I noticed this beauty popping up a day ago:
Rootkit checks...
Rootkits checked : 498
Possible rootkits: 1
Rootkit names : xorddos component

Fair enough, the log reported a suspect file:

====================================
Checking for file '/var/run/sftp.pid'      [ Not found ]
Checking for file '/var/run/udev.pid'      [ Warning ]   <== This one
Checking for file '/var/run/mount.pid'     [ Not found ]
[snip ...]
Warning: Checking for possible rootkit files and directories  [ Warning ]
         Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
===================================================================

I think it is a false positive, because none of the files mentioned in the interwebs[1] are seen lurking in my system, but I thought it wiser to check further.

[1] http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

The rkhunter report of this xorddos component seems to have arrived with:

sys-fs/udev-init-scripts-33
or
sys-apps/dbus-1.12.12-r1

Could it be these versions are now launching /run/udev.pid? Is a file /run/udev.pid present in your system?

In any case, the file merely contains the PID number of /lib/systemd/systemd-udevd, rather than an ELF binary, and /etc/init.d/ does not contain anything suspicious. However, with armies generating variants of every conceivable malware I don't know if it pays to be a bit paranoid about this.

--
Regards,
Mick
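The check Mick describes (is the flagged pidfile a plain PID rather than an ELF payload, and does that PID belong to udevd?) can be scripted so it is repeatable after the next world update. The script below is an added example, not part of the original mail or of rkhunter; the function name `check_pidfile`, the third `procroot` argument (which exists only so the check can be exercised offline against a constructed /proc tree) and the sample files are my own. Note that on newer systemd releases `systemd-udevd` may be a symlink to `udevadm`, in which case the expected name has to be adjusted.

```shell
#!/bin/sh
# Added example (not from the original mail or from rkhunter):
# sanity-check a pidfile that rkhunter flagged as a possible xorddos
# component. A benign pidfile holds one decimal PID and nothing else, and
# the PID must be a running process whose executable is the expected daemon.
#
# Usage: check_pidfile PIDFILE EXPECTED_EXE_BASENAME [PROCROOT]
#   e.g. check_pidfile /run/udev.pid systemd-udevd
# PROCROOT defaults to /proc and is overridable only for offline testing.
# Exit status: 0 benign, 1 suspicious content/owner, 2 not a file, 3 stale PID.

check_pidfile() {
    pidfile=$1
    expected=$2
    procroot=${3:-/proc}

    [ -f "$pidfile" ] || { echo "$pidfile: not a regular file"; return 2; }

    # An ELF binary starts with the magic bytes 0x7f 'E' 'L' 'F'.
    # A pidfile that is really a dropped binary fails here immediately.
    magic=$(head -c 4 "$pidfile" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo "$pidfile: starts with ELF magic, this is a binary, not a pidfile"
        return 1
    fi

    # Anything other than digits (plus a trailing newline) is not a PID.
    pid=$(tr -d '\n' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "$pidfile: content is not a decimal PID"; return 1 ;;
    esac

    # /proc/PID/exe is a symlink to the running executable. readlink (without
    # -f) prints the link target even if the PID has since died, so a missing
    # entry means the pidfile is stale rather than malicious.
    exe=$(readlink "$procroot/$pid/exe" 2>/dev/null) || {
        echo "$pidfile: PID $pid is not running (stale pidfile)"
        return 3
    }

    # Compare the basename only: udevd lives in /lib/systemd on some
    # installs and /usr/lib/systemd on others.
    if [ "$(basename "$exe")" != "$expected" ]; then
        echo "$pidfile: PID $pid is $exe, not $expected"
        return 1
    fi

    echo "$pidfile: PID $pid -> $exe (looks benign)"
    return 0
}

# Run against a real system when invoked with arguments, e.g.
#   sh check_pidfile.sh /run/udev.pid systemd-udevd
if [ $# -gt 0 ]; then
    check_pidfile "$1" "${2:-systemd-udevd}"
fi
```

This does not prove the host is clean (a rootkit that hooks readlink or hides processes would pass), but it answers the specific question rkhunter raised about that one file, and it is cheap enough to run from cron alongside rkhunter.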

