Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Rootkit possible ?

Calyp

Bonjour à tous, et bonne fin d'année !

Des conseils à me donner ou de l'info, en faisant un contrôle rootkit j'obtiens ça :

INFECTED: Possible Malicious Linux.Xor.DDoS installed
Et tout un tas d'autre trucs...

:~$ sudo chkrootkit -q
[sudo] Mot de passe de : 

/usr/lib/debug/.build-id /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep /usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /lib/modules/4.15.0-72-generic/vdso/.build-id /lib/modules/4.15.0-70-generic/vdso/.build-id
/usr/lib/debug/.build-id /lib/modules/4.15.0-72-generic/vdso/.build-id /lib/modules/4.15.0-70-generic/vdso/.build-id
not tested
INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/.veracrypt_aux_mnt1/volume
/tmp/.veracrypt_aux_mnt1/control
enp2s0: PACKET SNIFFER(/sbin/dhclient[2720])
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! gdm          2663 tty1   /usr/bin/Xwayland :1024 -rootless -terminate -accessx -core -listen 4 -listen 5 -displayfd 6
! gdm          2589 tty1   /usr/lib/gdm3/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart
! gdm          2593 tty1   /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
! gdm          2601 tty1   /usr/bin/gnome-shell
! gdm          2765 tty1   /usr/lib/gnome-settings-daemon/gsd-a11y-settings
! gdm          2767 tty1   /usr/lib/gnome-settings-daemon/gsd-clipboard
! gdm          2769 tty1   /usr/lib/gnome-settings-daemon/gsd-color
! gdm          2775 tty1   /usr/lib/gnome-settings-daemon/gsd-datetime
! gdm          2776 tty1   /usr/lib/gnome-settings-daemon/gsd-housekeeping
! gdm          2777 tty1   /usr/lib/gnome-settings-daemon/gsd-keyboard
! gdm          2781 tty1   /usr/lib/gnome-settings-daemon/gsd-media-keys
! gdm          2782 tty1   /usr/lib/gnome-settings-daemon/gsd-mouse
! gdm          2783 tty1   /usr/lib/gnome-settings-daemon/gsd-power
! gdm          2787 tty1   /usr/lib/gnome-settings-daemon/gsd-print-notifications
! gdm          2789 tty1   /usr/lib/gnome-settings-daemon/gsd-rfkill
! gdm          2790 tty1   /usr/lib/gnome-settings-daemon/gsd-screensaver-proxy
! gdm          2795 tty1   /usr/lib/gnome-settings-daemon/gsd-sharing
! gdm          2797 tty1   /usr/lib/gnome-settings-daemon/gsd-smartcard
! gdm          2800 tty1   /usr/lib/gnome-settings-daemon/gsd-sound
! gdm          2806 tty1   /usr/lib/gnome-settings-daemon/gsd-wacom
! gdm          2762 tty1   /usr/lib/gnome-settings-daemon/gsd-xsettings
! gdm          2699 tty1   ibus-daemon --xim --panel disable
! gdm          2702 tty1   /usr/lib/ibus/ibus-dconf
! gdm          2816 tty1   /usr/lib/ibus/ibus-engine-simple
! gdm          2705 tty1   /usr/lib/ibus/ibus-x11 --kill-daemon
! moi          3105 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 2 -isForBrowser -prefsLen 6964 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi          3330 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 5 -isForBrowser -prefsLen 8373 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi         21266 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 14 -isForBrowser -prefsLen 9030 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi         24871 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 16 -isForBrowser -prefsLen 9169 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi          3031 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi          3206 tty2   /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
