chkrootkit (false) positive
Dan Lukes
dan at obluda.cz
Wed Mar 23 20:00:00 CET 2016
Peter Rosa wrote on 23.3.2016 18:48:
>> What does this print for you
>>
>>> ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
> System infected
OK. So you ran exactly the command that chkrootkit itself runs when it
tries to detect the infection.
As you can see, the test assumes that ssh does not recognize the -G option
and says so with a message containing the word 'illegal' or 'unknown'.
Your ssh -G does not use such a word, so chkrootkit considers it
infected.
>> ssh -G
> usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
> [-D [bind_address:]port] [-E log_file] [-e escape_char]
> [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
> [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
> [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
> [-w local_tun[:remote_tun]] [user@]hostname [command]
And that is the answer: this version of ssh knows the -G option, so it does
not treat it as an invalid/unknown option, ergo it does not print the expected text.
The test, in the form in which chkrootkit performs it, cannot be used with
this version of ssh. chkrootkit's warning about an infection is unfounded.
I probably don't need to explain that proof of an incorrect test and of an
unfounded warning must not be confused with proof that the system is not infected with something.
Dan
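The mechanism Dan describes, reconstructed as an added shell example (this is not chkrootkit's own code and not code from the thread): the quoted check treats any `ssh -G` output that lacks 'illegal' or 'unknown' as a sign of infection, so an OpenSSH that legitimately accepts -G is always reported as infected. The refined function below adds the sanity check a defender would want: if the usage line advertises G among the option letters, the test is simply not applicable to that ssh version, and only an ssh that swallows -G with neither an error nor a usage line is worth a closer look. The sample outputs are constructed for the example, not captured from a real system; `check_live_ssh` is the only part that touches the real binary.

```shell
#!/bin/sh
# Added example: reproduces the quoted 'ssh -G' check on captured output and
# adds the missing "does this ssh even reject -G?" sanity check.

# Constructed sample outputs (not real captures).
# An older ssh that does not know -G:
OLD_SSH_OUTPUT='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]'

# A newer ssh that documents -G in its usage line (as in the thread):
NEW_SSH_OUTPUT='usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-w local_tun[:remote_tun]] [user@]hostname [command]'

# An ssh that prints nothing at all for -G: neither an error nor usage.
SILENT_OUTPUT=''

# The check exactly as quoted in the thread, applied to captured output:
# "clean" only if ssh complains about -G, "infected" otherwise.
chkrootkit_style_test() {
    if printf '%s\n' "$1" | grep -e illegal -e unknown >/dev/null; then
        echo "System clean"
    else
        echo "System infected"
    fi
}

# Refined check: distinguishes "ssh rejects -G" from "ssh documents -G"
# (test not applicable) from "ssh silently accepts -G" (worth inspecting).
refined_test() {
    _out=$1
    if printf '%s\n' "$_out" | grep -q -e illegal -e unknown; then
        echo "clean: ssh rejects -G"
    elif printf '%s\n' "$_out" | grep -q 'usage: ssh \[[^]]*G[^]]*]'; then
        echo "inconclusive: this ssh documents -G, test not applicable"
    else
        echo "suspect: -G accepted without usage or error, inspect ssh binary"
    fi
}

# Run the refined check against the ssh on PATH (not used by the offline tests).
check_live_ssh() {
    refined_test "$(ssh -G 2>&1)"
}
```

The "inconclusive" result is the honest one for the ssh shown in the thread: as Dan points out, a test that cannot fire on this version proves nothing either way, so an administrator who wants assurance about the ssh binary should verify it against the package manager's checksums or a known-good copy rather than rely on this heuristic.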