Description of problem:
I had a little shock when I checked my chkrootkit output and saw:

    Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

After looking into it, I'm sure this is a false positive. chkrootkit uses the command:

    if ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
        if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
    else
        echo "Possible Linux/Ebury - Operation Windigo installetd"
    fi

IOW, if the ssh -G option isn't implemented, stderr outputs "unknown option" or "illegal option" and chkrootkit thinks all is good. But our version of ssh uses -G, so we see the "Possible..." message. All other tests on my system I tried were clear.

For more info, see:
http://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/
http://www.welivesecurity.com/2014/04/10/windigo-not-windigone-linux-ebury-updated/
https://www.cert-bund.de/ebury-faq
http://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/

Reproducible:

Steps to Reproduce:
(In reply to Curtis Hildebrand from comment #0) I kept getting confused over this line > But our version of ssh uses -G, so we see the "Possible..." message. It only makes sense to me if I replace that with: But our version of _chkrootkit_ uses "ssh -G", so we see the "Possible..." message. Which might imply there's a setting for chkrootkit that can be changed while packaging. Assigning to maintainer. @ Curtis If my interpretation of that line is wrong, then please say so!
CC: (none) => marja11
Assignee: bugsquad => shlomif
This happens with the upstream chkrootkit as well (built from vanilla source) and should be reported there.
Status: NEW => ASSIGNED
(In reply to Marja van Waes from comment #1)
> (In reply to Curtis Hildebrand from comment #0)
> I kept getting confused over this line
> > But our version of ssh uses -G, so we see the "Possible..." message.
> It only makes sense to me if I replace that with:
> But our version of _chkrootkit_ uses "ssh -G", so we see the "Possible..." message.

Nope. chkrootkit detects Ebury by testing the output of ssh with an invalid option. They based it off of an old version of ssh (before 6.8 IIRC) which didn't use -G. Our version of ssh (7.1) uses -G as a valid option. Seems like a primitive test, but I guess it worked for old versions of ssh (and Ebury).

You're right that it's an upstream problem, but it gave me a bit of a shock so I thought I'd report it for other users.
Status: ASSIGNED => NEW
Keywords: (none) => UPSTREAM
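The invalid-option heuristic discussed above, as an added example that is not part of this bug thread or of chkrootkit itself: the chkrootkit-style check beside a version-aware variant that only treats a working "ssh -G" as a signal when the binary claims to be older than OpenSSH 6.8, exercised against constructed stand-ins for ssh (fake_ssh_old, fake_ssh_new and fake_ssh_tampered are assumed names, not real binaries).

```shell
# Added example, not chkrootkit's own code: the Ebury heuristic (is "ssh -G"
# rejected as an illegal/unknown option?) plus a version-aware variant that
# stops flagging OpenSSH >= 6.8, where -G is a documented option.

# chkrootkit-style test; $1 = command to run as ssh. Exit 0 when -G is
# rejected, which is the case chkrootkit reports as "nothing found".
ebury_naive_check() {
    "${1:-ssh}" -G 2>&1 | grep -e illegal -e unknow >/dev/null
}

# "X.Y" from an "ssh -V" banner such as "OpenSSH_7.1p2, ..."; empty otherwise.
openssh_version() {
    "${1:-ssh}" -V 2>&1 | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints "clean" or "suspicious". A working -G is only a signal when the
# binary claims to be older than 6.8 (or is not OpenSSH at all).
ebury_check() {
    ssh_cmd=${1:-ssh}
    if ebury_naive_check "$ssh_cmd"; then echo clean; return 0; fi
    ver=$(openssh_version "$ssh_cmd")
    if [ -z "$ver" ]; then echo suspicious; return 0; fi
    major=${ver%%.*}; minor=${ver#*.}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo clean
    else
        echo suspicious
    fi
}

# Constructed stand-ins for ssh so the logic runs offline; shell functions are
# invoked through "$ssh_cmd" exactly like a binary would be.
fake_ssh_old() {      # OpenSSH 6.7: -G does not exist yet
    case "$1" in -V) echo "OpenSSH_6.7p1, OpenSSL 1.0.1f" >&2 ;;
                 -G) echo "ssh: illegal option -- G" >&2 ;; esac
}
fake_ssh_new() {      # OpenSSH 7.1: -G dumps the effective configuration
    case "$1" in -V) echo "OpenSSH_7.1p2, OpenSSL 1.0.2e" >&2 ;;
                 -G) echo "port 22" ;; esac
}
fake_ssh_tampered() { # claims 6.7 yet accepts -G: the pattern worth a look
    case "$1" in -V) echo "OpenSSH_6.7p1, OpenSSL 1.0.1f" >&2 ;;
                 -G) echo "port 22" ;; esac
}

for s in fake_ssh_old fake_ssh_new fake_ssh_tampered; do
    printf '%-17s %s\n' "$s" "$(ebury_check "$s")"
done
```

Pass a real ssh path as the first argument to run the check against an installed binary; the version gate only reduces the false positive on modern OpenSSH, it does not make the heuristic a substitute for the file-integrity checks in the linked advisories.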
(In reply to Shlomi Fish from comment #2)
> This happens with the upstream chkrootkit as well (built from vanilla
> source) and should be reported there.

(In reply to Curtis Hildebrand from comment #3)
> You're right that it's an upstream problem, but it gave me a bit of a shock
> so I thought I'd report it for other users.

Thanks :-)

Well, it's half a decade later, so I assume upstream has fixed it, or all users got used to it. Closing.
Status: ASSIGNED => RESOLVED
Resolution: (none) => OLD
Assignee: shlomif => bugsquad