Need help checking if my system got "infected"

GNUser
Joined: 07/17/2013

Hey,

In light of the fact that for some time I went without security updates, I decided to check my system with rkhunter and chkrootkit, which I know have always been known to deliver some "false positives" that usually need further inspection. For that reason I am asking for help from other people here who can maybe run these tests and help compare results, or even speak from their experience.

I got these results:

sudo rkhunter --check | grep Warning

/usr/bin/lwp-request [ Warning ]
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
System checks summary
=====================
File properties checks...
Files checked: 148
Suspect files: 1
Rootkit checks...
Rootkits checked : 364
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 43 seconds

As for chkrootkit

sudo chkrootkit

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.8.0-op$
/lib/modules/4.4.0-141-generic/vdso/.build-id /lib/modules/4.4.0-143-generic/vdso/.build-id /lib/modules/4.4.0-142-generic/vdso/.build-id

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

SO..... Does anyone else get these warnings on their Trisquel 8 machine? What should be my next step? Any help is greatly appreciated.

GNUser
Joined: 07/17/2013

OK, so using the help from this site https://www.dedoimedo.com/computers/chkrootkit-ebury-false-positive.html
I ran
$ locate libns2.so
Didn't output anything.

$ sudo netstat -nap | grep "@/proc/udevd"
Didn't output anything.

I couldn't run the first command, so I am unsure as to the filesize mentioned. However, I do have chkrootkit version 0.50 installed (default in Trisquel 8) so it might be the issue.

Still, would like to have other people's test results to compare.

Thanks.
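The two posts above do the triage by hand: read the "suspicious files and dirs" paragraph chkrootkit prints, decide which dot-files are ordinary package content, and then apply the two Ebury checks from the linked write-up (no libns2.so on disk, no "@/proc/udevd" socket in netstat output). The script below is an added example, not code from the thread or from chkrootkit, that automates that triage. Its benign-path patterns are an assumption drawn only from the paths posted in this thread, and the netstat text and file lists it consumes are passed in so the same functions can be fed constructed input.

```python
"""Triage helper for chkrootkit output (added example, not from the thread).

It parses the 'suspicious files and dirs' paragraph chkrootkit prints,
separates paths matching patterns this thread shows as ordinary package
content from anything that still needs a look, and applies the two Ebury
indicators the linked write-up uses. Typical use on a real system:

    sudo chkrootkit > /tmp/chk.txt; sudo netstat -nap > /tmp/net.txt
    python3 triage.py /tmp/chk.txt /tmp/net.txt
"""
import re
import sys
from pathlib import Path

# Dot-files that are normal package content on the Trisquel 8 systems in this
# thread. ASSUMPTION: derived from the posted output, not a chkrootkit list.
BENIGN_PATTERNS = [
    re.compile(r"^/lib/modules/[^/]+/vdso/\.build-id$"),
    re.compile(r"^/usr/lib/debug/\.build-id$"),
    re.compile(r"^/usr/lib/python[23](\.\d+)?/dist-packages/PyQt[45]/uic/widget-plugins/\.noinit$"),
    re.compile(r"^/usr/lib/jvm/\.java-[^/]+\.jinfo$"),
    re.compile(r"^/usr/lib/python3/dist-packages/fail2ban/tests/files/.*/\.ht(access|passwd)$"),
]

HEADER = "The following suspicious files and directories were found:"

# Constructed sample in the shape of the first post's output (note the '$'
# truncation a narrow terminal produces and one path outside every pattern).
SAMPLE_CHKROOTKIT = """Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.8.0-op$
/lib/modules/4.4.0-141-generic/vdso/.build-id /tmp/.hidden_thing

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
"""


def parse_suspicious_paths(output):
    """Return the paths listed after chkrootkit's 'suspicious files' header.

    They are space-separated across one or more lines; the list ends at the
    next blank line or the next 'Searching for' line.
    """
    paths, collecting = [], False
    for line in output.splitlines():
        if HEADER in line:
            collecting = True
            line = line.split(HEADER, 1)[1]
        elif collecting and (not line.strip() or line.startswith("Searching for")):
            break
        if collecting:
            paths.extend(tok for tok in line.split() if tok.startswith("/"))
    return paths


def classify(paths):
    """Split paths into (benign, needs_review) using BENIGN_PATTERNS.

    Entries cut off with a trailing '$' cannot be matched reliably and are
    always sent to review; rerun chkrootkit in a wide terminal to see them.
    """
    benign, review = [], []
    for p in paths:
        if not p.endswith("$") and any(rx.match(p) for rx in BENIGN_PATTERNS):
            benign.append(p)
        else:
            review.append(p)
    return benign, review


def find_libraries(lib_dirs=("/lib", "/lib64", "/usr/lib"), name="libns2.so*"):
    """List files matching `name` under the given directories (missing dirs skipped)."""
    hits = []
    for d in lib_dirs:
        if Path(d).is_dir():
            hits.extend(str(p) for p in Path(d).rglob(name))
    return sorted(hits)


def ebury_indicators(netstat_output, library_files):
    """Apply the two checks the linked write-up uses for the Ebury warning.

    netstat_output is the text of `netstat -nap`; library_files is the result
    of find_libraries(). Neither indicator present means the chkrootkit 0.50
    warning is the known false positive rather than evidence of Ebury.
    """
    socket_hit = any("@/proc/udevd" in line for line in netstat_output.splitlines())
    lib_hit = len(library_files) > 0
    return {"udevd_socket": socket_hit, "libns2_present": lib_hit,
            "likely_false_positive": not (socket_hit or lib_hit)}


if __name__ == "__main__":
    chk = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CHKROOTKIT
    net = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else ""
    benign, review = classify(parse_suspicious_paths(chk))
    print("known package content:", *benign, sep="\n  ")
    print("still to check (try `dpkg -S <path>`):", *review, sep="\n  ")
    print("Ebury indicators:", ebury_indicators(net, find_libraries()))
```

Paths left in the review list are best confirmed with `dpkg -S <path>`: a path owned by an installed package is the same kind of benign entry the thread's replies show, while an unowned dot-file in a world-writable location is the case worth following up.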

Magic Banana

Joined: 07/24/2010

$ sudo chkrootkit
(...)
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo /usr/lib/debug/.build-id /lib/modules/4.4.0-142-generic/vdso/.build-id /lib/modules/4.4.0-143-generic/vdso/.build-id /lib/modules/4.4.0-141-generic/vdso/.build-id /lib/modules/4.4.0-138-generic/vdso/.build-id
(...)
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
(...)

GNUser
Joined: 07/17/2013

Thanks.
You also got the Windigo warning thing. That was the one that made me worry the most. However, from what I read in that link above, it seems to be OK.

As for "suspect files", you got even more warnings than me, though. Anything that you didn't expect or got worried about?

Thanks once again.

P.S.: Is it possible to remove SSH access from my Trisquel installation, since I never use it, so it can never be used by an attacker?

Thanks.

loldier
Joined: 02/17/2016

Remove openssh-server.

GNUser
Joined: 07/17/2013

Trisquel doesn't have openssh-server installed by default, I think. I don't have it anyway. But is that enough? I mean... the warning seems a lot less threatening if that's all I have to do :P