Are they false ?


Re: Are they false ?
« Reply #19 on: November 12, 2017, 10:24:19 AM »
 

trinidad

  • Platinum Level Poster
  • 1414 Posts
  • Reputation: 211
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 6.2 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
Okay friends.

I'm not going to assure someone that their computer is untouched by an incidence of ebury without being in the room with access to the particular box. I realize many here are deeply concerned with security but this thread seems to be headed as usual toward paranoia mode. To sum up again: rkhunter often returns false positives for shm files because it is aware of the newer version of ebury, and also reports obviated file paths, chkrootkit has had the bug in Debian to falsely detect ebury for some time now and is actually somewhat deprecated. I consider Linux itself to be a positive learning experience for anyone who wants to learn about it. The welivesecurity links are full of information which can direct you to the ebury files on your computer if you choose to look for them, which is the best way to be sure if the ebury infection is or is not present on your box. The hacker who invented it is in prison in the US, however newer versions now exist in the wild. It is unlikely that ebury is going away as it is still evolving, but as with all things of this type security people are also continuing to check its progress. The community nature of Linux itself makes successful zero day exploits very difficult to pull off. I cannot say that it is unlikely that a LL user could have contracted ebury, as LL is used in many different ways by many different users, and the likelihood of contracting ebury depends on user praxis. I can say that it is unlikely now that a US user with a broadband ISP (like Spectrum) could contract it unawares as their ISP would notify them, especially if they are looping ssh or samba through their connection.

TC     
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Are they false ?
« Reply #18 on: November 12, 2017, 04:21:01 AM »
 

ian_r_h

  • Merchandise Supporter
  • Forum Regular
  • 103 Posts
  • Reputation: 10
  • Linux Lite Member

  • Linux Lite: 3.6 64bit
I assumed the lwp, java and pulse-shm reports from rkhunter are false positives (I don't use chkrootkit) given that these have occurred immediately after fresh installs of LL followed by rkhunter (and --update) and before Menu/Favourites/Install Updates on 3 different boxes every time; unless my copy of LL 3.6 64bit .iso downloaded from linuxlite.com and rkhunter downloaded via apt-get from the default repo (and different mirrors) were infected to begin with.

These persist even after sudo rkhunter --propupd

Googling found no evidence that these were anything to worry about.

I can't speak as to the rest.
Don't worry about artificial intelligence.  Worry about natural stupidity.  :)
 

Re: Are they false ?
« Reply #17 on: November 11, 2017, 11:44:03 PM »
 

rokytnji

  • Friganeer
  • Platinum Level Poster
  • 1255 Posts
  • Reputation: 138

  • Linux Lite: 3.6 64bit

  • CPU: Intel Core2 Duo U9600

  • MEMORY: 4Gb

  • VIDEO CARD: Intel Mobile 4
No need for rootkit hunter install for me.

    $ groups
    harry lp uucp dialout cdrom floppy sudo audio dip video plugdev users netdev lpadmin scanner bluetooth

I already covered "users"

Wanna look for zombies?

Run

    top

Even if you see 1 or 2 zombies in the readout <it probably means nada>. I see zero on mine.
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
 

Re: Are they false ?
« Reply #16 on: November 11, 2017, 06:47:04 PM »
 

bitsnpcs

  • Platinum Level Poster
  • 3237 Posts
  • Reputation: 305
    • Try to Grow

  • Linux Lite: 3.2 64bit

  • Kernel: 4.x
@bitsnpcs  What I see are false positives, but to be sure read the documentation and try to locate the files of the infection itself. If they are not there you do not have the ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so refer him/her to the information I have just given you.

TC
@trinidad what is the documentation you write of, the links?
A network admin has not disallowed me to use it.
My eldest brother and his wife disallowed me from using it / told me not to plug the ethernet cable into the LL machine.

@Vera Thank You for running the test.
 

Re: Are they false ?
« Reply #15 on: November 11, 2017, 04:26:08 PM »
 

trinidad

  • Platinum Level Poster
  • 1414 Posts
  • Reputation: 211
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 6.2 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
@Vera  Didn't need to do all that. Download and install from synaptic. Run sudo su. Then enter your sudo password and run chkrootkit from root.

TC
 

Re: Are they false ?
« Reply #14 on: November 11, 2017, 04:00:06 PM »
 

Vera

  • PayPal Supporter
  • Forum Regular
  • 140 Posts
  • Reputation: 16
  • Enjoying Linux Lite.

  • Linux Lite: 3.4 64bit

  • CPU: Intel Quad Core 1.6GHz

  • MEMORY: 8Gb

  • VIDEO CARD: AMD Radeon
@newtusmaximus
Can some members run chkrootkit and rkhunter (they are in Install/Remove Software, aka Synaptic) and reply back

OK, I installed both. My results from rkhunter are exactly the same as @newtusmaximus .

I tried to run chkrootkit but it says: can't find `awk'
To check if I have it on my system, when I type man awk, it directs me to the man pages for gawk. I then installed traditional awk via Synaptic but when I ran chkrootkit I still got the same message. This is true whether I run chkrootkit as user or as sudo. So, I had to give up on chkrootkit, but wanted to let you know my results of rkhunter as requested.
Using Linux Lite for everything now. I put it on my desktop and my laptop. Woohoo!
 

Re: Are they false ?
« Reply #13 on: November 11, 2017, 03:38:57 PM »
 

trinidad

  • Platinum Level Poster
  • 1414 Posts
  • Reputation: 211
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 6.2 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
@newtusmaximus  /etc/.java is created by OpenJDK. Not to worry and not normally editable. Rkhunter doesn't like it because of the obviated file path /etc/.java/.systemPrefs/.systemRootModFile

TC 
 

Re: Are they false ?
« Reply #12 on: November 11, 2017, 03:00:33 PM »
 

trinidad

  • Platinum Level Poster
  • 1414 Posts
  • Reputation: 211
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 6.2 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
@bitsnpcs  What I see are false positives, but to be sure read the documentation and try to locate the files of the infection itself. If they are not there you do not have the ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so refer him/her to the information I have just given you.

TC
 

Re: Are they false ?
« Reply #11 on: November 11, 2017, 01:34:42 PM »
 

bitsnpcs

  • Platinum Level Poster
  • 3237 Posts
  • Reputation: 305
    • Try to Grow

  • Linux Lite: 3.2 64bit

  • Kernel: 4.x
@trinidad no notifications from ISP.
It has had the ethernet cable removed; it is not plugged in, and I am not allowed to plug it in.
I am using a Windows computer.
« Last Edit: November 11, 2017, 01:44:06 PM by bitsnpcs »
 

Re: Are they false ?
« Reply #10 on: November 11, 2017, 11:35:59 AM »
 

newtusmaximus

  • Gold Level Poster
  • 682 Posts
  • Reputation: 67
  • Paypal Supporter.

  • Linux Lite: 3.8 64bit

  • CPU: Intel Core duo 6300 1.86GHz

  • MEMORY: 4Gb

  • VIDEO CARD: Intel 82Q963/Q965

  • Kernel: 5.x
Highlights from my rkhunter log scan of just now


[15:50:21] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.

[15:50:28] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.

[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

[15:50:40] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[15:50:40]   /bin/fgrep                                      [ OK ]
[15:50:41] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.

[15:50:44] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.

[15:51:55] Info: Found the 'unhide-tcp' command: /usr/sbin/unhide-tcp

[15:51:58] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:52:01]   Checking /dev for suspicious file types         [ Warning ]
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01]          /dev/shm/pulse-shm-331478974: data
[15:52:01]          /dev/shm/pulse-shm-3524711130: data
[15:52:01]          /dev/shm/pulse-shm-1543249499: data
[15:52:01]          /dev/shm/pulse-shm-1019003171: data
[15:52:01]          /dev/shm/pulse-shm-3173629532: data
[15:52:01]          /dev/shm/pulse-shm-3776217293: data
[15:52:01]          /dev/shm/pulse-shm-1763800836: data
[15:52:01]   Checking for hidden files and directories       [ Warning ]
[15:52:01] Warning: Hidden directory found: /etc/.java

[15:52:07] System checks summary
[15:52:07] =====================
[15:52:07]
[15:52:07] File properties checks...
[15:52:07] Files checked: 150
[15:52:07] Suspect files: 1
[15:52:07]
[15:52:07] Rootkit checks...
[15:52:07] Rootkits checked : 365
[15:52:07] Possible rootkits: 0
[15:52:07]
[15:52:07] Applications checks...
[15:52:07] All checks skipped
[15:52:07]
[15:52:07] The system checks took: 1 minute and 56 seconds
[15:52:07]
[15:52:07] Info: End date is Sat Nov 11 15:52:07 GMT 2017

No idea what the significance of the above is. Help please, in layperson's terms.
« Last Edit: November 11, 2017, 11:38:23 AM by newtusmaximus »
2006 - HP DC7700p ultraslim Desktop Intel 6300 cpu  4GB Ram LL3.8 64bit.
2007 - Fujitsu Siemens V3405 Laptop  2 GB Ram LL3.6 32bit. Now 32bit Debian 9 + nonfree.
2006 - Fujitsu Siemens Si1520 Laptop Intel T720 cpu 3GB Ram   LL5.6 64 Bit
2003 - RETIRED Toshiba Satellite Pro A10 1 GB RAM LL2.8 32bit
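The warnings quoted in this thread (the PulseAudio segments under /dev/shm, the hidden /etc/.java directory that trinidad attributes to OpenJDK, and the lwp-request "replaced by a script" notice) are the ones rkhunter's own configuration lets you whitelist once you have confirmed what they are. The script below is an added example, not code from the thread, from Linux Lite, or from the rkhunter project: it pulls the flagged paths out of an rkhunter log, sorts them into the patterns this thread established as benign versus anything else, and prints the matching rkhunter.conf directives. ALLOWDEVFILE, ALLOWHIDDENDIR and SCRIPTWHITELIST are real rkhunter.conf options; the sample log is constructed from the output quoted above, plus one made-up hidden-file line to show what a finding that still needs a look produces.

```shell
#!/bin/sh
# Added example (not from the forum thread or the rkhunter project).
# Triage rkhunter warnings: map each flagged path to a known-benign
# rkhunter.conf whitelist directive, or mark it REVIEW if no rule matches.

# Constructed sample of an rkhunter log, in the shape quoted in the thread.
# The last line is invented to exercise the REVIEW branch.
sample_log() {
    cat <<'EOF'
[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01]          /dev/shm/pulse-shm-331478974: data
[15:52:01]          /dev/shm/pulse-shm-3524711130: data
[15:52:01]   Checking for hidden files and directories       [ Warning ]
[15:52:01] Warning: Hidden directory found: /etc/.java
[15:52:01] Warning: Hidden file found: /usr/lib/.constructed-example
EOF
}

# Map one flagged path to the rkhunter.conf directive that whitelists it,
# or to "REVIEW <path>" when it is not a pattern established as benign.
# Only paths verified in the thread are listed; extend the case table
# deliberately, after checking what owns the path (dpkg -S, package docs).
classify_path() {
    case "$1" in
        /dev/shm/pulse-shm-*)  echo 'ALLOWDEVFILE=/dev/shm/pulse-shm-*' ;;
        /etc/.java)            echo 'ALLOWHIDDENDIR=/etc/.java' ;;
        /usr/bin/lwp-request)  echo 'SCRIPTWHITELIST=/usr/bin/lwp-request' ;;
        *)                     echo "REVIEW $1" ;;
    esac
}

# Extract the flagged paths from an rkhunter log read on stdin:
#  - "The command '<path>' has been replaced by a script"
#  - "Hidden directory found: <path>" / "Hidden file found: <path>"
#  - the indented "<path>: <type>" lines under "Suspicious file types found in /dev"
extract_paths() {
    awk '
        /Warning: The command/ {
            sub(/^./, "", $5); sub(/.$/, "", $5)   # strip the surrounding quotes
            print $5; next
        }
        /Warning: Hidden (directory|file) found:/ { print $NF; next }
        /^\[[0-9:]+\] +\/dev\/[^ ]+:/ { sub(/:$/, "", $2); print $2; next }
    '
}

# One line per distinct finding: a directive for benign paths, REVIEW otherwise.
triage_log() {
    extract_paths | while read -r p; do classify_path "$p"; done | sort -u
}

# Only the directives, ready to append to rkhunter.conf
# (or /etc/rkhunter.conf.local on Debian-family installs).
suggested_whitelist() {
    triage_log | grep -v '^REVIEW '
}

# Stand-alone run on the constructed sample. On a real box, replace
# sample_log with:  sudo cat /var/log/rkhunter.log | triage_log
sample_log | triage_log
```

After editing the configuration, `sudo rkhunter --propupd` refreshes the stored file properties and `sudo rkhunter -c` re-runs the checks; a REVIEW line is the one to investigate before whitelisting, since whitelisting silences the warning for every future scan.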
 

Re: Are they false ?
« Reply #9 on: November 11, 2017, 11:14:32 AM »
 

trinidad

  • Platinum Level Poster
  • 1414 Posts
  • Reputation: 211
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 6.2 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
If you got the same result with both rootkit checkers it is usually not a false positive however...

https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1508248

Also have you received a notification from your ISP? Also this particularly involves ssh and other open port usages. To verify what's up on your system, read the documentation, and check for the presence of the malicious files manually. There are many discussions of this on the WWW. If you have the infection best to zero the drive and reinstall, though it can be repaired manually, that is considerably more time consuming and technical. Newer versions of this seem to be leaking out again. The shared memory SHM references in your rkhunter scan are indicative of the newer version of this infection, however the ones you show are for PulseAudio so they are most likely a false positive. The Operation Windigo entry is a long time bug in chkrootkit.

TC
« Last Edit: November 11, 2017, 11:40:05 AM by trinidad »
 

Re: Are they false ?
« Reply #8 on: November 11, 2017, 10:54:59 AM »
 

newtusmaximus

  • Gold Level Poster
  • 682 Posts
  • Reputation: 67
  • Paypal Supporter.

  • Linux Lite: 3.8 64bit

  • CPU: Intel Core duo 6300 1.86GHz

  • MEMORY: 4Gb

  • VIDEO CARD: Intel 82Q963/Q965

  • Kernel: 5.x
chkrootkit - No warning reported.

rkhunter --check   
"System checks summary
=====================

File properties checks...
    Files checked: 150
    Suspect files: 1

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 56 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

  /usr/bin/whoami                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/lwp-request                                     [ Warning ]
    /usr/bin/s-nail                                          [ OK ]
    /usr/bin/x86_64-linux-gnu-size                           [ OK ]
    /usr/bin/x86_64-linux-gnu-strings                        [ OK ]



  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]

Folder for chkrootkit was blank
« Last Edit: November 11, 2017, 11:35:01 AM by newtusmaximus »
 

Re: Are they false ?
« Reply #7 on: November 11, 2017, 10:29:12 AM »
 

newtusmaximus

  • Gold Level Poster
  • 682 Posts
  • Reputation: 67
  • Paypal Supporter.

  • Linux Lite: 3.8 64bit

  • CPU: Intel Core duo 6300 1.86GHz

  • MEMORY: 4Gb

  • VIDEO CARD: Intel 82Q963/Q965

  • Kernel: 5.x
Thanks trinidad. Way above my head.
So how vulnerable are we then?

bitsnpcs - will do
« Last Edit: November 11, 2017, 10:31:15 AM by newtusmaximus »
 

Re: Are they false ?
« Reply #6 on: November 11, 2017, 10:19:04 AM »
 

bitsnpcs

  • Platinum Level Poster
  • 3237 Posts
  • Reputation: 305
    • Try to Grow

  • Linux Lite: 3.2 64bit

  • Kernel: 4.x
@newtusmaximus the info came from my Linux Lite computer hard drive.
It is the only OS installed on it.
It is not networked.
No USB stick or disc that ever goes on another computer is attached to it.
The only website I visit using that LL computer is this forum.
The only update method I use is Install Updates (part of LL).
The LL that is installed was downloaded from the main LL website, and MD5 checked before install.
Nobody uses the computer but me; some people sit with me sometimes.

That computer has no wifi, it is physically unplugged from ethernet since the results.

The results are from chkrootkit, and also from rkhunter (root kit hunter) command line tools as recommended in the security section of the Linux Bible 9th Edition (current edition), followed exactly to the letter.

@trinidad thank you for the info and link.

Can some members run chkrootkit and rkhunter (they are in Install/Remove Software, aka Synaptic) and reply back so I know if this is an overall security issue, such as the hosting company servers used by Linux Lite having been infected and distributing it to the community, or one directly targeted at me only on LL.
« Last Edit: November 11, 2017, 10:28:43 AM by bitsnpcs »
 

Re: Are they false ?
« Reply #5 on: November 11, 2017, 09:17:21 AM »
 

trinidad

  • Platinum Level Poster
  • 1414 Posts
  • Reputation: 211
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 6.2 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
« Last Edit: November 11, 2017, 09:34:12 AM by trinidad »
 
