| Summary: | chkrootkit reports false positive with Ebury/Windigo | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Curtis Hildebrand <curtis_mageia> |
| Component: | RPM Packages | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED OLD | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | marja11 |
| Version: | Cauldron | Keywords: | UPSTREAM |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | chkrootkit-0.50-8.mga6.src.rpm | CVE: | |
| Status comment: | | | |
---

Comment #1 (Marja van Waes):

(In reply to Curtis Hildebrand from comment #0)

I kept getting confused over this line

> But our version of ssh uses -G, so we see the "Possible..." message.

It only makes sense to me if I replace that with:

But our version of _chkrootkit_ uses "ssh -G", so we see the "Possible..." message.

Which might imply there's a setting for chkrootkit that can be changed while packaging.

Assigning to maintainer.

@ Curtis

If my interpretation of that line is wrong, then please say so!

CC: (none) => marja11

---

Comment #2 (Shlomi Fish):

This happens with the upstream chkrootkit as well (built from vanilla source) and should be reported there.

Status: NEW => ASSIGNED

---

Comment #3 (Curtis Hildebrand):

(In reply to Marja van Waes from comment #1)
> (In reply to Curtis Hildebrand from comment #0)
>
> I kept getting confused over this line
>
> > But our version of ssh uses -G, so we see the "Possible..." message.
>
> It only makes sense to me if I replace that with:
>
> But our version of _chkrootkit_ uses "ssh -G", so we see the "Possible..."
> message.

Nope. chkrootkit detects Ebury by testing the output of ssh with an invalid option. They based it off of an old version of ssh (before 6.8 IIRC) which didn't use -G. Our version of ssh (7.1) uses -G as a valid option. Seems like a primitive test, but I guess it worked for old versions of ssh (and Ebury).

You're right that it's an upstream problem, but it gave me a bit of a shock so I thought I'd report it for other users.

Status: ASSIGNED => NEW

---

Curtis Hildebrand
2016-02-08 02:36:35 CET

Status: NEW => ASSIGNED

---

(In reply to Shlomi Fish from comment #2)
> This happens with the upstream chkrootkit as well (built from vanilla
> source) and should be reported there.

(In reply to Curtis Hildebrand from comment #3)
>
> You're right that it's an upstream problem, but it gave me a bit of a shock
> so I thought I'd report it for other users.

Thanks :-)

Well it's half a decade later, so I assume upstream has fixed it, or all users got used to it. Closing

Status: ASSIGNED => RESOLVED
---

Description of problem:

I had a little shock when I checked my chkrootkit output and saw:

    Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

After looking into it, I'm sure this is a false positive. chkrootkit uses the command:

```sh
if ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
    echo "Possible Linux/Ebury - Operation Windigo installetd"
fi
```

IOW, if the ssh -G option isn't implemented, stderr outputs "unknown option" or "illegal option" and chkrootkit thinks all is good. But our version of ssh uses -G, so we see the "Possible..." message.

All other tests on my system I tried were clear.

For more info, see:

http://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/
http://www.welivesecurity.com/2014/04/10/windigo-not-windigone-linux-ebury-updated/
https://www.cert-bund.de/ebury-faq
http://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/

Reproducible:

Steps to Reproduce:
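The check quoted in the report treats any `ssh -G` output that lacks an "illegal/unknown option" message as a possible Ebury infection, which is exactly what fires on an OpenSSH build that documents -G. The script below is an added example, not chkrootkit's code and not from the report: it keeps the "option rejected" case as clean, adds a separate verdict for an ssh whose usage banner lists G among its single-letter flags (so the -G test is known to be inconclusive on that build rather than a detection), and only flags output that fits neither. The usage-banner pattern (`usage: ssh [-...]`) and the three sample outputs are assumptions constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or of this bug report.
# chkrootkit 0.50 reads "no 'illegal/unknown option' message from ssh -G" as
# "possible Ebury". This version distinguishes why ssh did not reject -G.

# classify_ssh_g OUTPUT
#   OUTPUT is the combined stdout+stderr of `ssh -G` run without a host name.
# Prints one word:
#   clean       ssh rejected -G (the pre-6.8 behaviour chkrootkit 0.50 expects)
#   supports-G  ssh lists G among the single-letter flags of its usage banner,
#               i.e. -G is a documented option of this build (assumption: the
#               banner starts with "usage: ssh [-...]", as OpenSSH prints it)
#   suspicious  -G was neither rejected nor advertised; inspect the binary
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean
    elif printf '%s\n' "$1" | grep -q -E '^usage: ssh \[-[^]]*G[^]]*]'; then
        echo supports-G
    else
        echo suspicious
    fi
}

# Constructed sample outputs (not captured from a real system): what an ssh
# without -G says, what an ssh that documents -G says, and output matching neither.
OLD_SSH_OUTPUT='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
NEW_SSH_OUTPUT='usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
ODD_OUTPUT='ssh: connection setup failed'

# run_ebury_check: live version of the chkrootkit test with the extra case.
# Returns 1 only for the "suspicious" verdict.
run_ebury_check() {
    verdict=$(classify_ssh_g "$(ssh -G 2>&1)")
    case $verdict in
        clean)      echo "nothing found" ;;
        supports-G) echo "ssh documents -G; the -G test cannot distinguish Ebury on this build" ;;
        *)          echo "Possible Linux/Ebury - Operation Windigo (ssh -G neither rejected nor documented)"
                    return 1 ;;
    esac
}

# Only run the real ssh when asked to, so the classifier can be exercised offline.
if [ "${1:-}" = "--live" ]; then
    run_ebury_check
fi
```

Running the script with `--live` performs the check against the local `ssh`; without arguments it only defines the classifier, which can be fed captured output for triage. The "supports-G" verdict is deliberately not a clean bill of health: it states that this particular probe cannot tell an Ebury-patched sshd from a legitimate newer OpenSSH, so the other indicators listed in the linked ESET and CERT-Bund write-ups are still needed.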