Rootkit detected (SOLVED)

digger44
Level 3
Posts: 102
Joined: Thu Jul 28, 2016 3:24 am

Rootkit detected (SOLVED)

Post by digger44 »

I have a Lenovo Z580 with Linux Mint 20.2 Uma \n \l.
I ran sudo rkhunter --update --check and then sudo chkrootkit. I got this (it is part of the report):

Code:

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo 
/usr/lib/debug/.dwz 
/usr/lib/debug/.build-id 
/usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit 
/usr/lib/python3/dist-packages/tldextract/.tld_set_snapshot 
/lib/modules/5.11.0-44-generic/vdso/.build-id /lib/modules/5.11.0-46-generic/vdso/.build-id
/usr/lib/debug/.dwz /usr/lib/debug/.build-id /lib/modules/5.11.0-44-generic/vdso/.build-id 
/lib/modules/5.11.0-46-generic/vdso/.build-id
also

Code:

Searching for Linux.Xor.DDoS ...                            INFECTED: Possible Malicious Linux.Xor.DDoS installed
How can I tell if these are real or false positives? And if they are real, how do I get rid of them short of reinstalling my entire system?
Thanks for any help. Although I've used Linux for many years I am still a novice at understanding its intricacies.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 5 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
MikeNovember
Level 7
Posts: 1855
Joined: Fri Feb 28, 2020 7:37 am
Location: Nice, Paris, France

Re: Rootkit detected

Post by MikeNovember »

digger44 wrote: Sun Jan 16, 2022 1:47 am (the original post, quoted in full)
Hi,

The first list of "suspicious files and directories" is just a warning that unexpected files and directories have been found. It is generally a false alarm.

The second, "Possible Malicious...", is more serious: rkhunter has found files whose signature matches that of Linux.Xor.DDoS.

Googling "Linux.Xor.DDoS" will give you information on the malware, ways to confirm it is present, and ways to remove it.

You have a tutorial here: https://monovm.com/blog/how-to-remove-x ... rom-linux/

Note that this malware was active in the years 2014 - 2015, and it might be a false detection. However, it seems that in 2021 there have been a lot of web pages about it, mentioning detection with rkhunter or chkrootkit; it may be a sign that it has been reused by a group of attackers (it is used to make denial of service attacks: first, the attackers take control of a maximum number of computers by spreading the virus; second, a denial of service attack is launched to prevent connection to a given website, the target of the attack).

In case of doubt, a fresh reinstall of Linux Mint could solve the problem.

Regards,

MN
_____________________________
Linux Mint 21.3 Mate host with Ubuntu Pro enabled, VMware Workstation Player with Windows 10 Pro guest, ASUS G74SX (i7-2670QM, 16 GB RAM, GTX560M with 3GB RAM, 1TB SSD).
digger44
Level 3
Posts: 102
Joined: Thu Jul 28, 2016 3:24 am

Re: Rootkit detected (SOLVED)

Post by digger44 »

Thank you MikeNovember for your quick reply. I will read the link and follow your suggestions.
karlchen
Level 23
Posts: 18209
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Rootkit detected (SOLVED)

Post by karlchen »

Hello, digger44.

Actually, it is pretty unclear from your post which of the 2 rootkit checkers that you executed reported what.
Which of the shared warnings/alerts have been made by rkhunter?
Which of the shared warnings/alerts have been made by chkrootkit?

Note on both:
Without understanding pretty well how they work and how to verify whether their warnings really spell danger or are false alerts, both rootkit checkers are pretty likely to give you fits of heart attacks.

Question:
You have marked your thread as "(Solved)". But you have not told whether it is solved, because
+ the warnings/alerts turned out to be false positives or
+ at least 1 warning/alert turned out to be true - in this case, what was your way to resolve that one?

Regards,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
digger44
Level 3
Posts: 102
Joined: Thu Jul 28, 2016 3:24 am

Re: Rootkit detected

Post by digger44 »

Thank you Karlchen for your reply. I marked it solved because I followed MikeNovember's advice and assumed that the items marked suspicious were false positives. As for the DDOS malware, I ran chkrootkit again and it did not appear. It first appeared when I ran rkhunter. I am running sudo rkhunter --check again and I will give you the results. So this time rkhunter reports:

Code:

System checks summary
=====================

File properties checks...
Files checked: 145
Suspect files: 0

Rootkit checks...
Rootkits checked : 479
Possible rootkits: 30

Applications checks...
All checks skipped

So I went to /var/log/rkhunter.log, which I have attached, but frankly I have no idea where to go from here in terms of determining if I have problems.
Attachments
rkhunter.tar.gz
(15.18 KiB) Downloaded 13 times
karlchen
Level 23
Posts: 18209
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Rootkit detected

Post by karlchen »

Hello, digger44.

Extracted the section from rkhunter.log where rkhunter checks for processes which use large shared memory segments (what rkhunter considers large):

Code:

[21:56:19] Info: Starting test name 'ipc_shared_mem'
[21:56:19] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[21:56:20]   Checking for suspicious (large) shared memory segments [ Warning ]
[21:56:20] Warning: The following suspicious (large) shared memory segments have been found:
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/bin/mate-screensaver    PID: 5185    Owner: foobar    Size: 64MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/mate-panel/wnck-applet    PID: 1913    Owner: foobar    Size: 32MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/bin/ghb    PID: 44870    Owner: foobar    Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/mate-panel/wnck-applet    PID: 1913    Owner: foobar    Size: 32MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.3MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.3MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.1MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.1MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/bin/mate-settings-daemon    PID: 1832    Owner: foobar    Size: 64MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/thunderbird/thunderbird    PID: 5041    Owner: foobar    Size: 3.9MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/bin/caja    PID: 1880    Owner: foobar    Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/bin/caja    PID: 1880    Owner: foobar    Size: 64MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/thunderbird/thunderbird    PID: 5041    Owner: foobar    Size: 3.8MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/bin/ghb    PID: 44870    Owner: foobar    Size: 16MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.4MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.4MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/mate-panel/wnck-applet    PID: 1913    Owner: foobar    Size: 32MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1    PID: 1948    Owner: foobar    Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/bin/ghb    PID: 44870    Owner: foobar    Size: 32MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/bin/mate-terminal    PID: 86935    Owner: foobar    Size: 4.0MB (configured size allowed: 1.0MB)
[21:56:21]
If you take the time to read those lines above closely, you will realize that they all give the names of applications which you had open at the same time, when rkhunter was checking the system.
They all are false positives.
There you have what rkhunter flags as 30 possible rootkits in its summary.

Code:

[21:57:52] System checks summary
[21:57:52] =====================
[21:57:52]
[21:57:52] File properties checks...
[21:57:52] Files checked: 145
[21:57:52] Suspect files: 0
[21:57:53]
[21:57:53] Rootkit checks...
[21:57:53] Rootkits checked : 479
[21:57:53] Possible rootkits: 30
[21:57:53]
[21:57:53] Applications checks...
[21:57:53] All checks skipped
[21:57:53]
[21:57:53] The system checks took: 4 minutes and 58 seconds
[21:57:53]
[21:57:53] Info: End date is Wednesday, 19 January, 2022 09:57:53 PM PST
Nothing detected by rkhunter which you have to be worried about.

You can avoid most of these false positives by closing all graphical applications, before you launch an rkhunter check, and leaving the system alone for the 5 minutes which the rkhunter check takes.

Regards,
Karl
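To make karlchen's point checkable rather than a matter of reading 30 lines by eye, here is an added example (not code from the thread, from rkhunter, or from Linux Mint) that parses log lines in the exact format quoted above and collapses the per-segment warnings into one row per process and PID. The sample log embedded in it is a constructed, abridged copy of the excerpt in the thread; point `parse_segments` at the real /var/log/rkhunter.log contents to get the full picture.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the ipc_shared_mem excerpt karlchen
# pasted from /var/log/rkhunter.log (same line format, fewer lines).
SAMPLE_LOG = """\
[21:56:19] Info: Starting test name 'ipc_shared_mem'
[21:56:20]   Checking for suspicious (large) shared memory segments [ Warning ]
[21:56:20] Warning: The following suspicious (large) shared memory segments have been found:
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/bin/mate-screensaver    PID: 5185    Owner: foobar    Size: 64MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.2MB (configured size allowed: 1.0MB)
[21:56:20]          Process: /usr/lib/mate-panel/wnck-applet    PID: 1913    Owner: foobar    Size: 32MB (configured size allowed: 1.0MB)
[21:56:21]          Process: /usr/lib/firefox/firefox-bin    PID: 2239    Owner: foobar    Size: 1.3MB (configured size allowed: 1.0MB)
"""

# One warning line = one shared-memory segment: keep process, PID, owner, size.
SEGMENT_RE = re.compile(
    r"Process:\s+(?P<proc>\S+)\s+PID:\s+(?P<pid>\d+)\s+Owner:\s+(?P<owner>\S+)"
    r"\s+Size:\s+(?P<size>[\d.]+)(?P<unit>[KMG]?B)"
)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_segments(log_text):
    """Return one (process, pid, owner, size_bytes) tuple per warning line."""
    found = []
    for line in log_text.splitlines():
        m = SEGMENT_RE.search(line)
        if m:
            size = int(float(m["size"]) * UNIT[m["unit"]])
            found.append((m["proc"], int(m["pid"]), m["owner"], size))
    return found

def summarize(segments):
    """One row per (process, pid): rkhunter counts segments, not processes."""
    rows = defaultdict(lambda: {"owner": None, "segments": 0, "largest": 0})
    for proc, pid, owner, size in segments:
        row = rows[(proc, pid)]
        row["owner"] = owner
        row["segments"] += 1
        row["largest"] = max(row["largest"], size)
    return dict(rows)

if __name__ == "__main__":
    segs = parse_segments(SAMPLE_LOG)
    print(f"{len(segs)} warnings, {len(summarize(segs))} distinct processes")
    for (proc, pid), row in sorted(summarize(segs).items()):
        print(f"  {proc} pid={pid} owner={row['owner']} "
              f"segments={row['segments']} largest={row['largest']} bytes")
```

The number of parsed lines is what rkhunter reports as "Possible rootkits"; the number of summary rows is how many processes actually produced them, which on the thread's full log is a handful of desktop programs owned by the logged-in user.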
digger44
Level 3
Posts: 102
Joined: Thu Jul 28, 2016 3:24 am

Re: Rootkit detected

Post by digger44 »

Thank you once again Karlchen. I will take your advice next time and check that I have minimal items running. It was a relief to learn that these were false positives.