! moi          5917 tty2   baloo_file
! moi          3135 tty2   /usr/bin/python3 /usr/bin/chrome-gnome-shell /usr/lib/mozilla/native-messaging-hosts/org.gnome.chrome_gnome_shell.json chrome-gnome-shell@gnome.org
! moi          9537 tty2   /usr/lib/deja-dup/deja-dup-monitor
! moi          2559 tty2   /opt/firefox_dev/firefox
! moi          3204 tty2   /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
! moi          3217 tty2   /usr/lib/gnome-session/gnome-session-binary --session=ubuntu
! moi          8838 tty2   /usr/bin/gnome-shell
! moi          5819 tty2   /usr/lib/gnome-settings-daemon/gsd-a11y-settings
! moi          5813 tty2   /usr/lib/gnome-settings-daemon/gsd-clipboard
! moi          5826 tty2   /usr/lib/gnome-settings-daemon/gsd-color
! moi          5823 tty2   /usr/lib/gnome-settings-daemon/gsd-datetime
! moi          5897 tty2   /usr/lib/gnome-disk-utility/gsd-disk-utility-notify
! moi          5834 tty2   /usr/lib/gnome-settings-daemon/gsd-housekeeping
! moi          5832 tty2   /usr/lib/gnome-settings-daemon/gsd-keyboard
! moi          5839 tty2   /usr/lib/gnome-settings-daemon/gsd-media-keys
! moi          5836 tty2   /usr/lib/gnome-settings-daemon/gsd-mouse
! moi          5658 tty2   /usr/lib/gnome-settings-daemon/gsd-power
! moi          5660 tty2   /usr/lib/gnome-settings-daemon/gsd-print-notifications
! moi          5877 tty2   /usr/lib/gnome-settings-daemon/gsd-printer
! moi          5665 tty2   /usr/lib/gnome-settings-daemon/gsd-rfkill
! moi          5667 tty2   /usr/lib/gnome-settings-daemon/gsd-screensaver-proxy
! moi          5675 tty2   /usr/lib/gnome-settings-daemon/gsd-sharing
! moi          5679 tty2   /usr/lib/gnome-settings-daemon/gsd-smartcard
! moi          5726 tty2   /usr/lib/gnome-settings-daemon/gsd-sound
! moi          5767 tty2   /usr/lib/gnome-settings-daemon/gsd-wacom
! moi          5704 tty2   /usr/lib/gnome-settings-daemon/gsd-xsettings
! moi         21643 tty2   /bin/sh /usr/bin/gufw
! moi          4965 tty2   ibus-daemon --xim --panel disable
! moi          4975 tty2   /usr/lib/ibus/ibus-dconf
! moi          6146 tty2   /usr/lib/ibus/ibus-engine-simple
! moi          4984 tty2   /usr/lib/ibus/ibus-x11 --kill-daemon
! moi          5896 tty2   /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
! moi          5898 tty2   nautilus-desktop
! moi          5888 tty2   /usr/bin/python /usr/bin/smart-notifier
! moi          5901 tty2   mono /usr/lib/tomboy/Tomboy.exe
! moi          5935 tty2   /usr/lib/tracker/tracker-extract
! moi          5907 tty2   /usr/lib/tracker/tracker-miner-apps
! moi          5924 tty2   /usr/lib/tracker/tracker-miner-fs
! moi          8416 tty2   update-notifier
! moi          5931 tty2   veracrypt
! moi          5949 tty2   veracrypt
! root        21680 tty2   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess 7 11
! root        21678 tty2   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess 6 11
! root        21645 tty2   /bin/bash /usr/bin/gufw-pkexec moi
! root        21655 tty2   python3 /usr/share/gufw/gufw/gufw.py moi
! root         3694 tty2   /usr/bin/veracrypt --core-service
! moi          6580 pts/0  bash
! moi          9271 pts/1  bash
! root        24957 pts/1  /bin/sh /usr/sbin/chkrootkit -q
! root        25559 pts/1  ./chkutmp
! root        25561 pts/1  ps axk tty,ruser,args -o tty,pid,ruser,args
! root        25560 pts/1  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root        24951 pts/1  sudo chkrootkit -q
not tested

