Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] rkhunter reports xorddos component
Date: Wed, 27 Feb 2019 12:28:25
Message-Id: 1813413.zpEh7hltbW@dell_xps
I noticed this beauty popping up a day ago:

Rootkit checks...
    Rootkits checked : 498
    Possible rootkits: 1
    Rootkit names    : xorddos component

Fair enough, the log reported a suspect file:

====================================
Checking for file '/var/run/sftp.pid'         [ Not found ]
Checking for file '/var/run/udev.pid'         [ Warning ]    <==This one
Checking for file '/var/run/mount.pid'        [ Not found ]
[snip ...]

Warning: Checking for possible rootkit files and directories [ Warning ]
Found file '/var/run/udev.pid'. Possible rootkit: xorddos component

===================================================================

I think it is a false positive, because none of the files mentioned in the 
interwebs[1] are seen lurking in my system, but I thought it wiser to check 
further.

[1] http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/


The rkhunter report of this xorddos component seems to have arrived with:

 sys-fs/udev-init-scripts-33

or

 sys-apps/dbus-1.12.12-r1


Could it be these versions are now launching /run/udev.pid?  Is a file 
/run/udev.pid present in your system?

In any case, the file merely contains the PID number of 
/lib/systemd/systemd-udevd, rather than an ELF binary, and /etc/init.d/ does not 
contain anything suspicious.  However, with armies generating variants of every 
conceivable malware, I don't know if it pays to be a bit paranoid about this.

-- 
Regards,
Mick
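The triage the post describes (the flagged pidfile holds a plain PID rather than an ELF binary, and that PID belongs to the expected daemon) as an added shell example; this is not code from the post or from rkhunter, and it assumes a Linux /proc filesystem (with a ps fallback) and, for the post's case, the expected command name systemd-udevd:

```shell
#!/bin/sh
# Added example: sanity-check a pidfile that a rootkit scanner flagged.
# check_pidfile PATH EXPECTED_COMM returns 0 when PATH holds a single decimal
# PID of a live process whose command name is EXPECTED_COMM, else prints the
# reason and returns 1 (ELF content, non-numeric content, stale PID, wrong name).

is_elf() {
    # ELF files start with the 4-byte magic 7f 45 4c 46 ("\x7fELF").
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

comm_of_pid() {
    # Command name of a PID: /proc on Linux, ps elsewhere (assumption: one exists).
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" | sed 's#.*/##'
    fi
}

check_pidfile() {
    pidfile=$1
    expected=$2
    [ -f "$pidfile" ] || { echo "missing: $pidfile"; return 1; }
    if is_elf "$pidfile"; then
        echo "ELF binary, not a pidfile: $pidfile"; return 1
    fi
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "non-numeric content in $pidfile"; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "stale: no process with PID $pid"; return 1; }
    comm=$(comm_of_pid "$pid")
    [ "$comm" = "$expected" ] || { echo "PID $pid is '$comm', expected '$expected'"; return 1; }
    echo "ok: $pidfile -> PID $pid ($comm)"
    return 0
}

# Usage for the case in the post: check_pidfile /run/udev.pid systemd-udevd
if [ "$#" -ge 2 ]; then
    check_pidfile "$1" "$2"
fi
```

A clean result here only rules out the specific indicator rkhunter matched on; it says nothing about other files the scanner did not list.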
