Are they false ? - Printable Version
Linux Lite Forums (https://www.linuxliteos.com/forums)
Forum: General (https://www.linuxliteos.com/forums/forumdisplay.php?fid=4)
Forum: Security & Bug Fixes (https://www.linuxliteos.com/forums/forumdisplay.php?fid=16)
Thread: Are they false ? (/showthread.php?tid=4633)
Re: Are they false ? - bitsnpcs - 11-11-2017

@trinidad: no notifications from the ISP. It has had the ethernet cable removed; it is not plugged in, and I am not allowed to plug it in. I am using a Windows computer.

Re: Are they false ? - trinidad - 11-11-2017

@bitsnpcs: What I see are false positives, but to be sure, read the documentation and try to locate the files of the infection itself. If they are not there, you do not have the ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so, refer him/her to the information I have just given you.

TC

Re: Are they false ? - trinidad - 11-11-2017

@newtusmaximus: /etc/.java is created by OpenJDK. Not to worry, and not normally editable. Rkhunter doesn't like it because of the obviated file path /etc/.java/.systemPrefs/.systemRootModFile

TC

Re: Are they false ? - Vera - 11-11-2017

> (11-11-2017, 03:19 PM) bitsnpcs wrote: @newtusmaximus

OK, I installed both. My results from rkhunter are exactly the same as @newtusmaximus's. I tried to run chkrootkit, but it says:

can't find `awk'

To check if I have it on my system, when I type "man awk", it directs me to the man pages for gawk. I then installed traditional awk via Synaptic, but when I ran chkrootkit I still got the same message. This is true whether I run chkrootkit as user or as sudo. So, I had to give up on chkrootkit, but wanted to let you know my results from rkhunter as requested.

Re: Are they false ? - trinidad - 11-11-2017

@Vera: Didn't need to do all that. Download and install from Synaptic. Run sudo su. Then enter your sudo password and run chkrootkit from root.

TC

Re: Are they false ? - bitsnpcs - 11-11-2017

> (11-11-2017, 08:00 PM) trinidad wrote: @bitsnpcs: What I see are false positives, but to be sure, read the documentation and try to locate the files of the infection itself. If they are not there, you do not have the ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so, refer him/her to the information I have just given you.

@trinidad: what is the documentation you write of, the links? A network admin has not disallowed me from using it. My eldest brother and his wife disallowed me from using it / told me not to plug the ethernet cable into the LL machine.

@Vera: Thank you for running the test.

Re: Are they false ? - rokytnji - 11-12-2017

No need for a rootkit hunter install for me.

Code:
harry@biker:~

I already covered "users". Wanna look for zombies? Run

Code:
top

Even if you see 1 or 2 zombies in the readout <it probably means nada>. I see zero on mine.

Re: Are they false ? - ian_r_h - 11-12-2017

I assumed the lwp, java and pulse-shm reports from rkhunter are false positives (I don't use chkrootkit), given that these have occurred immediately after fresh installs of LL followed by rkhunter (and --update), and before Menu/Favourites/Install Updates, on 3 different boxes every time; unless my copy of the LL 3.6 64-bit .iso downloaded from linuxlite.com and rkhunter downloaded via apt-get from the default repo (and different mirrors) were infected to begin with. These persist even after sudo rkhunter --propupd. Googling found no evidence that these were anything to worry about. I can't speak as to the rest.

Re: Are they false ? - trinidad - 11-12-2017

Okay friends. I'm not going to assure someone that their computer is untouched by an incidence of ebury without being in the room with access to the particular box. I realize many here are deeply concerned with security, but this thread seems to be headed, as usual, toward paranoia mode.

To sum up again: rkhunter often returns false positives for shm files because it is aware of the newer version of ebury, and also reports obviated file paths; chkrootkit has had a bug in Debian that falsely detects ebury for some time now and is actually somewhat deprecated. I consider Linux itself to be a positive learning experience for anyone who wants to learn about it. The welivesecurity links are full of information which can direct you to the ebury files on your computer if you choose to look for them, which is the best way to be sure if the ebury infection is or is not present on your box. The hacker who invented it is in prison in the US; however, newer versions now exist in the wild. It is unlikely that ebury is going away, as it is still evolving, but as with all things of this type, security people are also continuing to check its progress. The community nature of Linux itself makes successful zero-day exploits very difficult to pull off. I cannot say that it is unlikely that an LL user could have contracted ebury, as LL is used in many different ways by many different users, and the likelihood of contracting ebury depends on user praxis. I can say that it is unlikely now that a US user with a broadband ISP (like Spectrum) could contract it unawares, as their ISP would notify them, especially if they are looping ssh or samba through their connection.

TC

Re: Are they false ? - newtusmaximus - 11-12-2017

Thanks Trinidad. Learned a lot from this exercise, so time not wasted.
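As an added example, not code posted by anyone in this thread, here is a POSIX shell script that does the triage trinidad and ian_r_h describe: it reads rkhunter warning lines, pulls out each flagged path, separates the two benign cases the thread names (the OpenJDK preferences tree under /etc/.java and PulseAudio's /dev/shm/pulse-shm-* segments) from everything else, and prints the rkhunter.conf whitelist directives (ALLOWHIDDENDIR, ALLOWHIDDENFILE, ALLOWDEVFILE, which are existing rkhunter options) for the benign ones. The warning-line format it parses is an assumption about rkhunter's log layout, the sample lines are constructed rather than copied from a real machine, and the lwp report ian_r_h mentions is deliberately not classified because the thread never gives its path.

```shell
#!/bin/sh
# Added example for the rkhunter false-positive discussion; not code from the
# Linux Lite thread. Reads rkhunter warning lines on stdin. Assumed formats:
#   "Warning: Hidden directory found: <path>"
#   "Warning: Hidden file found: <path>[: <file type>]"
#   "Warning: Suspicious file types found in /dev:" followed by indented
#   "<path>: <file type>" lines.
# Each flagged path is either matched to a benign case named in the thread
# or marked for manual review. Nothing is whitelisted automatically.

# classify KIND PATH  (KIND is dir, file or dev)
# Prints "benign <rkhunter.conf directive>" or "review <path>".
classify() {
  kind=$1; path=$2
  case "$kind:$path" in
    dir:/etc/.java|dir:/etc/.java/*)
      # OpenJDK's system preferences tree (trinidad's post above)
      echo "benign ALLOWHIDDENDIR=$path" ;;
    file:/etc/.java/*)
      echo "benign ALLOWHIDDENFILE=$path" ;;
    dev:/dev/shm/pulse-shm-*|file:/dev/shm/pulse-shm-*)
      # PulseAudio shared-memory segments; the numeric suffix changes between
      # sessions, so the directive uses the pattern, not one instance
      echo "benign ALLOWDEVFILE=/dev/shm/pulse-shm-*" ;;
    *)
      echo "review $path" ;;
  esac
}

# triage < log : one classify() line per flagged path
triage() {
  in_dev=0
  while IFS= read -r line; do
    case "$line" in
      "Warning: Hidden directory found: "*)
        in_dev=0
        p=${line#"Warning: Hidden directory found: "}
        classify dir "${p%%:*}" ;;
      "Warning: Hidden file found: "*)
        in_dev=0
        p=${line#"Warning: Hidden file found: "}
        classify file "${p%%:*}" ;;
      "Warning: Suspicious file types found in /dev:"*)
        in_dev=1 ;;
      [[:space:]]*/*)
        # indented "<path>: <type>" continuation under the /dev warning
        if [ "$in_dev" -eq 1 ]; then
          p=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/:.*$//')
          classify dev "$p"
        fi ;;
      *)
        in_dev=0 ;;
    esac
  done
}

# report < log : deduplicated whitelist lines, then the paths to inspect
report() {
  out=$(triage)
  echo "# candidate rkhunter.conf lines (add only after checking each path):"
  printf '%s\n' "$out" | grep '^benign ' | cut -d' ' -f2- | sort -u
  echo "# inspect by hand:"
  printf '%s\n' "$out" | grep '^review ' | cut -d' ' -f2-
}

# Constructed sample resembling rkhunter output; not from a real scan.
SAMPLE_LOG='Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /etc/.java/.systemPrefs
Warning: Hidden file found: /etc/.java/.systemPrefs/.systemRootModFile: empty
Warning: Suspicious file types found in /dev:
         /dev/shm/pulse-shm-3203481622: data
         /dev/shm/pulse-shm-1180447455: data
Warning: Hidden file found: /tmp/.not-in-any-package: ASCII text'

printf '%s\n' "$SAMPLE_LOG" | report
```

On a real machine feed it the log instead of the sample (`sudo sh triage.sh < /var/log/rkhunter.log`, the default log location on Debian-based systems). For anything under "inspect by hand", do what trinidad suggests and look at the file itself: `file <path>` shows what it contains and `dpkg -S <path>` whether an installed package shipped it, keeping in mind that a path dpkg does not know can still be legitimate when a program creates it at run time, as trinidad says OpenJDK does with /etc/.java. After adding directives to /etc/rkhunter.conf, `sudo rkhunter -C` checks the configuration for errors and `sudo rkhunter --propupd` refreshes the file-properties database so later runs compare against the state you have just verified.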