Article 515B9 chkrootkit-0.53 "INFECTED: Possible Malicious Linux.Xor.DDoS installed" - false positive?

by Rava, from LinuxQuestions.org (#515B9)
I ran the most recent chkrootkit (chkrootkit-0.53-x86_64) and it reported a possible Linux.Xor.DDoS infection:

Code:
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed

This was due to a jpg in the /tmp folder. The jpg I took with my own camera, and I edited it to crop it and make it smaller for sending via email.
I moved it into another folder, in which I also created a tmp/ folder (resulting in the path /tmp/mc-guest/chkrootkit/tmp/DSCF2268.JPG) and ran chkrootkit with these parameters to catch the result in a "log file":

Code:
./chkrootkit -d -r /tmp/mc-guest/chkrootkit/ >/tmp/mc-root/chkrootkit-dr_tmp_mc-guest_chkrootkit 2>&1

This is what gets reported as "Possible Malicious Linux.Xor.DDoS installed":

Code:
+ '[' /tmp/mc-guest/chkrootkit/tmp/DSCF2268.JPG = '' ']'
+ echo 'INFECTED: Possible Malicious Linux.Xor.DDoS installed'
INFECTED: Possible Malicious Linux.Xor.DDoS installed
+ echo /tmp/mc-guest/chkrootkit/tmp/DSCF2268.JPG
/tmp/mc-guest/chkrootkit/tmp/DSCF2268.JPG

I presume this is a false positive?

What exactly is chkrootkit doing with the

Code:
'[' /tmp/mc-guest/chkrootkit/tmp/DSCF2268.JPG = '' ']'

test?

file DSCF2268.JPG reports this:

Code:
DSCF2268.JPG: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1000x416, components 3

and I can edit or view the jpeg with mtpaint or viewnior just fine.
Source: LinuxQuestions.org RSS feed, https://feeds.feedburner.com/linuxquestions/latest (https://www.linuxquestions.org/questions/)