Bug 1234436
Summary: | Bogus Windigo reports
---|---
Product: | [Fedora] Fedora
Component: | chkrootkit
Version: | 22
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | DaveG <daveg>
Assignee: | Gwyn Ciesla <gwync>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | a.galley, gwync, heldwin, wolfy
Fixed In Version: | chkrootkit-0.50-8.fc22 chkrootkit-0.50-8.fc23 chkrootkit-0.50-8.fc24
Doc Type: | Bug Fix
Type: | Bug
Last Closed: | 2016-06-30 14:52:41 UTC
Description
DaveG
2015-06-22 14:17:58 UTC
After a little investigation.... The Linux/Ebury root-kit infects ssh and can be identified by the way it handles illegal or unknown command-line options, not printing an information line before usage: ...

Accepted wisdom is to invoke ssh with an illegal option and check that the expected extra line is there (clean) or missing (infected). chkrootkit uses $(ssh -G) as its illegal invocation but OpenSSH added the '-G' option to print configuration back in 2014.

Long story short - chkrootkit needs to pick a different illegal option. Currently unused options include djruzBHJUZ. Changing the script (2 places) appears to work (I used -H, $(rpm -Vv openssh-clients) to check). ... Searching for Linux/Ebury - Operation Windigo ssh... nothing found ...

chkrootkit-0.50-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a5f68c1854

chkrootkit-0.50-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-afc728e85d

chkrootkit-0.50-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-37fa8f9d3a

*** Bug 1279170 has been marked as a duplicate of this bug. ***

chkrootkit-0.50-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

chkrootkit-0.50-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

chkrootkit-0.50-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
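
An added example, not chkrootkit's code and not part of the original report: a shell classifier for the illegal-option heuristic described in the description, which reports "inconclusive" instead of "infected" when the usage synopsis itself lists the probe letter as a valid option (the `-G` case in this bug). The function names, the constructed sample outputs and the assumed "illegal option"/"unknown option" wording of the information line are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the stderr of `ssh -<letter>` for the Ebury heuristic.
# Prints one of: clean | suspect | inconclusive

# Constructed sample output: a clean ssh rejecting an option it does not know.
CLEAN_H='ssh: illegal option -- H
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] destination [command]'

# Constructed sample output: usage only, with no information line before it.
USAGE_ONLY='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] destination [command]'

# True if the usage synopsis lists the letter as a valid option, either in
# the bundled group "[-46AaCf...]" or as an option with an argument "[-B arg]".
usage_lists_option() {
    letter=$1 text=$2
    printf '%s\n' "$text" |
        grep -Eq -- "\[-[[:alnum:]]*${letter}[[:alnum:]]*\]|\[-${letter} "
}

classify_probe() {
    letter=$1 text=$2
    if printf '%s\n' "$text" | grep -Eq "(illegal|unknown) option -- ${letter}"; then
        echo clean          # the expected information line is present
    elif usage_lists_option "$letter" "$text"; then
        echo inconclusive   # the letter is a real option now: the probe is invalid
    elif printf '%s\n' "$text" | grep -q '^usage:'; then
        echo suspect        # usage printed, information line missing
    else
        echo inconclusive   # no usage at all (ssh missing, unexpected output)
    fi
}

# Hypothetical helper: run the local ssh with the probe letter and classify it.
probe_ssh() {
    out=$(ssh "-$1" 2>&1 </dev/null) || true
    classify_probe "$1" "$out"
}
```

A "suspect" result is a reason to verify the binary against the package database (the report used `rpm -Vv openssh-clients`), not a verdict on its own.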