I noticed this beauty popping up a day ago:

Rootkit checks...
Rootkits checked : 498
Possible rootkits: 1
Rootkit names : xorddos component

Fair enough, the log reported a suspect file:

====================================
Checking for file '/var/run/sftp.pid' [ Not found ]
Checking for file '/var/run/udev.pid' [ Warning ] <== This one
Checking for file '/var/run/mount.pid' [ Not found ]
[snip ...]

Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

===================================================================

I think it is a false positive, because none of the files mentioned in the
interwebs[1] are seen lurking in my system, but I thought it wiser to check
further.

[1] http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

The rkhunter report of this xorddos component seems to have arrived with:

sys-fs/udev-init-scripts-33

or

sys-apps/dbus-1.12.12-r1

Could it be these versions are now launching /run/udev.pid? Is a file
/run/udev.pid present in your system?

In any case, the file merely contains the PID number of
/lib/systemd/systemd-udevd, rather than an ELF binary, and /etc/init.d/ does
not contain anything suspicious. However, with armies generating variants of
every conceivable malware I don't know if it pays to be a bit paranoid about
this.

-- 
Regards,
Mick
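The check Mick did by hand (is the flagged file a PID pointing at systemd-udevd, or a dropped binary?) can be scripted so it is repeatable the next time rkhunter fires on a pid file. The script below is an added example, not part of the original message and not rkhunter's own code. The expected binary path /lib/systemd/systemd-udevd comes from the post; the fixture directory, the PID 4242 and the file names it creates are constructed for the demonstration. Rootkit file checks in rkhunter match on the *name* of the file, which is exactly why a benign pid file can collide with a name on the xorddos list; the script therefore ignores the name and classifies the file by its content and by what the PID inside it is actually running.

```shell
#!/bin/sh
# Triage a pid file that rkhunter has flagged as a possible rootkit component.
# Added example, not part of the original message or of rkhunter.
# Prints exactly one of:
#   pid:<n>:<exe>   file holds a single PID and <proc>/<n>/exe resolves to <exe>
#   pid:<n>:-       file holds a PID but no such process exists (stale pid file)
#   elf             file starts with the ELF magic (what a dropped binary looks like)
#   other           neither; look at it by hand
#   missing         no such file
# The optional second argument is the proc root, so the logic can be exercised
# against a fake /proc built by make_fixture below.
triage_pidfile() {
    f=$1
    proc=${2:-/proc}
    [ -f "$f" ] || { echo missing; return 0; }

    # ELF files begin with 0x7f 'E' 'L' 'F'; read the first four bytes as hex.
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo elf
        return 0
    fi

    # A genuine pid file is tiny and holds only digits plus a trailing newline.
    size=$(wc -c < "$f" | tr -d ' ')
    content=$(head -c 64 "$f" | tr -d '[:space:]')
    case $content in
        '' | *[!0-9]*) echo other; return 0 ;;
    esac
    if [ "$size" -gt 16 ]; then
        echo other
        return 0
    fi

    # Resolve the PID to the binary it is running. readlink without -f keeps the
    # link text even when the target does not exist in this filesystem (fake /proc).
    exe=$(readlink "$proc/$content/exe" 2>/dev/null || true)
    echo "pid:$content:${exe:--}"
}

# Constructed fixture (not taken from the original post): a fake /proc in which
# PID 4242 is systemd-udevd, plus a benign pid file, a stale one, a file that
# starts with the ELF magic, and a plain text file.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/4242"
    ln -s /lib/systemd/systemd-udevd "$d/proc/4242/exe"
    printf '4242\n'  > "$d/udev.pid"
    printf '99999\n' > "$d/stale.pid"
    printf '\177ELF\002\001\001' > "$d/dropped"
    printf 'hello\n' > "$d/notes"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    # Real use on a live box: sh triage_pidfile.sh /run/udev.pid
    triage_pidfile "$1"
else
    d=$(make_fixture)
    for name in udev.pid stale.pid dropped notes absent; do
        printf '%-10s -> %s\n' "$name" "$(triage_pidfile "$d/$name" "$d/proc")"
    done
    rm -rf "$d"
fi
```

On the live system the same three facts can be checked by hand with `cat /run/udev.pid`, `readlink /proc/$(cat /run/udev.pid)/exe` and `file /run/udev.pid`; a result of `pid:<n>:/lib/systemd/systemd-udevd` is the benign case Mick describes, while `elf` or a PID whose exe is something unexpected is the case worth escalating. Once a specific path has been confirmed benign it can be excluded from the rootkit file check through the whitelist option in rkhunter.conf (RTKT_FILE_WHITELIST in current releases; confirm the spelling against the comments in the installed rkhunter.conf), which is cleaner than ignoring the warning every run.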