORD
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/top_level.txt
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/METADATA
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/LICENSE.APACHE
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/REQUESTED
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/LICENSE.BSD
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/LICENSE.PSF
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/INSTALLER
/tmp/_MEILouf0P/cryptography-3.0-py3.7.egg-info/LICENSE
/tmp/_MEILouf0P/pvectorc.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_socket.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/bcrypt/_bcrypt.abi3.so
/tmp/_MEILouf0P/_multiprocessing.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_md5.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/include/python3.7m/pyconfig.h
/tmp/_MEILouf0P/resource.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/mmap.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/grp.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/_decimal.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/select.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/WHEEL
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/RECORD
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/top_level.txt
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/METADATA
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/COPYING
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/REQUESTED
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/entry_points.txt
/tmp/_MEILouf0P/jsonschema-3.2.0-py3.7.egg-info/INSTALLER
/tmp/_MEILouf0P/zlib.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/libuuid.so.1
/tmp/_MEILouf0P/importlib_metadata-2.0.0-py3.7.egg-info/WHEEL
/tmp/_MEILouf0P/importlib_metadata-2.0.0-py3.7.egg-info/RECORD
/tmp/_MEILouf0P/importlib_metadata-2.0.0-py3.7.egg-info/top_level.txt
/tmp/_MEILouf0P/importlib_metadata-2.0.0-py3.7.egg-info/METADATA
/tmp/_MEILouf0P/importlib_metadata-2.0.0-py3.7.egg-info/INSTALLER
/tmp/_MEILouf0P/importlib_metadata-2.0.0-py3.7.egg-info/LICENSE
/tmp/_MEILouf0P/_csv.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEILouf0P/libffi.so.6
/tmp/yarn--1609279800756-0.33405718762260905/yarn
/tmp/yarn--1609279800756-0.33405718762260905/node
/tmp/yarn--1609191066355-0.8535292494076665/yarn
/tmp/yarn--1609191066355-0.8535292494076665/node
/tmp/yarn--1608588658536-0.42316004848610067/node
/tmp/yarn--1608588767050-0.858125045173411/yarn
/tmp/yarn--1608588767050-0.858125045173411/node
/tmp/_MEImKelGf/_bz2.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/readline.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/compose/config/config_schema_v1.json
/tmp/_MEImKelGf/compose/config/config_schema_compose_spec.json
/tmp/_MEImKelGf/compose/GITSHA
/tmp/_MEImKelGf/libffi-806b1a9d.so.6.0.4
/tmp/_MEImKelGf/base_library.zip
/tmp/_MEImKelGf/_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/binascii.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_ssl.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_heapq.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_random.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/unicodedata.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_sha256.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_cffi_backend.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_multibytecodec.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_sha3.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/libbz2.so.1.0
/tmp/_MEImKelGf/cryptography/hazmat/bindings/_openssl.abi3.so
/tmp/_MEImKelGf/_bisect.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/nacl/_sodium.abi3.so
/tmp/_MEImKelGf/_codecs_jp.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_sha1.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/libtinfo.so.5
/tmp/_MEImKelGf/array.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/fcntl.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_opcode.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_json.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/libcrypto.so.1.1
/tmp/_MEImKelGf/_pickle.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/lib/python3.7/config-3.7m-x86_64-linux-gnu/Makefile
/tmp/_MEImKelGf/jsonschema/schemas/draft3.json
/tmp/_MEImKelGf/jsonschema/schemas/draft4.json
/tmp/_MEImKelGf/jsonschema/schemas/draft6.json
/tmp/_MEImKelGf/jsonschema/schemas/draft7.json
/tmp/_MEImKelGf/_queue.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_asyncio.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_contextvars.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_lzma.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/termios.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/certifi/cacert.pem
/tmp/_MEImKelGf/_struct.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_codecs_hk.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_uuid.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_hashlib.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/libreadline.so.7
/tmp/_MEImKelGf/libpython3.7m.so.1.0
/tmp/_MEImKelGf/libexpat.so.1
/tmp/_MEImKelGf/liblzma.so.5
/tmp/_MEImKelGf/libz.so.1
/tmp/_MEImKelGf/libssl.so.1.1
/tmp/_MEImKelGf/_codecs_tw.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_blake2.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/math.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_codecs_cn.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_ctypes.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_datetime.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_sha512.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/pyexpat.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_codecs_kr.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/AUTHORS.rst
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/WHEEL
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/RECORD
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/top_level.txt
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/METADATA
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/LICENSE.APACHE
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/REQUESTED
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/LICENSE.BSD
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/LICENSE.PSF
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/INSTALLER
/tmp/_MEImKelGf/cryptography-3.0-py3.7.egg-info/LICENSE
/tmp/_MEImKelGf/pvectorc.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_socket.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/bcrypt/_bcrypt.abi3.so
/tmp/_MEImKelGf/_multiprocessing.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_md5.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/include/python3.7m/pyconfig.h
/tmp/_MEImKelGf/resource.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/mmap.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/grp.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/_decimal.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/select.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/WHEEL
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/RECORD
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/top_level.txt
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/METADATA
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/COPYING
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/REQUESTED
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/entry_points.txt
/tmp/_MEImKelGf/jsonschema-3.2.0-py3.7.egg-info/INSTALLER
/tmp/_MEImKelGf/zlib.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/libuuid.so.1
/tmp/_MEImKelGf/importlib_metadata-2.0.0-py3.7.egg-info/WHEEL
/tmp/_MEImKelGf/importlib_metadata-2.0.0-py3.7.egg-info/RECORD
/tmp/_MEImKelGf/importlib_metadata-2.0.0-py3.7.egg-info/top_level.txt
/tmp/_MEImKelGf/importlib_metadata-2.0.0-py3.7.egg-info/METADATA
/tmp/_MEImKelGf/importlib_metadata-2.0.0-py3.7.egg-info/INSTALLER
/tmp/_MEImKelGf/importlib_metadata-2.0.0-py3.7.egg-info/LICENSE
/tmp/_MEImKelGf/_csv.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEImKelGf/libffi.so.6
/tmp/yarn--1609263723673-0.6031838839525887/yarn
/tmp/yarn--1609263723673-0.6031838839525887/node
/tmp/yarn--1609277998119-0.8745144750321017/yarn
/tmp/yarn--1609277998119-0.8745144750321017/node
/tmp/yarn--1608588658537-0.13657552414741292/node
/tmp/yarn--1609279495677-0.46573089763830744/yarn
/tmp/yarn--1609279495677-0.46573089763830744/node
/tmp/yarn--1608604249272-0.2771300551326392/yarn
/tmp/yarn--1608604249272-0.2771300551326392/node
/tmp/yarn--1608588658537-0.6820815653744035/yarn
/tmp/yarn--1608588658537-0.6820815653744035/node
/tmp/yarn--1608601183847-0.8705271739263436/yarn
/tmp/yarn--1608601183847-0.8705271739263436/node
/tmp/_MEIj3d49T/_bz2.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/readline.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/compose/config/config_schema_v1.json
/tmp/_MEIj3d49T/compose/config/config_schema_compose_spec.json
/tmp/_MEIj3d49T/compose/GITSHA
/tmp/_MEIj3d49T/libffi-806b1a9d.so.6.0.4
/tmp/_MEIj3d49T/base_library.zip
/tmp/_MEIj3d49T/_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/binascii.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_ssl.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_heapq.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_random.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/unicodedata.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_sha256.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_cffi_backend.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_multibytecodec.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_sha3.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/libbz2.so.1.0
/tmp/_MEIj3d49T/cryptography/hazmat/bindings/_openssl.abi3.so
/tmp/_MEIj3d49T/_bisect.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/nacl/_sodium.abi3.so
/tmp/_MEIj3d49T/_codecs_jp.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_sha1.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/libtinfo.so.5
/tmp/_MEIj3d49T/array.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/fcntl.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_opcode.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_json.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/libcrypto.so.1.1
/tmp/_MEIj3d49T/_pickle.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/lib/python3.7/config-3.7m-x86_64-linux-gnu/Makefile
/tmp/_MEIj3d49T/jsonschema/schemas/draft3.json
/tmp/_MEIj3d49T/jsonschema/schemas/draft4.json
/tmp/_MEIj3d49T/jsonschema/schemas/draft6.json
/tmp/_MEIj3d49T/jsonschema/schemas/draft7.json
/tmp/_MEIj3d49T/_queue.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_asyncio.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_contextvars.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_lzma.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/termios.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/certifi/cacert.pem
/tmp/_MEIj3d49T/_struct.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_codecs_hk.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_uuid.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_hashlib.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/libreadline.so.7
/tmp/_MEIj3d49T/libpython3.7m.so.1.0
/tmp/_MEIj3d49T/libexpat.so.1
/tmp/_MEIj3d49T/liblzma.so.5
/tmp/_MEIj3d49T/libz.so.1
/tmp/_MEIj3d49T/libssl.so.1.1
/tmp/_MEIj3d49T/_codecs_tw.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_blake2.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/math.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_codecs_cn.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_ctypes.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_datetime.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_sha512.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/pyexpat.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_codecs_kr.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/AUTHORS.rst
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/WHEEL
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/RECORD
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/top_level.txt
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/METADATA
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/LICENSE.APACHE
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/REQUESTED
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/LICENSE.BSD
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/LICENSE.PSF
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/INSTALLER
/tmp/_MEIj3d49T/cryptography-3.0-py3.7.egg-info/LICENSE
/tmp/_MEIj3d49T/pvectorc.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_socket.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/bcrypt/_bcrypt.abi3.so
/tmp/_MEIj3d49T/_multiprocessing.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_md5.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/include/python3.7m/pyconfig.h
/tmp/_MEIj3d49T/resource.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/mmap.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/grp.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/_decimal.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/select.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/WHEEL
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/RECORD
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/top_level.txt
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/METADATA
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/COPYING
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/REQUESTED
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/entry_points.txt
/tmp/_MEIj3d49T/jsonschema-3.2.0-py3.7.egg-info/INSTALLER
/tmp/_MEIj3d49T/zlib.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/libuuid.so.1
/tmp/_MEIj3d49T/importlib_metadata-2.0.0-py3.7.egg-info/WHEEL
/tmp/_MEIj3d49T/importlib_metadata-2.0.0-py3.7.egg-info/RECORD
/tmp/_MEIj3d49T/importlib_metadata-2.0.0-py3.7.egg-info/top_level.txt
/tmp/_MEIj3d49T/importlib_metadata-2.0.0-py3.7.egg-info/METADATA
/tmp/_MEIj3d49T/importlib_metadata-2.0.0-py3.7.egg-info/INSTALLER
/tmp/_MEIj3d49T/importlib_metadata-2.0.0-py3.7.egg-info/LICENSE
/tmp/_MEIj3d49T/_csv.cpython-37m-x86_64-linux-gnu.so
/tmp/_MEIj3d49T/libffi.so.6
I ran `lynis` and `rkhunter` but they didn't report this. How do I know if I actually have this rootkit installed or not?
Gezim
(111 rep)
Dec 30, 2020, 10:18 PM
• Last activity: Sep 20, 2023, 01:54 AM
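For the `Linux.Xor.DDoS` hits in the two questions above (the `/tmp/RustDesk/ipc.pid` one and the long `/tmp/_MEI*` and `/tmp/yarn--*` listing), it helps to know what the test does: in the chkrootkit script this check is a `find` over `/tmp` and `/var/tmp` for regular files with an execute bit, and every such file is printed under the INFECTED banner. The report therefore means "there are executable files in your temp directories", not that a malware signature matched. The Python below is an added example (not chkrootkit code, not from either question) that parses that section of a report, groups the paths by their top-level temp entry and attaches a heuristic origin label: `_MEI*` directories containing `base_library.zip` are what PyInstaller one-file executables unpack at start-up (the `compose/GITSHA` entries point at a PyInstaller-built docker-compose), and `yarn--<timestamp>-<random>` directories holding only `yarn` and `node` are yarn's run-time shims. Those labels, the `triage` and `describe_file` helpers and the sample report body (constructed from the paths quoted above) are the example's own.

```python
"""Triage the file list behind chkrootkit's 'Linux.Xor.DDoS' INFECTED banner.

Added example (not chkrootkit code, not from either question). The test in
the chkrootkit script is a find over /tmp and /var/tmp for regular files
with an execute bit; every hit is printed under the banner. This script
parses that section, groups the paths by their top-level temp entry and
attaches a heuristic origin label. Labels are this example's own guesses
about where such directories usually come from; they are not verdicts.
"""
import hashlib
import os
import pwd
import re
import stat
import time
from collections import defaultdict
from typing import Dict, List

BANNER = "INFECTED: Possible Malicious Linux.Xor.DDoS installed"


def extract_hit_paths(report: str) -> List[str]:
    """Paths printed after the banner, up to the next non-path output line."""
    paths, capturing = [], False
    for line in report.splitlines():
        line = line.strip()
        if BANNER in line:
            capturing = True
            continue
        if capturing:
            if line.startswith("/"):
                paths.append(line)
            elif line:
                break  # the next check's output has begun
    return paths


def group_key(path: str) -> str:
    """Top-level temp entry, e.g. /tmp/_MEILouf0P for /tmp/_MEILouf0P/compose/GITSHA."""
    parts = path.split("/")
    return "/".join(parts[:3]) if len(parts) > 3 else path


def label_group(key: str, files: List[str]) -> str:
    """Heuristic origin of one group (assumption-based, see module docstring)."""
    names = {f.rsplit("/", 1)[-1] for f in files}
    base = key.rsplit("/", 1)[-1]
    if base.startswith("_MEI") and "base_library.zip" in names:
        return "PyInstaller one-file bundle, unpacked at program start"
    if re.fullmatch(r"yarn--\d+-0\.\d+", base) and names <= {"yarn", "node"}:
        return "yarn run-time shim directory"
    return "UNKNOWN: identify the owning process before deciding"


def triage(report: str) -> Dict[str, dict]:
    """Group the flagged paths and label each group."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in extract_hit_paths(report):
        groups[group_key(p)].append(p)
    return {k: {"count": len(v), "label": label_group(k, v)} for k, v in groups.items()}


def describe_file(path: str) -> dict:
    """Facts to record for a flagged file that still exists (live-host use)."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return {
        "owner": owner,
        "mode": stat.filemode(st.st_mode),
        "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
        "sha256": digest.hexdigest(),  # compare with the package you believe it came from
    }


# Constructed report excerpt built from the paths quoted in the two questions.
SAMPLE_REPORT = """\
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/_MEILouf0P/base_library.zip
/tmp/_MEILouf0P/libpython3.7m.so.1.0
/tmp/_MEILouf0P/compose/GITSHA
/tmp/yarn--1609279800756-0.33405718762260905/yarn
/tmp/yarn--1609279800756-0.33405718762260905/node
/tmp/RustDesk/ipc.pid
Searching for suspect PHP files... nothing found
"""

if __name__ == "__main__":
    for key, info in triage(SAMPLE_REPORT).items():
        print(f"{info['count']:4d}  {key:<50} {info['label']}")
```

A PyInstaller or yarn label is a reason to check, not to stop: confirm that a docker-compose or yarn process was actually running when the directory appeared (`ls -ld --time-style=full-iso` on it, `lsof +D /tmp/_MEI...` while it is in use), and for anything UNKNOWN, such as a `.pid` file carrying an execute bit, find the process that owns it with `lsof` or `fuser` before deciding. Hashing the binaries and comparing them with the packages you installed is stronger evidence than a directory name in either direction.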
0 votes, 3 answers, 3052 views
Can I remove "Linux/Ebury Operation Windigo" without wiping the entire drive?
I used `chkrootkit`, which told me that I had "Linux/Ebury Operation Windigo" installed. I double-checked by running `ssh -G`, which printed out usage without "illegal option". I removed all ssh files and reinstalled it, but when I ran `ssh -G` again I still had it, also detected by `chkrootkit`.

Can you remove this without wiping the entire drive? Are there any files I should be looking for?
DisplayName
(12016 rep)
Mar 7, 2016, 10:07 PM
• Last activity: Apr 28, 2022, 11:54 AM
0 votes, 1 answer, 72 views
Help in interpreting chkrootkit analysis for MS Teams package
I run `chkrootkit` from time to time to make sure my install does not get infected. Today I ran it while MS Teams was on (I need to use it for my classes).

Here is what I found:

```
Checking `chkutmp'...
The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! ted-code-mitigations
0 -id=6 --shared-files=v8_snapshot_data:100 --msteams-process-type=notificationsManager
! ent-id=4
0 n-frame-before-activation --no-v8-untrusted-code-mitigations --shared-files=v8_snapshot_data:100 --msteams-process-type=mainWindow
! tron-site-instance-overrides
0 derer --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --shared-files=v8_snapshot_data:100 --msteams-process-type=experience-renderer
! =v8_snapshot_data:100
0 usted-code-mitigations --msteams-process-type=pluginHost
```
Any expert analysis/advice beyond "Don't use this Microsoft/evil corp. software"?
matemathieu
(1 rep)
Oct 26, 2021, 08:52 AM
• Last activity: Oct 26, 2021, 11:18 AM
1 vote, 1 answer, 578 views
CentOS 7 Malware? - User "impress+" executes a command ("cron") with a high CPU consumption
One of my "CentOS 7" servers is showing very *strange behavior*. A user named "**impress+**" executes a command called "**cron**". This "cron" command is executed with a **high CPU consumption**.

I worry because I suspect it may be **malware**...

This server has nothing installed, just "sshd" running.

**QUESTION:** What can I do to find out more about this "impress+" user and this "cron" command?

**Thanks! =D**
Eduardo Lúcio
(713 rep)
Feb 13, 2020, 02:05 PM
• Last activity: Feb 17, 2020, 12:34 AM
3 votes, 2 answers, 3702 views
rkhunter /usr/bin/ssh && /usr/sbin/sshd [Warning]
My last rkhunter scan reported a couple of warnings that deserve to be checked. The main reason for my suspicion is that I wasn't on the machine at 03-Apr-2014 01:12:12 AM.

I googled to understand the purpose of the two files I mentioned in the question title, but I didn't find very helpful answers. Can anybody tell me what the aim of those files is, and maybe also why/when they would be modified by the system itself?

```
[10:17:11] Warning: The file properties have changed:
[10:17:11] File: /usr/sbin/sshd
[10:17:11] Current hash: 900e153506754ceb7b19f3a01a3ad5e36d43d958
[10:17:11] Stored hash : 55a1a63a46d84eb9d0322f96bd9a61f070e90698
[10:17:11] Current inode: 149998 Stored inode: 142248
[10:17:11] Current file modification time: 1396480332 (03-Apr-2014 01:12:12)
[10:17:11] Stored file modification time : 1360359087 (08-Feb-2013 22:31:27)
_________________________________
[10:17:34] Warning: The file properties have changed:
[10:17:34] File: /usr/bin/ssh
[10:17:34] Current hash: 60366d414c711a70f9e313f5ff26213ca513b565
[10:17:34] Stored hash : 1b410fb0de841737f963e1ee011989f155f41259
[10:17:34] Current inode: 150030 Stored inode: 142203
[10:17:34] Current file modification time: 1396480332 (03-Apr-2014 01:12:12)
[10:17:34] Stored file modification time : 1360359087 (08-Feb-2013 22:31:27)
```

The apt log files are making me worry; I censored a couple of details. Apparently on 03-Apr-2014 I didn't install anything.

```
Start-Date: 2014-04-01 15:49:18
Commandline: ***********
Install: ***********
End-Date: 2014-04-01 15:49:29
Start-Date: 2014-04-08 14:03:52
Commandline: ***********
Install: ***********
End-Date: 2014-04-08 14:04:04
```

By the way, I think (hope) they are false positives [edit: not anymore]. Maybe files edited by some process of the system and normally not recorded in the .dat file of rkhunter because I didn't update it. I came here to find some confirmation or some more paranoia.
lese
(2756 rep)
Apr 18, 2014, 09:23 AM
• Last activity: Dec 14, 2019, 03:38 PM
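The rkhunter warnings above say that `/usr/sbin/sshd` and `/usr/bin/ssh` both changed at the same second, 03-Apr-2014 01:12:12. Two facts help read that: dpkg preserves the modification time stored inside the .deb, so on a Debian-based system a binary's mtime is the package build time rather than the moment it was written to your disk, and rkhunter only knows the hashes it recorded at the last `rkhunter --propupd`, so any package upgrade since then shows up as a changed file. The decisive question is whether the current binaries match what the installed package shipped, which dpkg records per package in `/var/lib/dpkg/info/<package>.md5sums`. The Python below is an added example, not the question's or rkhunter's code: `parse_md5sums` reads that format, `verify_path` compares a file against it, `verify_installed` does the same on a live host, and `demo` builds a throwaway tree with constructed files so the logic can be seen working offline; the md5sums body it uses is constructed, not a real package's.

```python
"""Check an installed binary against the md5sums its Debian package shipped.

Added example, not from the question and not rkhunter code. dpkg records,
for every installed package, one line per file in
/var/lib/dpkg/info/<package>.md5sums: '<md5 hex>  <path without leading />'.
Comparing the live file against that record tells you whether the change
rkhunter saw is simply the package version that is installed now.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional

DPKG_INFO = "/var/lib/dpkg/info"


def parse_md5sums(text: str) -> Dict[str, str]:
    """Map '/absolute/path' -> md5 hex digest from a .md5sums file body."""
    table = {}
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if sep and len(digest) == 32 and rel:
            table["/" + rel.strip()] = digest.lower()
    return table


def md5_of(path: str) -> str:
    """MD5 of a file, streamed; MD5 only because that is what dpkg records."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_path(path: str, md5sums_text: str, root: str = "") -> Optional[bool]:
    """True: file matches the record. False: differs. None: not in the record.

    `root` is prefixed to `path`, so the same check works on a mounted image
    or a test tree as well as on the live filesystem.
    """
    expected = parse_md5sums(md5sums_text).get(path)
    if expected is None:
        return None
    return md5_of(root + path) == expected


def verify_installed(path: str, package: str) -> Optional[bool]:
    """Live-host variant: take the record from the dpkg database."""
    if not os.path.isdir(DPKG_INFO):
        return None
    candidates = [os.path.join(DPKG_INFO, package + ".md5sums")]
    # Multi-Arch: same packages are stored as <package>:<arch>.md5sums
    candidates += [os.path.join(DPKG_INFO, f) for f in os.listdir(DPKG_INFO)
                   if f.startswith(package + ":") and f.endswith(".md5sums")]
    for md5file in candidates:
        if os.path.exists(md5file):
            with open(md5file) as fh:
                return verify_path(path, fh.read())
    return None


# Constructed record (not a real package's). First digest is md5("hello\n"),
# second is the md5 of an empty file.
SAMPLE_MD5SUMS = (
    "b1946ac92492d2347c6235b4d2611184  usr/sbin/sshd\n"
    "d41d8cd98f00b204e9800998ecf8427e  usr/bin/ssh\n"
)


def demo() -> Dict[str, Optional[bool]]:
    """Build a throwaway tree with constructed files and verify against the record."""
    root = tempfile.mkdtemp(prefix="dpkgcheck-")
    os.makedirs(root + "/usr/sbin")
    os.makedirs(root + "/usr/bin")
    with open(root + "/usr/sbin/sshd", "wb") as fh:
        fh.write(b"hello\n")       # matches the recorded digest
    with open(root + "/usr/bin/ssh", "wb") as fh:
        fh.write(b"tampered\n")    # record says empty file: mismatch
    return {
        "sshd": verify_path("/usr/sbin/sshd", SAMPLE_MD5SUMS, root),
        "ssh": verify_path("/usr/bin/ssh", SAMPLE_MD5SUMS, root),
        "scp": verify_path("/usr/bin/scp", SAMPLE_MD5SUMS, root),  # not recorded
    }


if __name__ == "__main__":
    print(demo())
    print("sshd", verify_installed("/usr/sbin/sshd", "openssh-server"))
    print("ssh ", verify_installed("/usr/bin/ssh", "openssh-client"))
```

On a Debian-based host `debsums -c openssh-server openssh-client` or `dpkg -V` performs the same comparison for whole packages, and `zgrep openssh /var/log/dpkg.log*` shows when the package was last installed or upgraded, which is usually the real explanation for a new hash. The caveat is that the md5sums files sit on the same disk as the binaries, so an intruder with root could rewrite both; a match rules out the ordinary case, while real assurance comes from comparing against a freshly downloaded .deb or from a scan booted off trusted media.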
1 vote, 0 answers, 163 views
What process is accessing this laptops webcam? Is it a rootkit?
Old laptop, running Minecraft for the kids. Noticed the webcam light blinking for half a second randomly. Assumed it was a Minecraft mod, nuked everything off and did a fresh Ubuntu install.

Sure enough, the webcam light started coming on randomly again on this fresh install. Nothing on it except bare-bones Ubuntu (with LXDE), Java for Minecraft and the nvidia drivers.

`ausearch` against `/dev/video0` was showing this:
----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395920.450:4111): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.450:4111): cwd="/"
type=SYSCALL msg=audit(1569395920.450:4111): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe354c0f20 a2=0 a3=0 items=1 ppid=4586 pid=4594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395920.454:4112): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.454:4112): cwd="/"
type=SYSCALL msg=audit(1569395920.454:4112): arch=c000003e syscall=191 success=no exit=-61 a0=5575798fd820 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4586 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=CONFIG_CHANGE msg=audit(1569395920.418:4109): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:18:48 2019
type=CONFIG_CHANGE msg=audit(1569395928.358:4115): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=CONFIG_CHANGE msg=audit(1569395955.686:4267): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395955.738:4269): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.738:4269): cwd="/"
type=SYSCALL msg=audit(1569395955.738:4269): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe60335f20 a2=0 a3=0 items=1 ppid=4673 pid=4681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395955.750:4270): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.750:4270): cwd="/"
type=SYSCALL msg=audit(1569395955.750:4270): arch=c000003e syscall=191 success=no exit=-61 a0=55757990d960 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:19:18 2019
type=CONFIG_CHANGE msg=audit(1569395958.534:4273): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395966.278:4344): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.278:4344): cwd="/"
type=SYSCALL msg=audit(1569395966.278:4344): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffedb72bf20 a2=0 a3=0 items=1 ppid=4712 pid=4721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395966.298:4345): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.298:4345): cwd="/"
type=SYSCALL msg=audit(1569395966.298:4345): arch=c000003e syscall=191 success=no exit=-61 a0=557579915450 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
Of interest is the proctitle alternating between 2F6C69622F756465762F76346C5F6964002F6465762F766964656F30 and /lib/systemd/systemd-udevd.
Here are some more timestamps, showing the somewhat random access:
grep -B1 proctitle /tmp/ausearch-output.txt
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.897:65): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.909:66): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.676:134): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.692:135): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.921:190): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.937:193): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.545:262): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.549:263): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.215:324): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.219:325): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.219:461): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.231:462): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"
I have not yet run an offline rootkit search from a liveusb, but chkrootkit and rkhunter showed nothing in an online search.
I'm curious as to what could be causing the webcam light to blink, and what is trying to access /dev/video0.
How do I debug this further? Is this something in Ubuntu that is hunting for new devices, or is it something more sinister?
Thanks!
dtbaker
(111 rep)
Sep 25, 2019, 08:28 AM
-1
votes
1
answers
235
views
Mint 19 tcpd INFECTED sha1sum
When I use rkhunter it always shows two warnings and information about 4 possible rootkits:
Checking for suspicious (large) shared memory segments [ Warning ]
Checking for hidden files and directories [ Warning ]
File properties checks...
Files checked: 149
Suspect files: 0
Rootkit checks...
Rootkits checked : 480
Possible rootkits: 4
Applications checks...
All checks skipped
The rest is ok. Using chkrootkit I always get only one alert: tcpd INFECTED. I used:
sudo sha1sum /usr/sbin/tcpd
and the answer was:
9ee346a9400f52e16576db35c310a72af391e199 /usr/sbin/tcpd
I found out that it should be:
cd9cfc19df7f0e4b7f9adfa4fe8c5d74caa53d86 /usr/sbin/tcpd
Is it possible that my system is infected? I have Linux Mint 19 MATE.
Daniel
(1 rep)
Feb 15, 2019, 12:47 AM
• Last activity: Feb 15, 2019, 09:53 AM
1
votes
0
answers
1376
views
What is "invalid argument" by a rootkit check?
I thought I should run a rootkit in connection to the recent Debian apt vulnerability, which I think I have fixed though. I used chkrootkit and get these two lines, which I'm not sure what to do with:
Checking `lkm'... find: ‘/proc/7952/task/7952/net’: Invalid argument
find: ‘/proc/7952/net’: Invalid argument
They stand out in the otherwise clean listing.
user147505
Jan 26, 2019, 04:44 PM
• Last activity: Jan 26, 2019, 05:17 PM
2
votes
1
answers
3928
views
Chkrootkit found a lot of suspicious files and directories, and /sbin/init INFECTED
I was just running chkrootkit on my Fedora 20 x86_64. Here are some dubious results. Anyone know if these are false positives?
Do I have a compromised system?
Here are the suspect files and directories:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libgcrypt.so.11.hmac
/usr/lib/python2.7/site-packages/martian/testswithbogusmodules/.bogussubpackage
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python2.7/site-packages/pylons/docs/en/.gitignore
/usr/lib/python2.7/site-packages/pylons/templates/default_project/+package+/templates/.distutils_placeholder
/usr/lib/python2.7/site-packages/pylons/templates/minimal_project/+package+/templates/.distutils_placeholder
/usr/lib/.libssl.so.1.0.1e.hmac
/usr/lib/.libcrypto.so.1.0.1e.hmac
/usr/lib/.libssl.so.10.hmac
/usr/lib/debug/.build-id
/usr/lib/debug/usr/.dwz
/usr/lib/debug/.dwz
/usr/lib/mono/xbuild-frameworks/.NETFramework
/usr/lib/.libcrypto.so.10.hmac
/usr/lib/python2.7/site-packages/martian/tests/withbogusmodules/.bogussubpackage
/usr/lib/debug/.build-id
/usr/lib/debug/.dwz
/usr/lib/mono/xbuild-frameworks/.NETFramework
------------
And then there was this:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
------------
Finally:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 1631 tty1 /usr/bin/X :0 vt1 -background none -nolisten tcp -seat seat0 -auth /var/run/kdm/A:0-EiPPra
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
somethingSomething
(6209 rep)
Sep 3, 2014, 12:21 PM
• Last activity: May 3, 2018, 10:33 AM
3
votes
2
answers
1236
views
Chkrootkit warning about infected port 600
I run the Tiger Automatic Auditor on my Debian Linux system, and recently got emailed the following:
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
OLD: --ALERT-- [rootkit005a] Chkrootkit has found a file which seems to be infected because of a rootkit
OLD: --ALERT-- [rootkit009a] A rootkit seems to be installed in the system
OLD: INFECTED (PORTS: 600)
I immediately ran chkrootkit manually, and didn't see any warnings or unusual results. How can I tell whether this was a false positive?
jrdioko
(860 rep)
Aug 31, 2011, 09:37 PM
• Last activity: Feb 26, 2018, 10:03 PM
1
votes
1
answers
2353
views
How to treat supposed chkrootkit false positive
I installed chkrootkit with `apt-install` in a freshly installed Ubuntu server 16.04.3. chkrootkit found suspicious files and directories after first run:
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/lib/modules/4.4.0-87-generic/vdso/.build-id
/lib/modules/4.4.0-96-generic/vdso/.build-id
/lib/modules/4.4.0-87-generic/vdso/.build-id
/lib/modules/4.4.0-96-generic/vdso/.build-id
I noticed that three years ago another user at stackexchange found the same false positives and posted "Chkrootkit found a lot of suspicious files and directories, and /sbin/init INFECTED".
In FAQ number 8 at the chkrootkit official website it is stated that they cannot whitelist false positives because an attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
What do you suggest to do with this long list of files and directories? How can I check that they are false positives? If they are false positives, is there any way to compare these files against their original content (as with packages using `dpkg -V`)?
Asarluhi
(337 rep)
Sep 27, 2017, 11:27 AM
• Last activity: Nov 6, 2017, 11:09 AM
0
votes
2
answers
550
views
Better latest version or the package for rkhunter and chkrootkit?
The `rkhunter` version of the Ubuntu package is currently `1.4.0`, while the installer is version `1.4.4`.
The repo version of `chkrootkit` is `0.49`, while its installer is `0.52`.
Since security is a major concern for servers, what would be the best choice: install the latest version or my distribution's package, even if outdated?
Asarluhi
(337 rep)
Sep 16, 2017, 12:36 PM
• Last activity: Sep 16, 2017, 01:03 PM
0
votes
3
answers
856
views
chkrootkit throws Signal 13 when searching through /var/tmp
On my debian squeeze server in the chkrootkit log I get loads of these errors:
/usr/bin/find: Prozeß "head" wurde durch das Signal 13 abgebrochen.
/usr/bin/find: Prozeß "head" wurde durch das Signal 13 abgebrochen.
which means "head terminated by signal 13".
A google search gives a lot of the same problems, but no solution.
It comes from these lines in /usr/sbin/chkrootkit (the backticks of the command substitutions, which the original post lost in rendering, are restored here):
    if [ `echo abc | head -n 1` = "abc" ]; then
       fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n 1 {} \; | $egrep '#!.*php' 2> /dev/null`"
    else
       fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep '#!.*php' 2> /dev/null`"
    fi
When I enter directly as root:
    /usr/bin/find /var/tmp -type f -exec head -1 {} \; | grep php 2> /dev/null;date
I get the same errors. egrep instead makes no difference.
rubo77
(30435 rep)
Aug 15, 2013, 01:47 PM
• Last activity: Nov 4, 2016, 06:39 AM
1
votes
1
answers
2071
views
How to install a shared library in Linux
As part of my research work I have to study a rootkit. So I downloaded [ncom][1] rootkit and tried installing. It didn't have any installation files. [1]: http://packetstormsecurity.org/files/99782/Ncom-Libcall-Hijacking-Rootkit.html
user3539
(4458 rep)
May 5, 2011, 04:08 AM
• Last activity: Oct 4, 2016, 10:28 AM
0
votes
6
answers
4524
views
Linux Mint: I'm infected with a rootkit
I tried logging in to my admin account and it said password incorrect. There is no way it could have been incorrect since I copy-pasted it from a usb drive. I reset my password, installed chkrootkit and found out that I've been infected with a rootkit. So what do I do, just delete the files chkrootkit reported? Here is the terminal output:
user1@user1-linux ~ $ sudo chkrootkit
[sudo] password for username:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not found
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path /lib/modules/3.19.0-32-generic/vdso/.build-id
/lib/modules/3.19.0-32-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user user2 deleted or never logged from lastlog!
user user1 deleted or never logged from lastlog!
user user3 deleted or never logged from lastlog!
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! rasmus 2650 pts/0 /usr/bin/xflux -l 60° -k 3400 -nofork
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
Sorry about the messed up formatting, I don't know how to get it to display properly. Anyways, these files are infected:
The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path /lib/modules/3.19.0-32-generic/vdso/.build-id
/lib/modules/3.19.0-32-generic/vdso/.build-id
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
I also changed the firewalls settings so that it logs any suspicious action. I'm on Windows right now; I hope it can't spread to my Windows partition?
EDIT: I'm using Linux Mint as my personal OS so no networks are affected. I'll just wipe the drive.
What's my name
(115 rep)
Mar 7, 2016, 06:06 PM
• Last activity: Mar 8, 2016, 08:10 AM
2
votes
1
answers
782
views
Verifying Debian/Ubuntu packages integrity when booting from a read-only DVD?
Is there an easy way to boot a Debian-based Linux system from a read-only medium (say a Live Linux read-only DVD) and then use Debian's .deb checksums / signatures (?) to verify that the files installed do indeed come from properly signed Debian packages?
In other words: is it possible to boot a system from a known clean Live CD and then use Debian's package format as a "poor man's intrusion detection system"?
If so, how should I go about it?
user57725
(123 rep)
Feb 16, 2014, 12:34 PM
• Last activity: Oct 31, 2015, 11:33 PM