On Wednesday, 27 February 2019 13:47:31 GMT Peter Humphrey wrote:
> On Wednesday, 27 February 2019 12:27:59 GMT Mick wrote:
> > I noticed this beauty popping up a day ago:
> >
> > Rootkit checks...
> >
> > Rootkits checked : 498
> > Possible rootkits: 1
> > Rootkit names : xorddos component
> >
> > Fair enough, the log reported a suspect file:
> >
> > ====================================
> > Checking for file '/var/run/sftp.pid' [ Not found ]
> > Checking for file '/var/run/udev.pid' [ Warning ] <==This one
> > Checking for file '/var/run/mount.pid' [ Not found ]
> > [snip ...]
> >
> > Warning: Checking for possible rootkit files and directories [ Warning ]
> > Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
> >
> > ===================================================================
> >
> > I think it is a false positive, because none of the files mentioned in the
> > interwebs[1] are seen lurking in my system, but I thought it wiser to check
> > further.
> >
> > [1] <http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/>
> >
> > The rkhunter report of this xorddos component seems to have arrived with:
> > sys-fs/udev-init-scripts-33
> >
> > or
> >
> > sys-apps/dbus-1.12.12-r1
> >
> > Could it be these versions are now launching /run/udev.pid? Is a file
> > /run/udev.pid present in your system?
>
> Yes, I have such a text file, containing just a PID.

Thanks for this. At least I know it is not just me and mine.

> > In any case, the file merely contains the PID number of
> > /lib/systemd/systemd-udevd, rather than an ELF binary and /etc/init.d/
> > does not contain anything suspicious. However, with armies generating
> > variants of every conceivable malware I don't know if it pays to be a bit
> > paranoid about this.
>
> They really are out to get us...

:-)

--
Regards,
Mick
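The triage Mick describes (the flagged file holds only the PID of systemd-udevd, not an ELF binary) can be scripted so it is repeatable the next time rkhunter fires on a pidfile. The script below is an added example written for this thread; it is not part of rkhunter or of either poster's mail. It assumes a Linux host with /proc mounted and that /var/run is the usual symlink to /run; the function names and the sample file names are the example's own.

```shell
#!/bin/sh
# Triage a pidfile that rkhunter flagged as a possible rootkit component.
# A legitimate pidfile is a few ASCII digits naming a live process; a
# dropped rootkit component would be an ELF binary or other non-numeric
# content. /var/run/udev.pid is normally /run/udev.pid via the /var/run
# symlink (assumption about the host layout, see the lead-in).

# Returns 0 if the file consists solely of a PID (digits plus an
# optional trailing newline), 1 otherwise.
pidfile_is_plain_pid() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    # tr strips CR/LF; the regex then requires 1-7 digits and nothing else
    tr -d '\r\n' < "$pidfile" | grep -Eq '^[0-9]{1,7}$'
}

# Returns 0 if the file starts with the ELF magic bytes 0x7f 'E' 'L' 'F'.
file_is_elf() {
    # od prints the first four bytes as hex; strip od's spacing
    [ "$(od -A n -t x1 -N 4 "$1" | tr -d ' ')" = "7f454c46" ]
}

# Prints the executable behind the PID stored in the file (via
# /proc/PID/exe) and returns 0; returns 1 if no such process exists.
pidfile_owner_exe() {
    pid=$(tr -d '\r\n' < "$1")
    if [ ! -d "/proc/$pid" ]; then
        echo "no process with pid $pid"
        return 1
    fi
    # readlink needs privileges for other users' processes; say so
    readlink "/proc/$pid/exe" 2>/dev/null || echo "unreadable (need root?)"
}

# Verdict for one file: 0 = looks like a benign live pidfile,
# 1 = ELF content, non-numeric content, or a stale PID; inspect by hand.
triage_pidfile() {
    f=$1
    if file_is_elf "$f"; then
        echo "$f: ELF binary in a pidfile location -> suspicious"
        return 1
    fi
    if ! pidfile_is_plain_pid "$f"; then
        echo "$f: content is not a bare PID -> inspect manually"
        return 1
    fi
    owner=$(pidfile_owner_exe "$f") || {
        echo "$f: $owner -> stale or fabricated pidfile, inspect manually"
        return 1
    }
    echo "$f: pid $(tr -d '\r\n' < "$f") -> $owner"
    return 0
}

# Stand-alone usage: run against the file rkhunter complained about.
if [ -f /run/udev.pid ]; then
    triage_pidfile /run/udev.pid
fi
```

On the poster's system the expected verdict is a line ending in /lib/systemd/systemd-udevd (or wherever the distribution installs udevd); an ELF hit, non-numeric content, or a PID that is not running is the point at which the rkhunter warning deserves a real look rather than a whitelist entry.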