Linux Lite 4.0 Final has been released. See the Release Announcements Section.




[ SECURITY ] Are they false ?


Re: Are they false ?
« Reply #15 on: November 11, 2017, 06:47:04 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

@bitsnpcs What I see are false positives, but to be sure, read the documentation and try to locate the files of the infection itself. If they are not there, you do not have the Ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so, refer him/her to the information I have just given you.

TC
@trinidad What is the documentation you write of, the links?
A network admin has not disallowed me to use it.
My eldest brother and his wife disallowed me to use it / told me not to plug the ethernet cable into the LL machine.

@Vera Thank You for running the test.
I use no computer in work, I am just a home user, at beginner/learning Linux stage.
Trying to join in with community and assist where it may be possible :)
 


Re: Are they false ?
« Reply #16 on: November 11, 2017, 11:44:03 PM »
 

rokytnji (Linux Lite 3.6 64bit)

No need for rootkit hunter install for me.

Code:
harry@biker:~
$ groups
harry lp uucp dialout cdrom floppy sudo audio dip video plugdev users netdev lpadmin scanner bluetooth

I already covered "users"

Wanna look for zombies?

Run

Code:
top

Even if you see 1 or 2 zombies in the readout (it probably means nada). I see zero on mine.
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
 

Re: Are they false ?
« Reply #17 on: November 12, 2017, 04:21:01 AM »
 

ian_r_h (Linux Lite 3.6 64bit)

I assumed the lwp, java and pulse-shm reports from rkhunter are false positives (I don't use chkrootkit), given that these have occurred immediately after fresh installs of LL followed by rkhunter (and --update), and before Menu/Favourites/Install Updates, on 3 different boxes every time; unless my copy of the LL 3.6 64bit .iso downloaded from linuxlite.com and rkhunter downloaded via apt-get from the default repo (and different mirrors) were infected to begin with.

These persist even after sudo rkhunter --propupd.

Googling found no evidence that these were anything to worry about.

I can't speak as to the rest.
Don't worry about artificial intelligence.  Worry about natural stupidity.  :)
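The lwp and pulse-shm warnings mentioned in this post are the classic rkhunter false positives on Debian-based systems, and later in the thread the fix applied is to re-baseline with --propupd and edit rkhunter.conf. The script below is an added example, not something posted in the thread and not code from the rkhunter project: it reads rkhunter warning lines and prints the rkhunter.conf whitelist directive (SCRIPTWHITELIST, ALLOWHIDDENFILE, ALLOWHIDDENDIR, ALLOWDEVFILE) that silences each one, which is the narrower fix. The sample warning lines are constructed and their exact wording is reconstructed from memory of rkhunter's log output, so compare them with your own /var/log/rkhunter.log before relying on the patterns.

```sh
#!/bin/sh
# Added example, not from the thread or from the rkhunter project: map the
# usual rkhunter false-positive warnings to the rkhunter.conf whitelist
# directives that silence them, instead of re-baselining with --propupd.
# Input: rkhunter warning lines on stdin, e.g.
#   grep '^Warning\|^ *\/dev\/' /var/log/rkhunter.log | rkhunter_whitelist_from_warnings
# The line formats matched below are an assumption (reconstructed from memory
# of rkhunter output); check them against your own rkhunter.log.
rkhunter_whitelist_from_warnings() {
    awk -F "'" '
        # Perl wrapper scripts such as /usr/bin/lwp-request: the path sits
        # between the single quotes, so it is field 2 with FS set to a quote.
        /has been replaced by a script:/ { printf "SCRIPTWHITELIST=%s\n", $2; next }
        /Hidden file found:/ {
            p = $0; sub(/^.*Hidden file found: /, "", p); sub(/:.*$/, "", p)
            printf "ALLOWHIDDENFILE=%s\n", p; next
        }
        /Hidden directory found:/ {
            p = $0; sub(/^.*Hidden directory found: /, "", p); sub(/:.*$/, "", p)
            printf "ALLOWHIDDENDIR=%s\n", p; next
        }
        # The /dev check prints a header line, then one indented path per line.
        /Suspicious file types found in \/dev:/ { in_dev = 1; next }
        in_dev && /^[ \t]+\/dev\// {
            p = $0; sub(/^[ \t]+/, "", p); sub(/:.*$/, "", p)
            # PulseAudio shm segments carry a random number; whitelist the family.
            sub(/pulse-shm-[0-9]+$/, "pulse-shm-*", p)
            printf "ALLOWDEVFILE=%s\n", p; next
        }
        { in_dev = 0 }
        # Anything else is left for a human: never whitelist blindly.
        /^Warning:/ { printf "# UNHANDLED: %s\n", $0 }
    ' | sort -u
}

# Constructed sample (formats approximated, not a real log):
RKH_SAMPLE="Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Suspicious file types found in /dev:
         /dev/shm/pulse-shm-1234567: data
         /dev/shm/pulse-shm-7654321: data"

# Demo run on the constructed sample:
printf '%s\n' "$RKH_SAMPLE" | rkhunter_whitelist_from_warnings
```

Append the printed directives to /etc/rkhunter.conf (or /etc/rkhunter.conf.local where the packaged version supports it), then run sudo rkhunter -C to validate the configuration before the next check. Before whitelisting a script warning, confirm the file is the packaged one, e.g. dpkg -S /usr/bin/lwp-request and debsums libwww-perl. Prefer this over --propupd for anything you have not verified: --propupd records the current hashes of every checked file as the new baseline, so running it on a box that is actually compromised baselines the attacker's binaries too.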
 

Re: Are they false ?
« Reply #18 on: November 12, 2017, 10:24:19 AM »
 

trinidad (Linux Lite 4.0 64bit)

Okay friends.

I'm not going to assure someone that their computer is untouched by an incidence of Ebury without being in the room with access to the particular box. I realize many here are deeply concerned with security, but this thread seems to be headed, as usual, toward paranoia mode.

To sum up again: rkhunter often returns false positives for shm files because it is aware of the newer version of Ebury, and also reports obviated file paths; chkrootkit has had the bug in Debian of falsely detecting Ebury for some time now and is actually somewhat deprecated. I consider Linux itself to be a positive learning experience for anyone who wants to learn about it. The welivesecurity links are full of information which can direct you to the Ebury files on your computer if you choose to look for them, which is the best way to be sure whether the Ebury infection is or is not present on your box.

The hacker who invented it is in prison in the US; however, newer versions now exist in the wild. It is unlikely that Ebury is going away as it is still evolving, but as with all things of this type, security people are also continuing to check its progress. The community nature of Linux itself makes successful zero-day exploits very difficult to pull off.

I cannot say that it is unlikely that a LL user could have contracted Ebury, as LL is used in many different ways by many different users, and the likelihood of contracting Ebury depends on user praxis. I can say that it is unlikely now that a US user with a broadband ISP (like Spectrum) could contract it unawares, as their ISP would notify them, especially if they are looping ssh or samba through their connection.

TC     
"You can't depend on your eyes when your imagination is out of focus."
 

Re: Are they false ?
« Reply #19 on: November 12, 2017, 06:43:37 PM »
 

newtusmaximus (Linux Lite 3.6 64bit)

Thanks Trinidad, learned a lot from this exercise, so time not wasted. :)
2006 - HP DC7700p ultraslim Desktop Intel 6300 cpu  4GB Ram LL3.6 64bit.
2007 - Fujitsu Siemens V3405 Laptop  2 GB Ram LL3.6 32bit. Now Trialling Alpha 32bit Debian.
2006 - Fujitsu Siemens Si1520 Laptop Intel T720 cpu 3GB Ram LL4.0 64bit
2003 - RETIRED Toshiba Satellite Pro A10 1 GB RAM LL2.8 32bit
 

Re: Are they false ?
« Reply #20 on: November 14, 2017, 03:54:25 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

@trinidad I do not feel able to cope with the links at this time. I do not think it will be possible for me to do this level of Linux discussed on them either. It is above beginner level.
I will try to work through the links and tasks at a future time, when I rebuild some confidence in using computers.

I am not confident there will be any success at all for me in trying that, but I will try at some stage.

Even though it is highly unlikely to be solved, I will call it solved, as there is nothing else that can be done. There is no marking option etc.
 

Re: Are they false ?
« Reply #21 on: November 14, 2017, 09:41:22 PM »
 

Jerry (Linux Lite Creator, Administrator; Linux Lite 3.8 64bit)

Whenever I look at my reports from rkhunter and chkrootkit I simply Google them. They always turn out to be false positives and are usually widely known/discussed.
Download your free copy of Linux Lite today.

Jerry Bezencon
Linux Lite Creator

Learn to use your emotions to think, not think with your emotions.



 

Re: Are they false ?
« Reply #22 on: November 14, 2017, 11:52:08 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

I will do this.
 

Re: Are they false ?
« Reply #23 on: November 15, 2017, 07:47:01 AM »
 

trinidad (Linux Lite 4.0 64bit)

@bitsnpcs Yes!!! There is so much information on the web about Linux that you can often just copy and paste the code into a search box, especially if it concerns security. Linux is a vast global community.

TC
 

Re: Are they false ?
« Reply #24 on: November 15, 2017, 09:12:17 AM »
 

bitsnpcs (Linux Lite 3.2 64bit)

Thanks, I'll post back once completed
 

Re: Are they false ?
« Reply #25 on: November 15, 2017, 05:20:10 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

So far I am still manually doing the checks from Ubuntu security page.

For some reason there are auth.log and auth.log.1, the same occurs for many other logs, I am unsure if this is normal, I have not found info on that yet.

One thing I noticed in both auth.logs is a login at 06:25:01 hours, every day, for the same duration, since the 8th of November (my oldest log date). It takes root/su, using a default in the distro; Linuxquestions says this is used as a default for "Samba and Apache to run services in distros", then afterwards it removes its session.
I am unsure why, or which services it is running at this time each day?

It can also be used to backdoor distros; they advise using /dev/null instead to prevent that possibility.
I am not sure on that.

These are the only unknowns in the auth.logs.
Syslog is clear.

I will continue on with the processes and report back.
Last Edit: November 15, 2017, 05:24:39 PM by bitsnpcs
 

Re: Are they false ?
« Reply #26 on: November 15, 2017, 07:23:53 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

Still on the first of security links.

I have solved the above one, in that it is something internal in the distro, and it is not trying to access externally. It's common behaviour in many Linux distros.

ufw logs clear.

netstat

Code:
sudo watch netstat -anlp

shows no foreign connection or any to /bin/sh or /bin/su

trace backs running clear currently. (I was allowed to connect LL for this, and can show them the monitoring and ufw results)

rkhunter, I have discovered it is a false positive, something to do with the package manager; Debian say it's been fixed.

The rkhunter wiki has this for updates, which I had done before using it and since then.

Code:
sudo rkhunter --propupd

On the Ubuntu forums I noticed the help

Code:
sudo rkhunter -h

From this I found a way to update the database

Code:
sudo rkhunter --update

Neither is on the rkhunter wiki; it is a different method and different commands.

This found and updated the list of false positives in rkhunter that propupd didn't find.

I then edited the rkhunter.conf file as admin, saved, and used

Code:
sudo rkhunter -C

as per the conf, to update rkhunter with these changes.

It now runs with no results detected, only everything Okay, not found, or clear.

I have updated LL and notice that both Perl and Pulse have many updates; it may help with chkrootkit, which I'll start on tomorrow.

Update -
.bash_profile, .bashrc, .profile, /etc/profile - all clear of other uses

Update 2 -
samba activity noted above: this is a cron job to back up the samba password each day.
no cron jobs set at root
cron.d empty/no issues found
cron.daily / all clean no issues found
cron.hourly, cron.monthly empty/no issues found
cron.weekly all clean no issues found
All checked manually.

Code:
printenv

no backdoors, hooks, escalated privileges found, all clean.

/etc/ld.so.conf.d
no malicious linkages found

/etc/rc.local clean
/etc/rc0 thru 6 all files checked all clean
/etc/init.d clean
/etc/network all files clean
/etc/NetworkManager all files clean  :)
Last Edit: November 15, 2017, 08:17:54 PM by bitsnpcs
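The daily 06:25 root session asked about in Reply #25 and traced to a cron job above is the kind of pattern that is easier to confirm with a small script than by reading auth.log by eye. The block below is an added example, not something posted in the thread: three shell functions that read auth.log text on stdin and report root sessions by PAM service, the minute of day at which cron opens them, and every root session that was not opened by cron. The sample lines are constructed (the hostname "lite", the user "harry", the PIDs and the address 192.0.2.10 are made up) but follow the standard pam_unix syslog format. The 06:25 timing matches the cron.daily entry in Ubuntu's /etc/crontab (25 6 * * *), which is what runs the jobs in /etc/cron.daily, including the Samba password backup found above; "by (uid=0)" on those lines means the cron daemon itself, running as root, opened the session.

```sh
#!/bin/sh
# Added example, not from the thread: triage of "session opened for user root"
# lines in auth.log. Each function reads log text on stdin, so it runs on the
# constructed sample below and on real logs, e.g.
#   cat /var/log/auth.log.1 /var/log/auth.log | root_sessions_not_cron

# Count root sessions per PAM service (cron, su, sshd, login, ...).
# Output: one "<service> <count>" line per service, sorted.
root_session_summary() {
    awk '
        /pam_unix\([a-z-]+:session\): session opened for user root/ {
            # pull "cron" out of "pam_unix(cron:session)"
            if (match($0, /pam_unix\([a-z-]+:session\)/)) {
                svc = substr($0, RSTART + 9, RLENGTH - 18)
                n[svc]++
            }
        }
        END { for (s in n) printf "%s %d\n", s, n[s] }
    ' | sort
}

# At which minute of the day cron opens root sessions, and how often.
# One line such as "06:25 7" for a week of logs is the daily cron.daily run
# (Ubuntu /etc/crontab: "25 6 * * * root ... run-parts --report /etc/cron.daily";
# verify with: grep cron.daily /etc/crontab).
cron_root_session_minutes() {
    awk '/pam_unix\(cron:session\): session opened for user root/ { m[substr($3, 1, 5)]++ }
         END { for (t in m) printf "%s %d\n", t, m[t] }' | sort
}

# Root sessions NOT opened by cron: these are the lines to read one by one
# (who ran su or sudo, from which tty, at what time).
root_sessions_not_cron() {
    grep 'session opened for user root' | grep -v 'pam_unix(cron:session)'
    return 0
}

# Constructed sample log (not captured from a real machine): two days of the
# 06:25 cron run, one SSH login as a normal user, and one su to root.
AUTH_SAMPLE='Nov 14 06:25:01 lite CRON[1880]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 14 06:25:02 lite CRON[1880]: pam_unix(cron:session): session closed for user root
Nov 15 06:25:01 lite CRON[2214]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 15 06:25:02 lite CRON[2214]: pam_unix(cron:session): session closed for user root
Nov 15 09:12:44 lite sshd[3001]: Accepted password for harry from 192.0.2.10 port 51234 ssh2
Nov 15 09:12:44 lite sshd[3001]: pam_unix(sshd:session): session opened for user harry by (uid=0)
Nov 15 09:13:10 lite su[3050]: Successful su for root by harry
Nov 15 09:13:10 lite su[3050]: + /dev/pts/0 harry:root
Nov 15 09:13:10 lite su[3050]: pam_unix(su:session): session opened for user root by harry(uid=1000)'

# Demo run on the constructed sample:
echo '== root sessions per service =='
printf '%s\n' "$AUTH_SAMPLE" | root_session_summary
echo '== cron root sessions by minute of day =='
printf '%s\n' "$AUTH_SAMPLE" | cron_root_session_minutes
echo '== root sessions not from cron =='
printf '%s\n' "$AUTH_SAMPLE" | root_sessions_not_cron
```

On a real box, a cron root session at a minute that does not match /etc/crontab, /etc/cron.d or a root crontab (sudo crontab -l) is worth explaining; so is any su or sshd root session you did not open yourself. Both log files (auth.log and the rotated auth.log.1) should be fed in together, otherwise the count covers only the current rotation period.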
 

Re: Are they false ?
« Reply #27 on: November 15, 2017, 11:23:52 PM »
 

JmaCWQ (Linux Lite 1.0.0)

For some reason there are auth.log and auth.log.1, the same occurs for many other logs, I am unsure if this is normal, I have not found info on that yet.

That is normal, just the logs being rotated auto by the system, the .1's are the older logs.
 

Re: Are they false ?
« Reply #28 on: November 16, 2017, 02:32:32 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

For some reason there are auth.log and auth.log.1, the same occurs for many other logs, I am unsure if this is normal, I have not found info on that yet.

That is normal, just the logs being rotated auto by the system, the .1's are the older logs.

Thank You for answering and explaining it to me :)
 

Re: Are they false ?
« Reply #29 on: November 16, 2017, 03:35:26 PM »
 

bitsnpcs (Linux Lite 3.2 64bit)

I have done some searching; it says the chkrootkit Ebury result is a known false positive, related to -G.

To test for older Ebury versions using shared memory segments I ran

Code:
sudo find /lib* -type f -name libns2.so

Clean

To test for the newer Ebury version using Unix domain sockets I ran

Code:
sudo netstat -nap | grep "@/proc/udevd"

Clean

To prevent a false positive due to the added -G, it uses -e Gg in this command; I found an explanation of the command on Ubuntu threads.

Code:
ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"
The result was -

Last Edit: November 16, 2017, 03:39:29 PM by bitsnpcs
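The three checks in this post, rewritten as an added example (not code from the thread, and not ESET's own tooling) into shell functions that classify text they receive on stdin, so the logic can be tried on constructed input first and then pointed at a live system. It also spells out why the ssh test greps for "Gg": OpenSSH 7.3 added a legitimate -G option, so "illegal option" no longer appears on a current system; run with no destination, ssh instead prints its usage line, which lists the options as "...CfGgKk...". Ebury's trojanised ssh accepts -G silently and prints neither, which is the signal. The sample netstat/ss lines and usage strings below are constructed; ss -xap is used where available because netstat is deprecated on newer distributions. These indicators cover only the publicly documented older variants, so a clean result here is not proof of a clean box.

```sh
#!/bin/sh
# Added example, not code from the thread or from ESET: the Ebury indicator
# checks as functions that read text on stdin and print "clean" or "infected",
# so the logic can be tested on constructed input and then run live with
#   sudo sh ebury_check.sh --live

# Indicator 1: the trojanised libkeyutils variant dropped a file named
# libns2.so under /lib*. Input: a list of paths, one per line (e.g. from find).
ebury_lib_status() {
    if grep -q '/libns2\.so$'; then echo infected; else echo clean; fi
}

# Indicator 2: later versions listen on an abstract Unix-domain socket named
# "@/proc/udevd". Input: output of `netstat -nap` or `ss -xap`.
ebury_socket_status() {
    if grep -qF '@/proc/udevd'; then echo infected; else echo clean; fi
}

# Indicator 3: the backdoored ssh client accepts an undocumented -G option.
# Input: output of `ssh -G 2>&1`, run with no destination.
#   OpenSSH < 7.3  rejects it: "ssh: illegal option -- G" (or "unknown option")
#   OpenSSH >= 7.3 knows -G but, with no host given, prints its usage line,
#                  which lists the options as "...CfGgKk...", hence "Gg"
#   Ebury's ssh    accepts -G silently and prints neither -> "infected"
# Empty input is also reported as infected, so the live wrapper checks that
# ssh is actually installed before trusting this result.
ebury_ssh_status() {
    if grep -q -e illegal -e unknown -e Gg; then echo clean; else echo infected; fi
}

# Run all three against the local system, one line per indicator.
ebury_live_check() {
    printf 'libns2.so in /lib*:   %s\n' \
        "$(find /lib* -type f -name libns2.so 2>/dev/null | ebury_lib_status)"
    if command -v ss >/dev/null 2>&1; then
        socks=$(ss -xap 2>/dev/null)
    else
        socks=$(netstat -nap 2>/dev/null)
    fi
    printf '@/proc/udevd socket:  %s\n' "$(printf '%s\n' "$socks" | ebury_socket_status)"
    if command -v ssh >/dev/null 2>&1; then
        printf 'ssh -G behaviour:     %s\n' "$(ssh -G 2>&1 | ebury_ssh_status)"
    else
        printf 'ssh -G behaviour:     ssh not installed, check skipped\n'
    fi
}

# Constructed sample inputs (not captured from a real machine):
SAMPLE_SS_CLEAN='u_str LISTEN 0 128 /run/systemd/journal/stdout 12345 * 0'
SAMPLE_SS_HIT='u_str LISTEN 0 128 @/proc/udevd 23456 * 0 users:(("sshd",pid=987,fd=3))'
SAMPLE_SSH_OLD='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SSH_NEW='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]'
SAMPLE_SSH_BAD=''

# Only touch the live system when asked (run as root so ss/netstat can show
# the owning process); otherwise just exercise the sample inputs.
if [ "${1:-}" = "--live" ]; then
    ebury_live_check
else
    printf 'sample ss, clean:        %s\n' "$(printf '%s\n' "$SAMPLE_SS_CLEAN" | ebury_socket_status)"
    printf 'sample ss, hit:          %s\n' "$(printf '%s\n' "$SAMPLE_SS_HIT" | ebury_socket_status)"
    printf 'old OpenSSH usage:       %s\n' "$(printf '%s\n' "$SAMPLE_SSH_OLD" | ebury_ssh_status)"
    printf 'new OpenSSH usage:       %s\n' "$(printf '%s\n' "$SAMPLE_SSH_NEW" | ebury_ssh_status)"
    printf 'silent ssh (no output):  %s\n' "$(printf '%s' "$SAMPLE_SSH_BAD" | ebury_ssh_status)"
fi
```

If any indicator fires, stop using the machine's ssh client and keys, take a copy of the suspect files (the libns2.so path, the process owning the socket from ss -xap, the ssh binary and its package verification via dpkg -V openssh-client) before changing anything, and treat every password and key that has been used from that box as exposed; Ebury's purpose is credential theft, so the remediation is re-installation plus credential rotation, not just deleting the files.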
 

