Linux.Xor.DDoS INFECTED: Possible Malicious Linux.Xor.DDoS installed

Discussion in 'Server Operation' started by CyberMaster, Jul 2, 2022.

  1. CyberMaster

    CyberMaster New Member

    I installed ISSPConfig 3.2.8p1 4 days ago.
    rkhunter reports
    Checking for suspicious (large) shared memory segments
    Checking for passwd file changes
    Checking for group file changes
    all above with [ Warnings ] as well as the next following rkhunter warnings

    File properties checks...
    Files checked: 147
    Suspect files: 6

    Rootkit checks...
    Rootkits checked : 499
    Possible rootkits: 1

    I installed chkrootkit.
    chkrootkit is reporting:
    Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed

    Checking `lkm'... OooPS, not expected 209739 value

    Are these Listed as bogus hits somewhere, or genuine Infected software?

    Thanks for any input.

  2. CyberMaster

    CyberMaster New Member

    Hmmm, researching elsewhere might point that the Xor.DDS Might be a false hit on file /tmp/Maildir/subscriptions. I know that on my other servers(non ISPC's), I have for Many years received a false hit on Port 465 and so Perhaps this is a false with malicious looking strings within the /tmp/Maildir/subscriptions file.. Never had a chkrootkit hit before.

    Anyone else getting these?

    Investigating more,,,,
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Those tools warn me about possible infection, but do not tell exactly why the tool thinks infection is present. So it is hard to make sure what is going on. Try to figure out what files are detected as possibly infected, and the examime those files.
    CyberMaster likes this.
  4. CyberMaster

    CyberMaster New Member

    AaaaHAH! The /tmp/Maildir/subscriptions is a FALSE! I Luckily only have a few clients on that server soo far, Rebooted, it's gone, and even it woulda been many clients added over, with a Infection Scare, I probably Still would have rebooted on them investigating..

    Anyway, I still need to research the rkhunter hits above...
    Last edited: Jul 2, 2022
  5. CyberMaster

    CyberMaster New Member

    Was my exact thinking to.. Thanks for inputting Taleman.. :)
  6. CyberMaster

    CyberMaster New Member

    I know rkhunter is notoriously famous for false hits and so I have done a database update
    rkhunter --propupd
    and will know if I see any hits in the future, to pay more close attention.

Share This Page