Working with chkrootkit results in Fedora 35

I have run a scan of chkrootkit. It has thrown up the following:

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury 1.4 - Operation Windigo installed
not tested

How should I proceed? I would appreciate your assistance. Thank you!

Not tested. Why?

Let’s see what chkrootkit is performing.

Open this file /usr/lib64/chkrootkit-0.55/chkrootkit and look at the code (the power of open source).

At line 1188

The command ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" returns nothing[1], so this if statement exits.

Then we have
if [ ! -f "${ROOTDIR}${LIBKEY}" ]; then ... echo "not tested"; fi

What is the value of ${ROOTDIR}${LIBKEY}?

While the LIBKEY value is defined at line 1189, just after the start of that test,
LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1"
the default value of the ROOTDIR variable is defined at line 2773
ROOTDIR='/'

So: if the file /lib/x86_64-linux-gnu/libkeyutils.so.1 doesn’t exist (that is the meaning of if [ ! -f), echo (print) “not tested”.


  1. Indeed, Fedora Linux 35 is shipped with OpenSSH version 8

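Added example, not part of the thread and not chkrootkit's own code: a small shell script that replays the two conditions walked through above (the `ssh -V` regex and the `-f` test on `${ROOTDIR}${LIBKEY}`) and then lists where `libkeyutils.so.1` actually sits on the system. The function names, the candidate library directories and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: replays the two conditions from the post. Function names are
# hypothetical; this is not chkrootkit's code.

# Regex and relative library path exactly as quoted in the post.
OLD_SSH_RE='OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]'
LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1"

# $1 = text printed by `ssh -V 2>&1`. Succeeds only if the regex matches.
is_old_openssh() {
    printf '%s\n' "$1" | grep -E "$OLD_SSH_RE" >/dev/null
}

# $1 = ROOTDIR with trailing slash (the post gives '/' as the default).
# Prints "not tested" when ROOTDIR+LIBKEY is not a regular file.
libkey_status() {
    if [ ! -f "${1}${LIBKEY}" ]; then
        echo "not tested"
    else
        echo "present"
    fi
}

# List where libkeyutils.so.1 actually lives under $1. The candidate
# directories are an assumption about common library layouts.
find_libkeyutils() {
    for d in lib lib64 usr/lib usr/lib64; do
        if [ -d "${1}${d}/" ]; then
            find "${1}${d}/" -name 'libkeyutils.so.1*' 2>/dev/null
        fi
    done
}

# Run against the live system only when asked, by passing --run.
if [ "${1:-}" = "--run" ]; then
    banner=$(ssh -V 2>&1) || banner="ssh not available"
    if is_old_openssh "$banner"; then
        echo "version regex: match ($banner)"
    else
        echo "version regex: no match ($banner)"
    fi
    echo "/${LIBKEY}: $(libkey_status /)"
    find_libkeyutils /
fi
```

If the last step lists the library under a different directory than the hardcoded one, "not tested" reflects the path assumption in the check, not a finding about the library itself.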