Linux.Xor.DDoS INFECTED: Possible Malicious Linux.Xor.DDoS installed

Discussion in 'Server Operation' started by CyberMaster, Jul 2, 2022.

  1. CyberMaster

    CyberMaster New Member

    I installed ISPConfig 3.2.8p1 4 days ago.
    rkhunter reports:
    /usr/sbin/tcpd
    /usr/sbin/tcpd
    /usr/bin/lynx
    /usr/bin/mail
    /usr/bin/bsd-mailx
    /usr/bin/lwp-request
    Checking for suspicious (large) shared memory segments
    Checking for passwd file changes
    Checking for group file changes
    all of the above with [ Warnings ], as well as the following rkhunter warnings:

    File properties checks...
    Files checked: 147
    Suspect files: 6

    Rootkit checks...
    Rootkits checked : 499
    Possible rootkits: 1
    ---------------------------------------



    I installed chkrootkit.
    chkrootkit is reporting:
    Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed

    and
    Checking `lkm'... OooPS, not expected 209739 value

    Are these Listed as bogus hits somewhere, or genuine Infected software?

    Thanks for any input.

    Cybermin
     
  2. CyberMaster

    CyberMaster New Member

    Hmmm, researching elsewhere might point to the Xor.DDoS hit being a false hit on the file /tmp/Maildir/subscriptions. I know that on my other servers (non-ISPConfig), I have for many years received a false hit on port 465, so perhaps this is a false hit with malicious-looking strings within the /tmp/Maildir/subscriptions file. Never had a chkrootkit hit before.

    Anyone else getting these?

    Investigating more...
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Those tools warn me about a possible infection, but do not tell exactly why the tool thinks an infection is present. So it is hard to be sure what is going on. Try to figure out which files are detected as possibly infected, and then examine those files.
     
  4. CyberMaster

    CyberMaster New Member

    AaaaHAH! The /tmp/Maildir/subscriptions hit is a FALSE! I luckily only have a few clients on that server so far. Rebooted, it's gone, and even if it would have been many clients added over, with an infection scare, I probably still would have rebooted on them while investigating.

    Anyway, I still need to research the rkhunter hits above...
     
    Last edited: Jul 2, 2022
  5. CyberMaster

    CyberMaster New Member

    Was my exact thinking too. Thanks for the input, Taleman. :)
     
  6. CyberMaster

    CyberMaster New Member

    I know rkhunter is notoriously famous for false hits, so I have done a database update:
    rkhunter --propupd
    and will know, if I see any hits in the future, to pay closer attention.
     
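The safer order is to confirm that the flagged binaries match what the package manager installed before accepting them with `rkhunter --propupd`, since a package upgrade changes file hashes legitimately while an unexplained change does not. The script below is an added example, not from this thread or from rkhunter; it assumes a Debian/Ubuntu host with dpkg, and the log excerpt is constructed to mimic the "File:" lines rkhunter writes for property warnings.

```shell
#!/bin/sh
# Added example: triage rkhunter "file properties have changed" warnings
# against dpkg before running `rkhunter --propupd`.
# Assumes Debian/Ubuntu (dpkg). The log text below is constructed, using
# the paths the thread lists.

# Constructed excerpt in the style of /var/log/rkhunter.log (not real output).
sample_log() {
    cat <<'EOF'
[10:01:02] Warning: The file properties have changed:
[10:01:02]          File: /usr/sbin/tcpd
[10:01:02] Warning: The file properties have changed:
[10:01:02]          File: /usr/sbin/tcpd
[10:01:03]          File: /usr/bin/lynx
[10:01:03]          File: /usr/bin/mail
[10:01:03]          File: /usr/bin/bsd-mailx
[10:01:03]          File: /usr/bin/lwp-request
EOF
}

# Extract the unique flagged paths from rkhunter log text on stdin.
flagged_files() {
    sed -n 's/^.*File: \(\/[^ ]*\).*$/\1/p' | sort -u
}

# Classify one path: pkg-ok (dpkg md5sum matches), pkg-modified (mismatch),
# unowned (no package ships it, e.g. an alternatives symlink), no-dpkg.
classify_file() {
    f="$1"
    command -v dpkg >/dev/null 2>&1 || { echo "no-dpkg"; return; }
    pkg=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1)
    [ -n "$pkg" ] || { echo "unowned"; return; }
    # dpkg -V prints one line per file whose checksum differs from the package
    if dpkg -V "$pkg" 2>/dev/null | grep -q " $f\$"; then
        echo "pkg-modified"
    else
        echo "pkg-ok"
    fi
}

# Print "<verdict>\t<path>" for every flagged path read from stdin.
report() {
    flagged_files | while read -r f; do
        printf '%s\t%s\n' "$(classify_file "$f")" "$f"
    done
}

if [ "${RKTRIAGE_RUN:-0}" = 1 ]; then
    sample_log | report
fi
```

Run it as `RKTRIAGE_RUN=1 sh rktriage.sh`, or feed the real log with `report < /var/log/rkhunter.log`; only paths reported as `pkg-ok` are candidates for `--propupd`, the others need a closer look.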
