Chkrootkit says "Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd", should I be worried?
Solution 1:
The problem you have is that in Wily, the command "ssh -G" doesn't output the "Illegal Operation" string at the top, but it still does show the command help, so I think you are fine. All my Wily installs are reporting the same issue. It's a detection flaw. chkrootkit needs to be updated to change it's suspicion detection mechanism.
Solution 2:
I also received that "possible" infestation result running OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips on Ubuntu 16.04 . Looking on-line for this issue I found the site:
https://www.cert-bund.de/ebury-faq
which gives some tests to perform. The shared memory tests where not conclusive, but the other three test results were indicative of a false positive. I've created a small simple script to run after the possible positive result shows up on chkrootkit:
#! /bin/bash
#
# Result filesize should be less that 15KB.
sudo find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;
# Result should return null.
sudo find /lib* -type f -name libns2.so
# Result should return null.
sudo netstat -nap | grep "@/proc/udevd"
I would also recommend installing rkhunter as a further check for rootkits.
Solution 3:
The correct version of the test is:
ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"
As a -G
option has been added to ssh, the -e Gg
is needed to prevent false positives.