Home / ubuntu / Questions / 952570
In Process
obo
Asked: 2017-09-05 00:31:43 +0800 CST

chrootkit suspicious files and directory detected

  • 772

I made a chrootkit scan.And it found something,it doesnt say any recommendations on the detection of the files or directories. Any suggestions?

results are:

The following suspicious files and directories were found:  

/usr/lib/debug/.build-id 
/lib/modules/4.4.0-93-generic/vdso/.build-id 
/lib/modules/4.4.0-92-generic/vdso/.build-id 
/lib/modules/4.4.0-91-generic/vdso/.build-id
rootkit

2 Answers

  1. Are these files/directories related to a software package (or several software packages)?

    for thing in /usr/lib/debug/.build-id /lib/modules/4.4.0-93-generic/vdso/.build-id /lib/modules/4.4.0-92-generic/vdso/.build-id /lib/modules/4.4.0-91-generic/vdso/.build-id ; do
    /bin/ls -ld $thing
    /usr/bin/dpkg -S $thing
done

    YMMV, but on MY Ubuntu 16.04.3LTS, this shows:

    $ for thing in /usr/lib/debug/.build-id /lib/modules/4.4.0-93-generic/vdso/.build-id /lib/modules/4.4.0-92-generic/vdso/.build-id /lib/modules/4.4.0-91-generic/vdso/.build-id ; do
>     /bin/ls -ld $thing
>     /usr/bin/dpkg -S $thing
> done
drwxr-xr-x 229 root root 4096 Aug 14 17:54 /usr/lib/debug/.build-id
python-bzrlib-dbg, tclcl-dbg, python2.7-dbg, libfltk1.3-dbg, graphicsmagick-dbg, python3-tk-dbg, python3-gdbm-dbg:amd64, libglib2.0-0-dbg:amd64, libkf5wallet5-dbg:amd64, libtk8.6-dbg:amd64, libtcl8.6-dbg:amd64, libc6-dbg:amd64, atanks-dbg, ballz-dbg, lyx-dbg, liblqr-1-0-dbg, ntfs-3g-dbg, python3.5-dbg, evolution-dbg, freeglut3-dbg:amd64, libgd-dbg:amd64, libgdk-pixbuf2.0-0-dbg:amd64: /usr/lib/debug/.build-id
drwxr-xr-x 5 root root 4096 Aug 28 18:31 /lib/modules/4.4.0-93-generic/vdso/.build-id
linux-image-4.4.0-93-generic: /lib/modules/4.4.0-93-generic/vdso/.build-id
drwxr-xr-x 5 root root 4096 Aug 15 19:30 /lib/modules/4.4.0-92-generic/vdso/.build-id
linux-image-4.4.0-92-generic: /lib/modules/4.4.0-92-generic/vdso/.build-id
/bin/ls: cannot access '/lib/modules/4.4.0-91-generic/vdso/.build-id': No such file or directory
dpkg-query: no path found matching pattern /lib/modules/4.4.0-91-generic/vdso/.build-id

    I don't have linux-image-4.4.0-91-generic installed.

    This is a False Positive result from chkrootkit, and shows the difficulty with any prepackaged set of "Am I rooted?" tests. While the tests may have been fine at the time of packaging, they lag behind the changes in the environment being checked. Given the high possibility of False Positive results, this type of tool should ONLY be used as a first step, a trigger to further investigation. Understanding must come before action.

    • 1

  2. build-id

    Nope it's not a virus! :) Don't delete it, it may be a system folder. Hope That Helped!

    • 0