


Are they false ?


Re: Are they false ?
« Reply #34 on: November 17, 2017, 01:26:19 AM »
 

JmaCWQ (Forum Regular, 227 posts, Reputation: 44, Linux Lite 1.0.0)
Thank You for answering and explaining it to me :)

You are welcome.

One reason I love Linux is I never have to worry about all this virus/rootkit stuff.
 

Re: Are they false ?
« Reply #33 on: November 16, 2017, 05:22:28 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
@trinidad  Thank You, it is very good to know the first one is enough :)
 

Re: Are they false ?
« Reply #32 on: November 16, 2017, 04:53:20 PM »
 

TheDead (Gold Level Poster, 936 posts, Reputation: 91, Linux Lite Worshipper, My OpenDesktop Projects; Linux Lite 3.8 32bit, CPU: HAL9000, Memory: 2Gb, Video card: Quantum State VR v.3, Kernel: 4.x)
If these are real rootkits, would a Linux antivirus software "clean" the problem? (Rootkits are not always cleaned by default by Windows AV :( ). Related, but curving the OP a bit, what would be the "Avira" for Linux? (i.e. free and good). -TD
- TheDead (TheUxNo0b)

If my blabbering was helpful, please click my [Thank] link.
 

Re: Are they false ?
« Reply #31 on: November 16, 2017, 04:16:06 PM »
 

trinidad (Platinum Level Poster, 1380 posts, Reputation: 210, Linux Lite Member, dbts-analytics.com; Linux Lite 6.0 64bit, CPU: AMD A8 5500 4 cores, Memory: 8Gb, Video card: AMD/ATI Radeon HD 7560D, Kernel: 5.x)
Nicely done @bitsnpcs
The first lib command you cite is enough to know whether or not ebury is installed.

TC
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Are they false ?
« Reply #30 on: November 16, 2017, 03:35:26 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
I have done some searching and it says the chkrootkit Ebury result is a known false positive, related to -G.

To test for older Ebury versions using shared memory segments I ran

Code:
sudo find /lib* -type f -name libns2.so
Clean

To test for newer Ebury versions using Unix domain sockets I ran

Code:
sudo netstat -nap | grep "@/proc/udevd"
Clean

To prevent a false positive due to the added -G, it uses -e Gg in this command; I found an explanation of the command on Ubuntu threads.

Code:
ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"
The result was -

« Last Edit: November 16, 2017, 03:39:29 PM by bitsnpcs »
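The three indicator checks from the post above, wrapped as functions that return a clean/not-clean status so they can be scripted and re-run. This is an added example, not code from the post or from the chkrootkit project; it assumes a Debian/Ubuntu-style /lib* layout and reads /proc/net/unix directly instead of relying on netstat.

```shell
#!/bin/sh
# Added example, not code from the post: the three Ebury indicator checks from Reply #30
# as functions returning 0 (clean) or 1 (indicator present) so they can be scripted.
# Assumes a Debian/Ubuntu-style /lib* layout and reads /proc/net/unix instead of netstat.
# Check 1: older Ebury versions placed a shared library named libns2.so under /lib*.
# Search roots may be passed as arguments; the default is the post's /lib* glob.
check_libns2() {
    [ $# -eq 0 ] && set -- /lib*
    hits=$(find "$@" -type f -name 'libns2.so' 2>/dev/null || true)
    [ -z "$hits" ]
}

# Check 2: newer versions listened on an abstract Unix domain socket named @/proc/udevd.
# The kernel's socket table shows the same entries as "netstat -nap | grep @/proc/udevd".
check_udevd_socket() {
    table=${1:-/proc/net/unix}
    [ -r "$table" ] || { echo "cannot read $table" >&2; return 2; }
    ! grep -q '@/proc/udevd' "$table"
}

# Check 3: classify the output of "ssh -G 2>&1" exactly as the post's one-liner does.
# Stock OpenSSH before 6.8 rejects -G ("illegal option" / "unknown option"); a newer one
# prints its usage line, whose option list contains the substring "Gg". A client patched
# by Ebury accepted -G quietly, so neither marker appears and the verdict is "infected".
classify_ssh_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown -e Gg; then
        echo clean
    else
        echo infected
    fi
}

# Run check 3 against whichever ssh is first in PATH, if one is installed at all.
check_ssh_dash_g() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh -G check: ssh not installed, skipped"; return 0; }
    verdict=$(classify_ssh_output "$(ssh -G 2>&1)")
    echo "ssh -G check: $verdict"
    [ "$verdict" = clean ]
}

# Report all three indicators; keep going after a hit so nothing is hidden.
run_ebury_checks() {
    status=0
    check_libns2 && echo "libns2.so: clean" || { echo "libns2.so: FOUND"; status=1; }
    check_udevd_socket && echo "@/proc/udevd socket: clean" || { echo "@/proc/udevd socket: not clean"; status=1; }
    check_ssh_dash_g || status=1
    return $status
}
if run_ebury_checks; then echo "no Ebury indicators found"; else echo "indicator present, investigate"; fi
```

The ssh check only tells you about the binary first in PATH, so run it with the same PATH a login shell would see.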
 

Re: Are they false ?
« Reply #29 on: November 16, 2017, 02:32:32 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
For some reason there are auth.log and auth.log.1; the same occurs for many other logs. I am unsure if this is normal; I have not found info on that yet.

That is normal, just the logs being rotated automatically by the system; the .1's are the older logs.

Thank You for answering and explaining it to me :)
 

Re: Are they false ?
« Reply #28 on: November 15, 2017, 11:23:52 PM »
 

JmaCWQ (Forum Regular, 227 posts, Reputation: 44, Linux Lite 1.0.0)
For some reason there are auth.log and auth.log.1; the same occurs for many other logs. I am unsure if this is normal; I have not found info on that yet.

That is normal, just the logs being rotated automatically by the system; the .1's are the older logs.
 

Re: Are they false ?
« Reply #27 on: November 15, 2017, 07:23:53 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
Still on the first of the security links.

I have solved the above one, in that it is something internal in the distro, and it is not trying to access externally. It's common behaviour in many Linux distros.

ufw logs clear.

netstat

Code:
sudo watch netstat -anlp
shows no foreign connection or any to /bin/sh or /bin/su

Trace backs running clear currently. (I was allowed to connect LL for this and can show them monitoring and ufw results.)

rkhunter: I have discovered it is a false positive, something to do with the package manager; Debian say it's been fixed.

The rkhunter wiki has this for updates, which I had done before using it and since then.

Code:
sudo rkhunter --propupd
On the Ubuntu forums I noticed the help

Code:
sudo rkhunter -h
from this I found a way to update the database

Code:
sudo rkhunter --update
Neither is on the rkhunter wiki; it is a different method and commands.

This found and updated the list of false positives in rkhunter that propupd didn't find.

I then edited the rkhunter.conf file as admin, saved, and used

Code:
sudo rkhunter -C
as per the conf to update rkhunter with these changes.

It now runs with no results detected, only everything OK, not found, or clear.

I have updated LL and noticed that both Perl and Pulse have many updates; it may help with chkrootkit, which I'll start on tomorrow.

Update -
.bash_profile, .bash_rc, .profile, /etc/profile - all clear of other uses

Update 2 -
samba activity noted above, this is a cron job to back up samba password each day.
no cron jobs set at root
cron.d empty/no issues found
cron.daily / all clean no issues found
cron.hourly, cron.monthly empty/no issues found
cron.weekly all clean no issues found
All checked manually.

Code:
printenv
no backdoors, hooks or escalated privileges found, all clean.

/etc/ld.so.conf.d
no malicious linkages found

/etc/rc.local clean
/etc/rc0 thru 6 all files checked all clean
/etc/init.d clean
/etc/network all files clean
/etc/NetworkManager all files clean  :)
« Last Edit: November 15, 2017, 08:17:54 PM by bitsnpcs »
 

Re: Are they false ?
« Reply #26 on: November 15, 2017, 05:20:10 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
So far I am still manually doing the checks from the Ubuntu security page.

For some reason there are auth.log and auth.log.1; the same occurs for many other logs. I am unsure if this is normal; I have not found info on that yet.

One thing I noticed in both auth.logs is a login at 06:25:01 hours, every day for the same duration since the 8th of November (my oldest log date); it takes root/su, using a default in the distro. Linuxquestions says this is used as default for "Samba and Apache to run services in distros", then afterwards it removes its session.
I am unsure why, or which services it is running at this time each day?

It can also be used to backdoor distros; they advise using /dev/null instead to prevent that possibility.
I am not sure on that.

These are the only unknowns in the auth.logs.
Syslog is clear.

I will continue on with the processes and report back.
« Last Edit: November 15, 2017, 05:24:39 PM by bitsnpcs »
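One way to pin a recurring root session like the 06:25:01 one above to the cron entry that opens it: summarise the pam_unix "session opened" lines by service, user and minute, then list the crontab entries scheduled for that minute. This is an added example, not code from the thread; the auth.log and crontab excerpts are constructed, and the line formats assumed are the Debian/Ubuntu ones (Debian's stock /etc/crontab runs /etc/cron.daily as root at 06:25).

```shell
#!/bin/sh
# Added example, not code from the thread: tie a recurring root session in auth.log
# (the daily 06:25:01 entry in Reply #26) to the cron entry that opens it. The log
# and crontab samples below are constructed; pam_unix line format is Debian/Ubuntu's.
# One line per (service, user, HH:MM): how many distinct days it appeared and how many
# sessions in total. A job that fires at the same minute every day stands out at once.
summarise_root_sessions() {
    awk '
        /pam_unix\([a-z-]+:session\): session opened for user/ {
            split($3, t, ":"); minute = t[1] ":" t[2]      # drop seconds
            match($0, /pam_unix\([a-z-]+:session\)/)
            svc = substr($0, RSTART + 9, RLENGTH - 18)     # text inside pam_unix(...:session)
            for (i = 1; i <= NF; i++) if ($i == "user") { usr = $(i + 1); break }
            day = $1 " " $2
            key = svc " " usr " " minute
            if (!((key, day) in seen)) { seen[key, day] = 1; days[key]++ }
            total[key]++
        }
        END { for (k in total) printf "%s %d days %d sessions\n", k, days[k], total[k] }
    ' "$@" | sort
}

# Print the /etc/crontab-style entries (min hour dom mon dow user command) that fire at HH:MM.
# Handles plain numbers and "*" only, which covers the stock Debian file; on Debian-derived
# systems that file runs /etc/cron.daily as root at 06:25, the usual source of the session.
crontab_entries_at() {
    hhmm=$1; shift
    awk -v h="${hhmm%%:*}" -v m="${hhmm##*:}" '
        /^[ \t]*(#|$)/ { next }
        ($1 == m + 0 || $1 == "*") && ($2 == h + 0 || $2 == "*") { print }
    ' "$@"
}

# Constructed auth.log excerpt: three days of the 06:25 cron session plus one su session.
SAMPLE_AUTH_LOG='Nov 14 06:25:01 lite CRON[2011]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 14 06:25:01 lite CRON[2011]: pam_unix(cron:session): session closed for user root
Nov 14 17:03:12 lite su[2250]: pam_unix(su:session): session opened for user root by bits(uid=1000)
Nov 15 06:25:01 lite CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 06:25:01 lite CRON[4122]: pam_unix(cron:session): session opened for user root by (uid=0)'
# Constructed /etc/crontab excerpt mirroring the Debian default lines.
SAMPLE_CRONTAB='SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )'

printf '%s\n' "$SAMPLE_AUTH_LOG" | summarise_root_sessions
printf '%s\n' "$SAMPLE_CRONTAB" | crontab_entries_at 06:25
# On a live system: summarise_root_sessions /var/log/auth.log /var/log/auth.log.1; crontab_entries_at 06:25 /etc/crontab
```

If the minute matches a run-parts line, the individual jobs are the files in the named /etc/cron.* directory, which is where the samba password backup mentioned later in the thread would live.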
 

Re: Are they false ?
« Reply #25 on: November 15, 2017, 09:12:17 AM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
Thanks, I'll post back once completed
 

Re: Are they false ?
« Reply #24 on: November 15, 2017, 07:47:01 AM »
 

trinidad (Platinum Level Poster, 1380 posts, Reputation: 210, Linux Lite Member, dbts-analytics.com; Linux Lite 6.0 64bit, CPU: AMD A8 5500 4 cores, Memory: 8Gb, Video card: AMD/ATI Radeon HD 7560D, Kernel: 5.x)
@bitsnpcs Yes!!! There is so much information on the web about Linux that you can often just copy and paste the code into a search box, especially if it concerns security. Linux is a vast global community.

TC
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Are they false ?
« Reply #23 on: November 14, 2017, 11:52:08 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
I will do this.
 

Re: Are they false ?
« Reply #22 on: November 14, 2017, 09:41:22 PM »
 

Jerry (Linux Lite Creator, Administrator, Platinum Level Poster, 8494 posts, Reputation: 787, Linux Lite Member, Linux Lite OS; Linux Lite 6.0 64bit, CPU: Intel Core i9-10850K CPU @ 3.60GHz, Memory: 32Gb, Video card: nVidia GeForce GTX 1650, Kernel: 5.x)
Whenever I look at my reports from rkhunter and chkrootkit I simply Google them. They always turn out to be false positives and are usually widely known/discussed.
 

Re: Are they false ?
« Reply #21 on: November 14, 2017, 03:54:25 PM »
 

bitsnpcs (Platinum Level Poster, 3237 posts, Reputation: 305, Try to Grow; Linux Lite 3.2 64bit, Kernel: 4.x)
@trinidad I do not feel able to cope with the links at this time. I do not think it will be possible for me to do the level of Linux discussed on them either. It is above beginner level.
I will try to work through the links and tasks at a future time, when I rebuild some confidence in using computers.

I am not confident there will be any success at all for me in trying that, but I will try at some stage.

Even though it is highly unlikely to be solved, I will say it is solved, as there is nothing else that can be done. There is no marking option etc.
 

Re: Are they false ?
« Reply #20 on: November 12, 2017, 06:43:37 PM »
 

newtusmaximus (Gold Level Poster, 680 posts, Reputation: 67, Paypal Supporter; Linux Lite 3.8 64bit, CPU: Intel Core duo 6300 1.86GHz, Memory: 4Gb, Video card: Intel 82Q963/Q965, Kernel: 5.x)
Thanks Trinidad. I learned a lot from this exercise, so time not wasted. :)
2006 - HP DC7700p ultraslim Desktop Intel 6300 cpu  4GB Ram LL3.8 64bit.
2007 - Fujitsu Siemens V3405 Laptop  2 GB Ram LL3.6 32bit. Now 32bit Debian 9 + nonfree.
2006 - Fujitsu Siemens Si1520 Laptop Intel T720 cpu 3GB Ram   LL5.6 64 Bit
2003 - RETIRED Toshiba Satellite Pro A10 1 GB RAM LL2.8 32bit
 

 
