Mick wrote:
> I noticed this beauty popping up a day ago:
>
> Rootkit checks...
> Rootkits checked : 498
> Possible rootkits: 1
> Rootkit names : xorddos component
>
> Fair enough, the log reported a suspect file:
>
> ====================================
> Checking for file '/var/run/sftp.pid' [ Not found ]
> Checking for file '/var/run/udev.pid' [ Warning ] <==This one
> Checking for file '/var/run/mount.pid' [ Not found ]
> [snip ...]
>
> Warning: Checking for possible rootkit files and directories [ Warning ]
> Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
>
> ===================================================================
>
> I think it is a false positive, because none of the files mentioned in the
> interwebs[1] are seen lurking in my system, but I thought it wiser to check
> further.
>
> [1]
> http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
>
>
> The rkhunter report of this xorddos component seems to have arrived with:
>
> sys-fs/udev-init-scripts-33
>
> or
>
> sys-apps/dbus-1.12.12-r1
>
>
> Could it be these versions are now launching /run/udev.pid? Is a file
> /run/udev.pid present in your system?
>
> In any case, the file merely contains the PID number of
> /lib/systemd/systemd-udevd, rather than an ELF binary, and /etc/init.d/ does
> not contain anything suspicious. However, with armies generating variants of
> every conceivable malware I don't know if it pays to be a bit paranoid about
> this.
>
Little info here. I don't run systemd here but I also have that file. I
checked with equery b but obviously nothing owns it since it is a pid file
generated when udev or something starts. These are my versions of udev, dbus
and other friends:

root@fireball / # equery list *udev* dbus
 * Searching for *udev* ...
[IP-] [  ] dev-libs/libgudev-232:0/0
[IP-] [  ] sys-fs/eudev-3.2.5:0
[IP-] [  ] sys-fs/udev-init-scripts-33:0
[IP-] [  ] virtual/libgudev-232:0/0
[IP-] [  ] virtual/libudev-232:0/1
[IP-] [  ] virtual/udev-217:0

 * Searching for dbus ...
[IP-] [  ] sys-apps/dbus-1.10.24:0
root@fireball / #

Like you, I sort of suspect a false positive but I don't know nearly enough
to know for sure it is either. Maybe someone else can chime in and give more
ideas. If enough people say they have it, then either someone is doing some
coding on a very low level or it is a false positive. Let's hope for the
latter.

Dale

:-)  :-)
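The triage Mick describes (the flagged file holds a PID, not an ELF binary, and that PID belongs to udevd) can be scripted so the rkhunter hit is checked the same way every time. The script below is an added example, not code from either poster or from rkhunter. It assumes a Linux /proc for the process lookup, and the files it runs on are constructed in a temp directory (one holding the shell's own PID, one with a fake ELF header) rather than the real /var/run/udev.pid; point check_pidfile at the real path to use it for the actual warning.

```shell
#!/bin/sh
# Added example (not from the thread): triage a pid file that rkhunter flagged
# as an "xorddos component". A benign pid file is a few bytes of text holding
# one PID of a live process; a dropped rootkit component would be an ELF
# binary or other non-PID content. Assumes Linux /proc for the owner lookup.

# check_pidfile FILE -> 0 if FILE looks like a plain pid file, 1 otherwise
check_pidfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # ELF magic is 0x7f 'E' 'L' 'F'; a real pid file never starts that way
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo "$f: ELF binary, not a pid file"
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt 16 ]; then
        echo "$f: $size bytes is too large for a pid file"
        return 1
    fi
    pid=$(tr -d '[:space:]' < "$f")
    case $pid in
        ''|*[!0-9]*)
            echo "$f: content is not a PID: '$pid'"
            return 1 ;;
    esac
    echo "$f: holds PID $pid"
    return 0
}

# pid_owner PID -> path of the executable behind PID (via /proc), so you can
# compare it against the expected /lib/systemd/systemd-udevd or /sbin/udevd
pid_owner() {
    if [ -d "/proc/$1" ]; then
        readlink "/proc/$1/exe" 2>/dev/null || cat "/proc/$1/comm"
    else
        echo "no running process with PID $1"
        return 1
    fi
}

# Demo on constructed sample files, not the poster's real /var/run/udev.pid.
demo_dir=$(mktemp -d)
printf '%s\n' "$$" > "$demo_dir/udev.pid"           # benign: this shell's own PID
printf '\177ELF\002\001\001' > "$demo_dir/evil.pid"  # constructed ELF header
for f in "$demo_dir"/*.pid; do
    if check_pidfile "$f"; then
        pid_owner "$(cat "$f")" || true
    fi
done
rm -rf "$demo_dir"
```

On a real system, run check_pidfile /var/run/udev.pid and then pid_owner on the number it prints; if the executable is the udevd you expect and the package manager owns that binary, the warning is explained. A PID that belongs to nothing, or to a binary nothing owns, is the case worth digging into.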