[supprimé]

Veracrypt : https://fr.wikipedia.org/wiki/VeraCrypt

Calyp

Avec ta réponse, dans le doute j'ai cherché le rapport entre Veracrypt, si ce n'était pas un faux positif...

Mais rien trouvé, du coup, c'est quoi le rapport entre Xor et Veracrypt ?

[supprimé]

Je pense surtout que tu as installé Veracrypt sur ton système.

Chkrootkit doit capter les deux répertoires suivants comme "menaces" possibles.

INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/.veracrypt_aux_mnt1/volume
/tmp/.veracrypt_aux_mnt1/control

Mais Xor, pour moi, c'est de la logique combinatoire, je suppose qu'il doit dire qu'il y a un truc malicieux pour Linux OU exclusif windows

Calyp

Oui je l'utilise tous les jours.

J'ai fermé les conteneurs /temp et effectivement ça ne sort plus en possible DDos.

Par contre que dire du reste ? De ce LKM trojan possible ?
En cherchant un peu partout il semble que ce soit un faux positif...

sudo chkrootkit -q
[sudo] Mot de passe de  : 

/usr/lib/debug/.build-id /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep /usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /lib/modules/4.15.0-72-generic/vdso/.build-id /lib/modules/4.15.0-70-generic/vdso/.build-id
/usr/lib/debug/.build-id /lib/modules/4.15.0-72-generic/vdso/.build-id /lib/modules/4.15.0-70-generic/vdso/.build-id
not tested
You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
enp2s0: PACKET SNIFFER(/sbin/dhclient[2720])
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! gdm          2663 tty1   /usr/bin/Xwayland :1024 -rootless -terminate -accessx -core -listen 4 -listen 5 -displayfd 6
! gdm          2589 tty1   /usr/lib/gdm3/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart
! gdm          2593 tty1   /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
! gdm          2601 tty1   /usr/bin/gnome-shell
! gdm          2765 tty1   /usr/lib/gnome-settings-daemon/gsd-a11y-settings
! gdm          2767 tty1   /usr/lib/gnome-settings-daemon/gsd-clipboard
! gdm          2769 tty1   /usr/lib/gnome-settings-daemon/gsd-color
! gdm          2775 tty1   /usr/lib/gnome-settings-daemon/gsd-datetime
! gdm          2776 tty1   /usr/lib/gnome-settings-daemon/gsd-housekeeping
! gdm          2777 tty1   /usr/lib/gnome-settings-daemon/gsd-keyboard
! gdm          2781 tty1   /usr/lib/gnome-settings-daemon/gsd-media-keys
! gdm          2782 tty1   /usr/lib/gnome-settings-daemon/gsd-mouse
! gdm          2783 tty1   /usr/lib/gnome-settings-daemon/gsd-power
! gdm          2787 tty1   /usr/lib/gnome-settings-daemon/gsd-print-notifications
! gdm          2789 tty1   /usr/lib/gnome-settings-daemon/gsd-rfkill
! gdm          2790 tty1   /usr/lib/gnome-settings-daemon/gsd-screensaver-proxy
! gdm          2795 tty1   /usr/lib/gnome-settings-daemon/gsd-sharing
! gdm          2797 tty1   /usr/lib/gnome-settings-daemon/gsd-smartcard
! gdm          2800 tty1   /usr/lib/gnome-settings-daemon/gsd-sound
! gdm          2806 tty1   /usr/lib/gnome-settings-daemon/gsd-wacom
! gdm          2762 tty1   /usr/lib/gnome-settings-daemon/gsd-xsettings
! gdm          2699 tty1   ibus-daemon --xim --panel disable
! gdm          2702 tty1   /usr/lib/ibus/ibus-dconf
! gdm          2816 tty1   /usr/lib/ibus/ibus-engine-simple
! gdm          2705 tty1   /usr/lib/ibus/ibus-x11 --kill-daemon
! moi          4408 tty2   ./PillarsOfEternity
! moi          8132 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 37 -isForBrowser -prefsLen 9237 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi         12499 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 42 -isForBrowser -prefsLen 9237 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi         28375 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 31 -isForBrowser -prefsLen 9169 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi          3031 tty2   /opt/firefox_dev/firefox-bin -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 216057 -parentBuildID 20191227034945 -greomni /opt/firefox_dev/omni.ja -appomni /opt/firefox_dev/browser/omni.ja -appdir /opt/firefox_dev/browser 2559 true tab
