i decided to do a virus check on my ubuntu 8.10

i am using

ClamAV
chkrootkit
rkhunter

ClamAV is still going so ill post about that later..... (ClamGK is on 3% atm and has found a virus :sad:)

chkrootkit and rkhunter BOTH came up with WARNING

What shall i do, has it fixed them its self or have i got to do it??

Click to see my rkhunter.log (http://hozzamedia.co.uk/rkhunter.txt)

please help!! :(

Hmm, i just started using ubuntu so i wouldn't know, but i assume that there wouldn't be any viruses. So i think you'd be good to go.

i decided to do a virus check on my ubuntu 8.10

i am using

ClamAV
chkrootkit
rkhunter

ClamAV is still going so ill post about that later..... (ClamGK is on 3% atm and has found a virus :sad:)

chkrootkit and rkhunter BOTH came up with WARNING

What shall i do, has it fixed them its self or have i got to do it??

Click to see my rkhunter.log (http://hozzamedia.co.uk/rkhunter.txt)

please help!! :(

You need to carefully check to make sure those are not false positives. Clam AV is notorious for false positives and the root kit detectors need to be interpreted carefully or you will do more harm then good.

how do i check if they are false positives ??

the files it shows warnings for are just because it doesn't have them in its lookup table.

if you installed unhide from the repositories then it is fine.

I would like to give you the unsolicited suggestion of trying Avast (http://www.avast.com/eng/avast-for-linux-workstation.html) or AVG (http://free.avg.com/download?prd=afl) for Linux. Both are free for personal use. ClamAV can literally take hours to complete a scan.

EDIT: I should point out neither of the aforementioned AV scanners are open source. That is very important to some people.

[17:57:42] System checks summary
[17:57:42] =====================
[17:57:42]
[17:57:42] File properties checks...
[17:57:42] Files checked: 127
[17:57:42] Suspect files: 2
[17:57:43]
[17:57:43] Rootkit checks...
[17:57:43] Rootkits checked : 109
[17:57:43] Possible rootkits: 0
[17:57:43]
[17:57:43] Applications checks...
[17:57:44] Applications checked: 3
[17:57:44] Suspect applications: 0

rkhunter only found 2 files that it found "suspect" - according to the log,
they were:

/usr/sbin/unhide
/usr/sbin/unhide-linux26

But I don't think you should be worried at all...these files are present
normally. You probably didn't run the "$ sudo rkhunter --propupd " command
either, which would cause these problems.

All in all, unless you notice something strange happening with the machine,
everything should be fine.

Hi Hozza, I just installed rkhunter to compare with your results, and my results are very similar to yours. Namely, I received warnings for unhide and unhide-linux26. When installing rkunter, I noticed unhide as a dependency, so I'd take these results with a grain of salt.

As for the virus, it's most likely a windows variant, but research the results whenever the scanner finishes.

(1) no antivirus is needed
(2) if you chose to ignore (1) then do not scan linux binaries. Only attachments for window.s

Possibly it's a windows virus which reside in your hard disk. It doesn't matter if you have the windows virus because the virus cannot to anything harm to your computer, you can delete it manually from nautilus or from CLI or just ignore.

I personally have the same problems when I scan with Avast antivirus. Most of the virus came from my windows partition and pendrive coz i'm here sharing the same computer. Due to drag and drop file to and from windows partition, I suspected that I've also do the same to the virus.

I also suspected that some torrent file i download over the net contain the same virus. but who care, we are running the ubuntu linux.

in my personal view, virus, malware etc is not the security issues with my ubuntu. but if you're running a mail server you can scan the /var/mail for virus before they reach the windows client pc

I would like to give you the unsolicited suggestion of trying Avast (http://www.avast.com/eng/avast-for-linux-workstation.html) or AVG (http://free.avg.com/download?prd=afl) for Linux. Both are free for personal use. ClamAV can literally take hours to complete a scan.

EDIT: I should point out neither of the aforementioned AV scanners are open source. That is very important to some people.

I have AVG for linux and i use it however it never finds anything so i was unsure if it was working.....i will try avast aswell

[17:57:42] System checks summary
[17:57:42] =====================
[17:57:42]
[17:57:42] File properties checks...
[17:57:42] Files checked: 127
[17:57:42] Suspect files: 2
[17:57:43]
[17:57:43] Rootkit checks...
[17:57:43] Rootkits checked : 109
[17:57:43] Possible rootkits: 0
[17:57:43]
[17:57:43] Applications checks...
[17:57:44] Applications checked: 3
[17:57:44] Suspect applications: 0

rkhunter only found 2 files that it found "suspect" - according to the log,
they were:

/usr/sbin/unhide
/usr/sbin/unhide-linux26

But I don't think you should be worried at all...these files are present
normally. You probably didn't run the "$ sudo rkhunter --propupd " command
either, which would cause these problems.

All in all, unless you notice something strange happening with the machine,
everything should be fine.

thank you, but what does --propupd do??

---------

(1) no antivirus is needed

hyper_ch i do under stand that you "dont" need AV for linux however i am soon to be starting a Server Farm of Ubuntu computers, there will be many windows files on the system so i feel it is necessary.

I know this is the standard answer, but is the best way to find what options a command has:

man rkhunter

If you ever run into a command you are not sure about man is your friend.

Jim

Man pages usually are a great reference, but in the case of --propupd, I think clarification is warranted.

Here's a good explanation: http://rkhunter.wiki.sourceforge.net/MPC

Hozza, I know the Windows users will appreciate your diligence with regards to virus scanning.

[INDENT]Call me Paranoid Android :) but, I just scanned my computer with ClamTK and found 9 viruses, then I found this thread in this forum:
"Wireshark reveals consistent packets being sent to 78.131.193.150."
and then I remembered the economical problems the US and because of that, a big part of the world is living, so, some companies like M$ will be so eager to get rid of the free software for many reasons, and would try to do anything to do so, because if they were actually good companies, they could start helping to get rid of poverty which is the main reason for many problems in the world, they could donate computers to poor communities. Thats way I recommend you to scan your machine with your chosen anti virus, and remember, free software tumbling down to M$.
It is ironic that a bunch of enthusiastic boys made possible what we are living this linux reality.
English is not my native language, I am sorry for the mistakes.

Can you post the exact info on the file reported as virus by Clam. By exact, I mean the full path to file and file name.