
I recently had a spear phishing attempt on my Linux Ubuntu 18.04. I changed passwords and ran Chkrootkit and Clamscan.

My chkrootkit scan came up with the following:

suspicious files and directories were found:  
/usr/lib/debug/.build-id /usr/lib/python2.7/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /lib/modules/4.15.0-115-generic/vdso/.build-id /lib/modules/4.15.0-112-generic/vdso/.build-id
/usr/lib/debug/.build-id /lib/modules/4.15.0-115-generic/vdso/.build-id /lib/modules/4.15.0-112-generic/vdso/.build-id 

Is there a way to test if these are false positives? I update my software regularly.

Thanks in advance!

  • They are all hidden files, and hidden files are labelled as suspicious. Definitely not false positives, but probably nothing to worry about. – mikewhatever Sep 03 '20 at 20:04
  • dpkg -S filename will show the package (if any) that provides the file. Other tools to apply to each file: ls -l, file, less. chkrootkit is an automated tool (a bunch of scripts), and is set to announce things that look strange. The .build-id files are strange, in that they are not visible to ls without the -a or -A options. They look to me like leftovers from a software build, but that could be camouflage. – waltinator Sep 03 '20 at 20:18
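
One way to run the checks suggested in the comments over every path chkrootkit flagged, as an added example that is not part of the original thread. The function names and verdict labels are made up here; it assumes a Debian/Ubuntu system where `dpkg -S` and `dpkg --verify` are available.

```bash
#!/usr/bin/env bash
# Triage paths flagged by chkrootkit: is each one owned by a package, and unchanged?
# Function names and verdict labels are illustrative, not from any tool.

# Print the package(s) that ship $1 according to dpkg; fail if none does.
pkg_owner() {
    local line
    line=$(dpkg -S "$1" 2>/dev/null | grep -v '^diversion ' | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line%%: /*}"      # "pkg:arch: /path" -> "pkg:arch"
}

# Succeed if `dpkg --verify` lists $2 as differing from package $1's checksums.
pkg_file_modified() {
    dpkg --verify "${1%%,*}" 2>/dev/null |
        awk -v p="$2" '$NF == p { hit = 1 } END { exit !hit }'
}

# Print one verdict for a flagged path.
classify() {
    local path owner
    path=$1
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo "MISSING"; return 0
    fi
    # Unowned is not proof of tampering: maintainer scripts also create files.
    if ! owner=$(pkg_owner "$path"); then
        echo "UNOWNED"; return 0
    fi
    # Only regular files have recorded checksums; directories are skipped.
    if [ -f "$path" ] && pkg_file_modified "$owner" "$path"; then
        echo "MODIFIED $owner"; return 0
    fi
    echo "PACKAGED $owner"
}

triage() {
    local p verdict
    for p in "$@"; do
        verdict=$(classify "$p")
        printf '%-30s %s\n' "$verdict" "$p"
        case $verdict in             # show details for anything not cleanly packaged
            UNOWNED|MODIFIED*) ls -ld "$p"; file "$p" ;;
        esac
    done
}

# Usage: ./triage.sh /usr/lib/debug/.build-id /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo ...
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

The checksums dpkg compares against live on the same disk as the files, so a clean result narrows things down rather than proving integrity.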