! moi          3206 tty2   /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
! moi          5917 tty2   baloo_file
! moi          3135 tty2   /usr/bin/python3 /usr/bin/chrome-gnome-shell /usr/lib/mozilla/native-messaging-hosts/org.gnome.chrome_gnome_shell.json chrome-gnome-shell@gnome.org
! moi          9537 tty2   /usr/lib/deja-dup/deja-dup-monitor
! moi          2559 tty2   /opt/firefox_dev/firefox
! moi          4374 tty2   /usr/libexec/flatpak-bwrap --args 32 starter
! moi          4385 tty2   /usr/libexec/flatpak-bwrap --args 32 /usr/libexec/flatpak-dbus-proxy --args=34
! moi          4388 tty2   /usr/libexec/flatpak-bwrap --args 32 starter
! moi          4386 tty2   /usr/libexec/flatpak-dbus-proxy --args=34
! moi          3204 tty2   /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
! moi          3217 tty2   /usr/lib/gnome-session/gnome-session-binary --session=ubuntu
! moi          8838 tty2   /usr/bin/gnome-shell
! moi          5819 tty2   /usr/lib/gnome-settings-daemon/gsd-a11y-settings
! moi          5813 tty2   /usr/lib/gnome-settings-daemon/gsd-clipboard
! moi          5826 tty2   /usr/lib/gnome-settings-daemon/gsd-color
! moi          5823 tty2   /usr/lib/gnome-settings-daemon/gsd-datetime
! moi          5897 tty2   /usr/lib/gnome-disk-utility/gsd-disk-utility-notify
! moi          5834 tty2   /usr/lib/gnome-settings-daemon/gsd-housekeeping
! moi          5832 tty2   /usr/lib/gnome-settings-daemon/gsd-keyboard
! moi          5839 tty2   /usr/lib/gnome-settings-daemon/gsd-media-keys
! moi          5836 tty2   /usr/lib/gnome-settings-daemon/gsd-mouse
! moi          5658 tty2   /usr/lib/gnome-settings-daemon/gsd-power
! moi          5660 tty2   /usr/lib/gnome-settings-daemon/gsd-print-notifications
! moi          5877 tty2   /usr/lib/gnome-settings-daemon/gsd-printer
! moi          5665 tty2   /usr/lib/gnome-settings-daemon/gsd-rfkill
! moi          5667 tty2   /usr/lib/gnome-settings-daemon/gsd-screensaver-proxy
! moi          5675 tty2   /usr/lib/gnome-settings-daemon/gsd-sharing
! moi          5679 tty2   /usr/lib/gnome-settings-daemon/gsd-smartcard
! moi          5726 tty2   /usr/lib/gnome-settings-daemon/gsd-sound
! moi          5767 tty2   /usr/lib/gnome-settings-daemon/gsd-wacom
! moi          5704 tty2   /usr/lib/gnome-settings-daemon/gsd-xsettings
! moi         21643 tty2   /bin/sh /usr/bin/gufw
! moi          4965 tty2   ibus-daemon --xim --panel disable
! moi          4975 tty2   /usr/lib/ibus/ibus-dconf
! moi          6146 tty2   /usr/lib/ibus/ibus-engine-simple
! moi          4984 tty2   /usr/lib/ibus/ibus-x11 --kill-daemon
! moi          5896 tty2   /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
! moi          5898 tty2   nautilus-desktop
! moi          5888 tty2   /usr/bin/python /usr/bin/smart-notifier
! moi          4389 tty2   /bin/bash /app/game/start.sh
! moi          5901 tty2   mono /usr/lib/tomboy/Tomboy.exe
! moi          5935 tty2   /usr/lib/tracker/tracker-extract
! moi          5907 tty2   /usr/lib/tracker/tracker-miner-apps
! moi          5924 tty2   /usr/lib/tracker/tracker-miner-fs
! moi          8416 tty2   update-notifier
! moi          5931 tty2   veracrypt
! moi          5949 tty2   veracrypt
! root        21680 tty2   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess 7 11
! root        21678 tty2   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess 6 11
! root        21645 tty2   /bin/bash /usr/bin/gufw-pkexec moi
! root        21655 tty2   python3 /usr/share/gufw/gufw/gufw.py moi
! root         3694 tty2   /usr/bin/veracrypt --core-service
! moi         12629 pts/0  bash
! root        12658 pts/0  /bin/sh /usr/sbin/chkrootkit -q
! root        13271 pts/0  ./chkutmp
! root        13273 pts/0  ps axk tty,ruser,args -o tty,pid,ruser,args
! root        13272 pts/0  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root        12644 pts/0  sudo chkrootkit -q
not tested

[supprimé]

Je ne connais pas ça...