I have run a scan of chkrootkit. It has thrown up the following:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury 1.4 - Operation Windigo installed
not tested
How should I proceed? I would appreciate your assistance. Thank you!
Not tested. Why?
Let’s see what chkrootkit is performing.
Open this file /usr/lib64/chkrootkit-0.55/chkrootkit and look at the code (the power of open source).
At line 1188
The command ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" returns nothing[1] so this if statement exit.
Then we have
if [ ! -f "${ROOTDIR}${LIBKEY}" ]; then ... echo "not tested"; fi
What is the value of ${ROOTDIR}${LIBKEY}?
While LIBKEY value is defined at line 1189 just after such test start
LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1"
the default value of the ROOTDIR variable is defined at line 2773
ROOTDIR='/'
So: if the file/lib/x86_64-linux-gnu/libkeyutils.so.1 doesn’t exist (that is the meaning ofif [ ! -f), echo (print) “not tested”.
indeed Fedora Linux 35 is shipped with OpenSSH version 8 ↩︎