This repository has been archived by the owner on Jul 11, 2024. It is now read-only.

Windigo - Ebury False Positive #1

Closed
giannisalinetti opened this issue Sep 24, 2015 · 10 comments
@giannisalinetti

Version 0.50a needs a fix for the Windigo - Ebury rootkit check on the latest versions of OpenSSH. Since version openssh-6.9p1 a -G option was introduced (it is also documented in the ssh man page).

The following code section should take into consideration the installed version of OpenSSH on the machine.

if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
    echo "Possible Linux/Ebury - Operation Windigo installetd"
fi

A good idea could be to check the version of OpenSSH using the ssh -V command and store the version in a variable for further processing:

# e.g. 7.4p1; the pattern allows multi-digit fields and avoids the bash-only <( ) process substitution, which chkrootkit's /bin/sh does not have
OPENSSH_VER=$(ssh -V 2>&1 | grep -o 'OpenSSH_[0-9]*\.[0-9]*p[0-9]*' | sed 's/OpenSSH_//')

Then, using a simple awk parsing we can check the version of ssh:

OPENSSH_TEST=$(echo "$OPENSSH_VER" | awk 'BEGIN {FS = "p"} ; $1 >= 6.9 && $2 >= 1')

The OPENSSH_TEST var can be tested with a small if construct:

if [ -n "$OPENSSH_TEST" ]; then   # quotes are required: with an empty unquoted value, "[ -n ]" is always true
    echo "Not a Windigo - Ebury infection... Some other stuff..."
fi

@h3ct0rjs

Hi
A week ago I was investigating for rootkits in my servers and, due to a false positive reported by chkrootkit version 0.50 under different GNU/Linux OSes (CentOS), I'm here.

I can confirm this issue; please avoid this behavior, it seems that it is a false positive. Besides that, the latest version of the openssh project uses the **-G** option (see reference [1]), and @giannisalinetti's suggestion is a good idea. Just in case this false positive can't be solved, rkhunter is more recent and the developers are more active there.

Best Regards ,
Hector F.

@cookiengineer
Contributor

I can confirm that the -G option is disabled on UbuntuGNOME variants (at least in 15.10 and 16.04).

I would recommend doing a double-check: if the "-G" flag is disabled, ssh will output the usage. I also created a pull request for it because it's so simple to fix :)

@Magentron
Owner

Hi guys, I will have a look at this next week. Thanks!

@h3ct0rjs

h3ct0rjs commented Aug 3, 2016

Cool 😎 so if there's any way to notify all the distro developers, that would be great 😄

@cookiengineer
Contributor

cookiengineer commented Aug 3, 2016

@heticor915 I already wrote the original chkrootkit authors (Nelson Murilo and Klaus Steding-Jessen) but they won't reply to emails (dead-end email addresses?). Today I wrote to the current Debian maintainer (Giuseppe Iuculano); maybe he knows where/how to fix this false positive upstream, so that everybody in the GNU world can profit from the fixes here.

@Magentron Magentron self-assigned this Aug 3, 2016
@Magentron
Owner

Fixed in 0.50b #1 by @cookiengineer

@cookiengineer
Contributor

Awesome, thanks!

@Magentron
Owner

Thanks to you for the pull request! :-)

@rootkea

rootkea commented Jun 2, 2019

And the bug has been re-introduced at https://github.com/Magentron/chkrootkit/blob/master/chkrootkit#L1176

if $ssh -G 2>&1 | grep -v usage > /dev/null; then
    if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
        if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi
    else
        echo "Possible Linux/Ebury 1.4 - Operation Windigo installed"
    fi
fi

Also, echo $ssh prints nothing.
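The version-gated check that both the original report and the reintroduced code above call for, as an added example that is not chkrootkit's own code: the logic takes the `ssh -V` banner and the `ssh -G` output as strings, so it can be exercised against constructed samples without a real binary, and it uses the 6.9 threshold the report gives.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code. On OpenSSH older than the report's
# 6.9 threshold, "-G" is an unknown option: a genuine ssh answers with an
# "illegal/unknown option" error plus a usage line, while Ebury's trojaned ssh
# accepted it silently. From 6.9p1 on, -G is a documented option that dumps the
# client configuration, so silence is normal there and the check must be
# skipped rather than reported as an infection.

# Print "MAJOR MINOR" parsed from an "ssh -V" banner such as "OpenSSH_7.4p1 ...".
ssh_version_fields() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeed when the banner belongs to OpenSSH >= 6.9, where -G is legitimate.
ssh_supports_G() {
    set -- $(ssh_version_fields "$1")
    [ -z "$1" ] && return 1           # unparsable banner: assume an old ssh
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 9 ]; }
}

# Verdict from the "ssh -V" banner ($1) and the combined output of "ssh -G" ($2):
# skipped (check not applicable), clean, or suspicious.
ebury_g_verdict() {
    if ssh_supports_G "$1"; then
        echo skipped          # -G is a real option here; its output proves nothing
    elif printf '%s\n' "$2" | grep -qi -e 'illegal' -e 'unknown' -e 'usage'; then
        echo clean            # old ssh rejected -G, as a genuine binary should
    else
        echo suspicious       # old ssh accepted -G silently: the Ebury signature
    fi
}

# Constructed sample banners and outputs (not captured from real hosts).
OLD_BANNER='OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013'
NEW_BANNER='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017'
REJECT_OUT='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
CONFIG_OUT='host example.invalid
user alice
port 22'

main() {
    echo "old ssh, -G rejected: $(ebury_g_verdict "$OLD_BANNER" "$REJECT_OUT")"   # clean
    echo "old ssh, -G accepted: $(ebury_g_verdict "$OLD_BANNER" "$CONFIG_OUT")"   # suspicious
    echo "new ssh, -G accepted: $(ebury_g_verdict "$NEW_BANNER" "$CONFIG_OUT")"   # skipped
}
main
```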

@rootkea

rootkea commented Jun 2, 2019

Just opened a PR #5 to fix it.
