| 1 |
Mick wrote: |
| 2 |
> I noticed this beauty popping up a day ago: |
| 3 |
> |
| 4 |
> Rootkit checks... |
| 5 |
> Rootkits checked : 498 |
| 6 |
> Possible rootkits: 1 |
| 7 |
> Rootkit names : xorddos component |
| 8 |
> |
| 9 |
> Fair enough the log reported a suspect file: |
| 10 |
> |
| 11 |
> ==================================== |
| 12 |
> Checking for file '/var/run/sftp.pid' [ Not found ] |
| 13 |
> Checking for file '/var/run/udev.pid' [ Warning ] <==This one |
| 14 |
> Checking for file '/var/run/mount.pid' [ Not found ] |
| 15 |
> [snip ...] |
| 16 |
> |
| 17 |
> Warning: Checking for possible rootkit files and directories [ Warning ] |
| 18 |
> Found file '/var/run/udev.pid'. Possible rootkit: xorddos component |
| 19 |
> |
| 20 |
> =================================================================== |
| 21 |
> |
| 22 |
> I think it is a false positive, because none of the files mentioned in the |
| 23 |
> interwebs[1] are seen lurking in my system, but I thought it wiser to check |
| 24 |
> further. |
| 25 |
> |
| 26 |
> [1] http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ |
| 27 |
> |
| 28 |
> |
| 29 |
> The rkhunter report of this xorddos component seems to have arrived with: |
| 30 |
> |
| 31 |
> sys-fs/udev-init-scripts-33 |
| 32 |
> |
| 33 |
> or |
| 34 |
> |
| 35 |
> sys-apps/dbus-1.12.12-r1 |
| 36 |
> |
| 37 |
> |
| 38 |
> Could it be these versions are now launching /run/udev.pid? Is a file /run/ |
| 39 |
> udev.pid present in your system? |
| 40 |
> |
| 41 |
> In any case, the file merely contains the PID number of /lib/systemd/systemd- |
| 42 |
> udevd, rather than an ELF binary and /etc/init.d/ does not contain anything |
| 43 |
> suspicious. However, with armies generating variants of every conceivable |
| 44 |
> malware I don't know if it pays to be a bit paranoid about this. |
| 45 |
> |
| 46 |
|
| 47 |
|
| 48 |
Little info here. I don't run systemd here but I also have that file. |
| 49 |
I checked with equery b but obviously nothing owns it since it is a pid |
| 50 |
file generated when udev or something starts. This is my versions of |
| 51 |
udev, dbus and other friends: |
| 52 |
|
| 53 |
|
| 54 |
root@fireball / # equery list *udev* dbus |
| 55 |
* Searching for *udev* ... |
| 56 |
[IP-] [ ] dev-libs/libgudev-232:0/0 |
| 57 |
[IP-] [ ] sys-fs/eudev-3.2.5:0 |
| 58 |
[IP-] [ ] sys-fs/udev-init-scripts-33:0 |
| 59 |
[IP-] [ ] virtual/libgudev-232:0/0 |
| 60 |
[IP-] [ ] virtual/libudev-232:0/1 |
| 61 |
[IP-] [ ] virtual/udev-217:0 |
| 62 |
|
| 63 |
* Searching for dbus ... |
| 64 |
[IP-] [ ] sys-apps/dbus-1.10.24:0 |
| 65 |
root@fireball / # |
| 66 |
|
| 67 |
|
| 68 |
Like you, I sort of suspect a false positive but I don't know nearly |
| 69 |
enough to know for sure it is either. Maybe someone else can chime in |
| 70 |
and give more ideas. If enough people say they have it, then either |
| 71 |
someone is doing some coding on a very low level or it is a false |
| 72 |
positive. Let's hope for the later. |
| 73 |
|
| 74 |
Dale |
| 75 |
|
| 76 |
:-) :-) |
Archives