You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2024-08-20 20:43:44
- VH
- Member
- Registered: 2018-07-31
- Posts: 38
[SOLVED] Possible Malware
My computer spec is this:
`':ddd;:,. ------------
`'dPPd:,. OS: Devuan GNU/Linux 5 (daedalus) x86_64
`:b$$b`. Host: X401A1 1.0
'P$$$d` Kernel: 6.1.0-23-amd64
.$$$$$` Uptime: 4 hours, 17 mins
;$$$$$P Packages: 1718 (dpkg)
.:P$$$$$$` Shell: bash 5.2.15
.,:b$$$$$$$;' Resolution: 1366x768
.,:dP$$$$$$$$b:' DE: Xfce 4.18
.,:;db$$$$$$$$$$Pd'` WM: Xfwm4
,db$$$$$$$$$$$$$$b:'` WM Theme: Clearlooks-Phenix-Sapphire
:$$$$$$$$$$$$b:'` Theme: Clearlooks-Phenix-Sapphire [GTK2]
`$$$$$bd:''` Icons: Deepsea [GTK2]
`'''` Terminal: xfce4-terminal
Terminal Font: Monospace 12
CPU: Intel Pentium B970 (2) @ 2.300GHz
GPU: Intel 2nd Generation Core Processor Fam
Memory: 2108MiB / 3799MiBI scanned my computer with rkhunter and chkrootkit and got following result.
rkhunter
$ sudo rkhunter -c
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/egrep
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/fgrepI couldn't find file or folder named egrep or fgrep in /usr/bin/ folder
:/usr/bin$ ls *grep*
lzegrep lzgrep ptargrep xzegrep xzgrep zstdgrep
lzfgrep pgrep rgrep xzfgrep zipgrepOk, so I suppose it is giving me that message because it could not find either file egrep or fgrep. Where can I find SCRIPTWHITELIST configuration? What can I do about it. Also any idea what may have caused this?
chkrootkit
$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not found
Checking `tar'... not infected
Checking `tcpd'... not found
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... started
Searching for suspicious files in /dev... not found
Searching for known suspicious directories... not found
Searching for known suspicious files... not found
Searching for sniffer's logs... not found
Searching for HiDrootkit rootkit... not found
Searching for t0rn rootkit... not found
Searching for t0rn v8 (or variation)... not found
Searching for Lion rootkit... not found
Searching for RSHA rootkit... not found
Searching for RH-Sharpe rootkit... not found
Searching for Ambient (ark) rootkit... not found
Searching for suspicious files and dirs... WARNING
WARNING: The following suspicious files and directories were found:
/usr/lib/libreoffice/share/.registry
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.gitignore
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscode
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscodeignore
/usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
/lib/elogind/system-sleep/.keep_dir
/lib/elogind/system-shutdown/.keep_dir
Searching for LPD Worm... not found
Searching for Ramen Worm rootkit... not found
Searching for Maniac rootkit... not found
Searching for RK17 rootkit... not found
Searching for Ducoci rootkit... not found
Searching for Adore Worm... not found
Searching for ShitC Worm... not found
Searching for Omega Worm... not found
Searching for Sadmind/IIS Worm... not found
Searching for MonKit... not found
Searching for Showtee rootkit... not found
Searching for OpticKit... not found
Searching for T.R.K... not found
Searching for Mithra rootkit... not found
Searching for OBSD rootkit v1... not tested
Searching for LOC rootkit... not found
Searching for Romanian rootkit... not found
Searching for HKRK rootkit... not found
Searching for Suckit rootkit... not found
Searching for Volc rootkit... not found
Searching for Gold2 rootkit... not found
Searching for TC2 rootkit... not found
Searching for Anonoying rootkit... not found
Searching for ZK rootkit... not found
Searching for ShKit rootkit... not found
Searching for AjaKit rootkit... not found
Searching for zaRwT rootkit... not found
Searching for Madalin rootkit... not found
Searching for Fu rootkit... not found
Searching for Kenga3 rootkit... not found
Searching for ESRK rootkit... not found
Searching for rootedoor... not found
Searching for ENYELKM rootkit... not found
Searching for common ssh-scanners... not found
Searching for Linux/Ebury 1.4 - Operation Windigo... not tested
Searching for Linux/Ebury 1.6... not found
Searching for 64-bit Linux Rootkit... not found
Searching for 64-bit Linux Rootkit modules... not found
Searching for Mumblehard... not found
Searching for Backdoor.Linux.Mokes.a... not found
