RootkitHunter.log

linuxdudex10

I just installed RootkitHunter.log and decided to use it, I have noticed it alerted me of a few warnings. Can you guys look at it and tell me if I should be worried yet? thanks

Goineasy9

If you Google "Xzibit rootkit", you'll find pages explaining that is a false positive. Your system is ok.

linuxdudex10

Thank you, yea Linux is pretty good against malware. I clicked on this Link one guy gave me and it sent me to one of those shock sites that was supposed to make me think I was infected and all. I knew it was running out of the browser and I did yell at myself for not using a VM to use the link. But anyway when I loaded my windows VM and went to the link, MSE found an infection immediately. Linux did not ( Because it doesn't use software that monitors).

Do you think it's possible Linux could still get infected? I forgot the name of the threat but I will open my VM and post the name ASAP because I have to goto bed right now. I'm sure it was just an IE exploit, and exploit was indeed part of the threat name. I used "killall firefox" in a virtual terminal to remedy the situation but im afraid there might still be something on the machine for a few reasons:

1. I was running firefox as root because I was to lazy to open a terminal with lower privilege.
2. I found parts of a pdf that were no doubt left by the shock site, particularly these files were found in the /tmp
directory.

This has nothing to do with what I stated in my earlier post and rootkit hunter, I just wanted to save you guys room on your site and not add unnecessary threads.

Goineasy9

I recently Googled "Bloom Energy" when their box was announced, then clicked on the Google trends link, that resulted in the same type of attack you just wrote about. I has to kill the PID of Firefox twice and reboot before Firefox allowed me to start a new session. Luckily I was using Linux and not Windows because the attack tried to install a exe file, which would have infected a Windows machine. Using Noscript would have prevented the obvious JavaScript based attack, but, LOL, I like to live dangerously. Besides, I really thought Google had a better protection filter running on their results.

So we both had a learning experience.

I checked my /home and /tmp folders and looked to see if any new files were left after the attack, I even checked the hidden files but found nothing. These attacks try to install exe files which can't be run on Linux systems, I've never seen a pdf based exploit, but I'm sure they are out there, but then again, they can't install to a Linux system so I wouldn't worry about it.

NEVER run your system with root privileges, unless your doing administration work. Log out of your session and drop to an init level that exits gdm, kdm etc (init 3 in Debian and Fedora), and never open up your DE (Gnome, KDE, etc) with root as the user. The only way malicious code can infect your computer is if you give it the privileges to do so.

BTW - the site has plenty of room, new threads are welcome. :-)

mfillpot

I agree the virus safety in Linux is because of the structure and the understanding that a user will not just do everyday tasks as the administrator. Some viruses exists for Linux based systems that can modify configuration files and download and launch executables like in windows, but the clean separation between admin and users is what protects us.
Ideally in any OS, If you download a virus as a normal user it should not be able to take over the system because the user it is running under has insufficient rights. As I stated this is deal, but zero day vulnerabilities exist in all systems that can lead to privilege escalation.

You are currently running on a system that has less enemies but is not completely invulnerable, please only user the root account for quick modifications and installation and removal of packages, this is why so many distros lock the root account and force the users to use sudo.

woboyle

Most malware that targets Linux/Unix systems per se are those looking for hosting spam or botnet servers they can pwn, or are digging for corporate IP. These usually try to get in thru unprotected TCP/IP ports that may be exposed to the internet either because your firewall is misconfigured, or because you have allowed access to those ports without properly protecting them. In any case, any server-type system that I would expose to the internet would be running SELinux and have no remote root access if at all possible. Then I would make sure that any servers that are looking for connections are configured to properly patched and secured.