So I ran chkrootkit. I have linux.xor.ddos showing as infected. I read other forums online and I have seen things mentioning false positives. What is the linux.xor.ddos file and how can I check if they are fine?
Viewed 3,357 times
4

Tejas Lotlikar

RJ Adams
- Where is the file located? What is its name? We need more information. – Lewis Smith Oct 24 '18 at 09:50
- I'm not sure exactly what linux.xor.ddos files are, how would I be able to locate it? – RJ Adams Oct 24 '18 at 10:02
- I thought chkrootkit would have told you. However, a bit of googling showed that chkrootkit reports any binary that's in /tmp as linux.xor.ddos. Check and see what is in that directory. – Lewis Smith Oct 24 '18 at 10:07
- So Linux.xor.ddos is malware, should I remove this VPN, or is this common to happen? – RJ Adams Oct 24 '18 at 10:22
- A VPN shouldn't really install into /tmp. What VPN are you using? – Lewis Smith Oct 24 '18 at 10:23
- Private Internet Access. PIA – RJ Adams Oct 24 '18 at 10:27
- Use the PIA OpenVPN configs with Ubuntu's built-in VPN client. – Lewis Smith Oct 24 '18 at 10:31
- Ok I will try that. I installed it as a program and it runs outside of the built-in VPN client. I followed the instructions from their homepage. – RJ Adams Oct 24 '18 at 10:34
2 Answers
5
Binaries in /tmp are flagged as "linux.xor.ddos" regardless of whether they're infected or not. This was the case with the poster.

Kevin Bowen

Lewis Smith
3
Any file under the temporary folder that is marked as executable will raise a flag.
enigma@t495:/tmp$ touch virus
enigma@t495:/tmp$ chmod +x virus
enigma@t495:/tmp$ sudo chkrootkit
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/virus

anotherday
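For the question's "how can I check if they are fine", this added example (not from the answers or from chkrootkit itself) lists the files matching the condition both answers describe, executable regular files under /tmp, and reports what each one is. The function names are made up for this example; it assumes `sha256sum` is installed and prints `nohash` if it is not.

```shell
#!/bin/sh
# Added example: triage the files behind chkrootkit's Linux.Xor.DDoS warning.
# Assumption (taken from the answers above): the warning fires for any
# executable regular file under /tmp, so listing those reproduces the finding.

# Print every regular file under $1 (default /tmp) with any execute bit set.
list_tmp_executables() {
    find "${1:-/tmp}" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null
}

# Classify a file by its leading bytes: empty, elf, script or other.
classify_file() {
    [ -s "$1" ] || { echo empty; return; }
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7fELF: a compiled binary
        2321*)    echo script ;;   # "#!": an interpreter script
        *)        echo other ;;
    esac
}

# One tab-separated line per finding: kind, owner, SHA-256, path.
# Paths containing newlines are not handled.
triage_tmp() {
    list_tmp_executables "$1" | while IFS= read -r f; do
        kind=$(classify_file "$f")
        owner=$(ls -ld "$f" | awk '{print $3}')
        sum=$(sha256sum "$f" 2>/dev/null | awk '{print $1}')
        printf '%s\t%s\t%s\t%s\n' "$kind" "$owner" "${sum:-nohash}" "$f"
    done
}

# Usage: sh triage.sh /tmp
if [ "$#" -gt 0 ]; then
    triage_tmp "$1"
fi
```

An `empty` result, as with the `touch virus` demonstration above, is a file that cannot contain code; `elf` and `script` entries are the ones to inspect and trace back to the program that wrote them.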