Bug 594106 - app-forensics/chkrootkit-0.50: false positive for ssh Linux/Ebury Windigo
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Reported: 2016-09-17 13:28 UTC by BobbyK
Modified: 2017-09-30 00:07 UTC

Description BobbyK 2016-09-17 13:28:17 UTC
chkrootkit 0.50 reports:

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

which is a false positive report resulting from a misinterpretation of the output of "ssh -G".  Fedora has a fix (see http://pkgs.fedoraproject.org/cgit/rpms/chkrootkit.git/commit/?h=f23&id=82dd537b2fd88850eb4327a80b2c9acb7dbcf2ab - changing the test from "ssh -G" to "ssh -H").  After applying the fix, chkrootkit reports:

Searching for Linux/Ebury - Operation Windigo ssh... nothing found

Thanks.
Comment 1 Pacho Ramos gentoo-dev 2017-08-30 18:28:26 UTC
Please retry with version 0.51.
Comment 2 BobbyK 2017-09-30 00:07:31 UTC
Looks good to me, thanks.