On Wednesday, 27 February 2019 13:47:31 GMT Peter Humphrey wrote:
> On Wednesday, 27 February 2019 12:27:59 GMT Mick wrote:
> > I noticed this beauty popping up a day ago:
> >
> > Rootkit checks...
> >
> > Rootkits checked : 498
> > Possible rootkits: 1
> > Rootkit names : xorddos component
> >
> > Fair enough the log reported a suspect file:
> >
> > ====================================
> > Checking for file '/var/run/sftp.pid' [ Not found ]
> > Checking for file '/var/run/udev.pid' [ Warning ] <==This one
> > Checking for file '/var/run/mount.pid' [ Not found ]
> > [snip ...]
> >
> > Warning: Checking for possible rootkit files and directories [ Warning ]
> > Found file '/var/run/udev.pid'. Possible rootkit: xorddos component
> > ===================================================================
> >
> > I think it is a false positive, because none of the files mentioned in the
> > interwebs[1] are seen lurking in my system, but I thought it wiser to check
> > further.
> >
> > [1] http://hackermedicine.com/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
> >
> > The rkhunter report of this xorddos component seems to have arrived with:
> > sys-fs/udev-init-scripts-33
> >
> > or
> >
> > sys-apps/dbus-1.12.12-r1
> >
> > Could it be these versions are now launching /run/udev.pid? Is a file
> > /run/udev.pid present in your system?
>
> Yes, I have such a text file, containing just a PID.
Thanks for this. At least I know it is not just me and mine.

> > In any case, the file merely contains the PID number of
> > /lib/systemd/systemd-udevd, rather than an ELF binary and /etc/init.d/
> > does not contain anything suspicious. However, with armies generating
> > variants of every conceivable malware I don't know if it pays to be a bit
> > paranoid about this.
>
> They really are out to get us... :-)

-- 
Regards,
Mick
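The triage the thread performs by hand (is /run/udev.pid a text file holding a PID, and whose PID is it?) as a small script. This is an added example, not code from the thread or from rkhunter; it assumes a Linux host with /proc, and the sample pid files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Triage helper for an rkhunter hit on a pid file such as /run/udev.pid.
# Added example, not part of the original thread.  Assumes Linux (/proc);
# the sample files below are constructed for the demo.

# "yes" if FILE starts with the ELF magic 7f 45 4c 46, else "no".  A real
# pid file is plain text; an ELF payload under that name is the real threat.
is_elf() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = 7f454c46 ] && echo yes || echo no
}

# Classify FILE; optionally check that the PID belongs to EXPECTED_COMM.
# Prints one of: missing | elf-binary | not-a-pid | stale-pid |
#                pid-of:<comm> | unexpected-owner:<comm>
triage_pidfile() {
    f=$1; want=$2
    [ -e "$f" ] || { echo missing; return; }
    [ "$(is_elf "$f")" = yes ] && { echo elf-binary; return; }
    pid=$(tr -d '[:space:]' < "$f")
    case $pid in
        ''|*[!0-9]*) echo not-a-pid; return ;;
    esac
    comm=''
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    elif kill -0 "$pid" 2>/dev/null; then   # fallback without /proc
        comm=$(ps -o comm= -p "$pid" 2>/dev/null)
    fi
    [ -n "$comm" ] || { echo stale-pid; return; }
    if [ -n "$want" ] && [ "$comm" != "$want" ]; then
        echo "unexpected-owner:$comm"
    else
        echo "pid-of:$comm"
    fi
}

# Constructed samples in DIR: this shell's PID, a stale PID, junk text,
# and a fake ELF header saved under a pid-file name.
make_samples() {
    echo $$ > "$1/live.pid"
    echo 999999999 > "$1/stale.pid"
    echo 'not a pid' > "$1/junk.pid"
    printf '\177ELF\002\001\001' > "$1/elf.pid"
}

d=$(mktemp -d); make_samples "$d"
for p in "$d"/*.pid /run/udev.pid; do
    printf '%-30s %s\n' "$p" "$(triage_pidfile "$p" systemd-udevd)"
done; rm -rf "$d"
```

On a host where udev is running, `triage_pidfile /run/udev.pid systemd-udevd` should print `pid-of:systemd-udevd`; anything else (an ELF header, a PID owned by some other process) is the case worth escalating rather than dismissing as a false positive.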

