Possible Malicious Linux.Xor.DDoS installed

akern · 13 January 2023 16:26

Hallo,
chkrootkit meldete auf drei getesteten Manjaro-Installationen

(Kernel: 6.1.1-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 12.2.0 Desktop: Cinnamon v: 5.6.5
    tk: GTK v: 3.24.36 dm: LightDM Distro: Manjaro Linux base: Arch Linux)
folgendes:
Searching for Linux.Xor.DDoS ... /usr/bin/chkrootkit: command substitution: Zeile 1287: Syntaxfehler beim unerwarteten Symbol »)«
/usr/bin/chkrootkit: command substitution: Zeile 1287: `${ls} ${ROOTDIR}etc/cron.hourly/udev.sh ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)'
INFECTED: Possible Malicious Linux.Xor.DDoS installed

Eine Suche mit rkhunter ergab
File properties checks...
    Required commands check failed
    Files checked: 126
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 502
    Possible rootkits: 0

Applications checks...
    All checks skipped

Muss ich mir Sorgen machen?
Besten Dank für Hilfe im Voraus!
akern

Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

TriMoon · 13 January 2023 16:50

It is finding itself.
At least that is very assuring of it’s functionality

Es findet sich selbst.
Zumindest ist das sehr beruhigend für seine Funktionalität

GaVenga · 13 January 2023 17:09

Habe dasselbe Ergebnis. (Ich) Mache mir keine Sorgen - das ist sinnlos.
https://www.linuxquestions.org/questions/slackware-14/possible-infection-chrootkit-reports-linux-xor-ddos-4175605450/
https://forums.linuxmint.com/viewtopic.php?t=342027

banjo · 13 January 2023 17:15

https://www.google.com/search?q=Linux.Xor.DDoS&oq=Linux.Xor.DDoS&aqs=chrome..69i57j69i61l3.1495j0j7&client=ms-android-google&sourceid=chrome-mobile&ie=UTF-8

kisun · 13 January 2023 17:50

Wenn es 4 verdächtige Dateien findet, welche sollen das dann sein?

akern · 13 January 2023 18:22

Mittlerweile habe ich ein frisch heruntergeladenes Live-System geprüft: gleiches Ergebnis.
Damit ibetrachte ich das Problem als gelöst und die Meldung als falsch.
Danke für eure Mühen!
akern

Nachlese · 13 January 2023 18:26

To me, this looks like a syntax error in the programs testing routine itself.
Just look at the file /usr/bin/chkrootkit
less /usr/bin/chkrootkit and go to that line

It’s throwing a syntax error for one of it’s own, built in procedures.

That file it is trying to analyze/test does not even exist in your system anyway

or

/etc/cron.hourly/gcc.sh

… it doesn’t even exist in an Arch/Manjaro installation

If you read the message - it’s not even a false positive, as it is a non existent file

If you really have this file/directory though … different story

You should also probably run this program from a known good source and have it check the target file system from there.

ps:
my comment came too late - issue already resolved
oh well

akern · 13 January 2023 18:29

That’s right, this file doesn’t exist in my system.

system · 16 January 2023 08:30

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.