Searching for Malicious TinyDNS... not found
Searching for Linux.Xor.DDoS... not found
Searching for Linux.Proxy.1.0... not found
Searching for CrossRAT... not found
Searching for Hidden Cobra... not found
Searching for Rocke Miner rootkit... not found
Searching for PWNLNX4 lkm rootkit... not found
Searching for PWNLNX6 lkm rootkit... not found
Searching for Umbreon lrk... not found
Searching for Kinsing.a backdoor rootkit... not found
Searching for RotaJakiro backdoor rootkit... not found
Searching for Syslogk LKM rootkit... not found
Searching for Kovid LKM rootkit... not tested
Searching for suspect PHP files... not found
Searching for zero-size shell history files... not found
Searching for hardlinked shell history files... not found
Checking `aliens'... finished
Checking `asp'... not infected
Checking `bindshell'... not found
Checking `lkm'... started
Searching for Adore LKM... not tested
Searching for sebek LKM (Adore based)... not tested
Searching for knark LKM rootkit... not found
Searching for for hidden processes with chkproc... not found
Searching for for hidden directories using chkdirs... not found
Checking `lkm'... finished
Checking `rexedcs'... not found
Checking `sniffer'... WARNING
WARNING: Output from ifpromisc:
lo: not promisc and no packet sniffer sockets
Checking `w55808'... not found
Checking `wted'... not found
Checking `scalper'... not found
Checking `slapper'... not found
Checking `z2'... not found
Checking `chkutmp'... not found
Checking `OSX_RSPLUG'... not testedCould anyone tell me what these mean? Esp. these three sections (below):
Searching for suspicious files and dirs... WARNING
WARNING: The following suspicious files and directories were found:
/usr/lib/libreoffice/share/.registry
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.gitignore
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscode
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscodeignore
/usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
/lib/elogind/system-sleep/.keep_dir
/lib/elogind/system-shutdown/.keep_dirChecking `sniffer'... WARNING
WARNING: Output from ifpromisc:
lo: not promisc and no packet sniffer socketsChecking `OSX_RSPLUG'... not testedI have no idea how to interpret these three.
I am also getting a message in Thunar "it looks like gvfs is not available". Does this has any relation with these?
Any help would be appreciated.
Thanks.
Last edited by VH (2024-08-20 21:15:47)
Offline
#2 2024-08-21 00:00:56
- ralph.ronnquist
- Administrator
- From: Battery Point, Tasmania, AUS
- Registered: 2016-11-30
- Posts: 1,247
Re: [SOLVED] Possible Malware
The programs egrep and fgrep belong to the grep package.
Possibly you have them as /bin/grep and /bin/egrep where they have been residing since yonks. Now everything is supposed to reside in /usr/bin due to a reconfiguration of the root filesystem where all pathnames /bin, /sbin and /lib* are replaced with links to same-named directories under usr.
You may have heard about it as "usrmerge".
Most likely you have updated checking tools that expects/requires those silly-links.
Offline
#3 2024-08-21 06:50:08
- steve_v
- Member
- Registered: 2018-01-11
- Posts: 374
Re: [SOLVED] Possible Malware
chkrootkit
False positives, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz (and the other documentation).
Where can I find SCRIPTWHITELIST configuration?
In /etc/rkhunter.conf, of course.
I have no idea how to interpret these three.
The first is a list of files you should check out and whitelist if they're benign.
The second is chkrootkit being dumb, and is explained in the documentation.
The third is irrelevant, because you are not running OSX.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Offline
#4 2024-08-21 08:49:07
- VH
- Member
- Registered: 2018-07-31
- Posts: 38
Re: [SOLVED] Possible Malware
Thank you for the explanations.
Offline
#5 2024-08-21 09:33:58
- Ron
- Member
- Registered: 2018-04-22
- Posts: 517
Re: [SOLVED] Possible Malware
I would suggest reading the link below. Although it is written from a Mint/Ubuntu point of view, over 95% of it is applicable to any distro.
Offline
#6 2024-08-22 16:26:11
- chris2be8
- Member
- Registered: 2018-08-11
- Posts: 306
Re: [SOLVED] Possible Malware
Next time try which fgrep or whereis fgrep to find where they are on your system.
Offline
Pages: 1
